Brexit impact on UK/EEA data protection: transfers, adequacy and Schrems II
Originally published by Thomson Reuters © Thomson Reuters.
The Brexit transition period ended at 11pm on December 31, 2020 and the UK became a third country for the EU General Data Protection Regulation (EU GDPR). The December 24 announcement of a UK-EU trade deal with a controversial data protection impact just seven days before the deadline may either have felt like “too little, too late” after months of being told to prepare for no-deal Brexit, or confirmed the feeling that “something will be done”, depending on how proactive organisations were in their privacy governance.
This article looks at what was done, particularly on the transfer of personal data, and the impact on organisations’ privacy governance. The article focuses on third countries, specifically the UK and European Economic Area (EEA) respectively, although transfer can be to a third country or an international organisation.
Regardless of the Trade and Cooperation Agreement (TCA) of December 24, at the end of 2020:
The well-known rules for transfers, and the appropriate safeguards, are set out in Chapter V of each GDPR. The European Data Protection Board (EDPB) calls the safeguards “transfer tools” in its November 2020 “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (transfer recommendations).
The transfer recommendations do not add anything particularly new, but they set out a valuable framework for making and recording organisations’ decisions on transfers and helpfully confirm some points on transfers and Schrems II.
There is a long-established pecking order for safeguards when transferring personal data (although other relevant GDPR aspects also need to be considered, such as a data processing agreement satisfying Art 28):
The UK legislation adopting the UK GDPR enshrines an adequacy decision in favour of the EEA, so transfers can continue to take place from the UK to the EEA in 2021 and beyond, as long as that is in place.
The same UK legislation adopts all EU GDPR adequacy and SCC decisions as at the end of 2020.
As at January 11, 2021, there is no adequacy decision under EU GDPR in favour of the UK. The TCA provides a further transition period for transfers of up to six months (see below), which many have seen as proof that an adequacy decision is close.
The Joint Declarations accompanying the TCA include a declaration of the European Commission’s “intention to promptly launch the procedure for the adoption of adequacy decisions with respect to the UK [ … and … ] to work closely to that end with the other bodies and institutions involved in the relevant decision-making procedure“.
Public commentary remains divided on the likelihood of an adequacy decision, primarily given the UK’s own surveillance laws. The UK legal environment is very different from that of the United States, not least that:
whereas the United States lacks a horizontal, general data protection law at federal level.
As a recent example of case law on the protection of fundamental rights, on January 8, 2021, in the Privacy International judicial review case, the UK High Court cited the need for proportionality and necessity when holding general warrants under the UK Intelligence Services Act 1994 unlawful.
Normally, the absence of an adequacy decision for a third country (such as the UK) would mean that EEA data exporters would have to look to the transfer tools in art 46 (such as SCCs), and Schrems II would be triggered. This would include the need to review the UK’s surveillance laws.
The TCA does, however, include a controversial provision, art FINPROV.10A, which states that, for a “specified period”, “transmission of personal data from the [EEA] to the United Kingdom shall not be considered as transfer to a third country under Union law”.
The specified period is:
There are conditions, which should not be problematic given the short timeframe, namely that:
The main point is that, for the “specified period”, the UK is not a third country for transfers, meaning that Chapter V of the EU GDPR is not engaged and no adequacy decision or other transfer tool is necessary.
This is very good news for EEA data exporters and UK data importers, but the provision has created some controversy, based on the ability of the TCA (as a trade deal) to side-step the provisions of the GDPR. A rapid adequacy decision, clearly signposted by the TCA, would settle this in practice.
On the topic of transfers, there are four more items in the EDPB’s transfer recommendations that are worth noting. One is very unhelpful for organisations trying to get to grips with Schrems II. The other three are very helpful for all transfer situations.
The EDPB gives examples of possible technical measures that might equate to supplemental measures when using a transfer tool other than an adequacy decision. It does, however, go on to give two scenarios where, “considering the current state of the art, [the EDBP is] incapable of envisioning an effective technical measure” that would safeguard the personal data, meaning that it cannot imagine how the transfer could go ahead (paras 88 to 91).
These two use cases potentially cover a great deal of transfers of personal data:
possible access by public authorities in that third country goes beyond what is necessary and proportionate in a democratic society.
The EDPB’s transfer recommendation helpfully states (EDPB’s emphasis): “If you transfer personal data to third countries, regions or sectors covered by a Commission adequacy decision (to the extent applicable), you do not need to take any further steps as described in these recommendations.” (para 19)
This reflects the Court of Justice of the European Union’s (CJEU) decision in Schrems II (see paras 13, 91, 96, 105, 129, 116 to 118, 120 and 128) that:
Put simply, if an adequacy decision is granted for the UK, then Schrems II falls away for transfers from the EEA to the UK.
Even though this has been settled law for some time, many still ask if it is a transfer when, for example, a support operative in the United States accesses an EU database. The second useful confirmation by the EDPB is that “remote access by an entity from a third country to data located in the EEA is also considered a transfer” (footnote 22).
The EDPB has confirmed that it views the derogations in art 49 as only good for “occasional and non-repetitive transfers”, so they are not as helpful as the CJEU seemed to imply in Schrems II (para 25).
The TCA means, however, that organisations do not need to consider derogations for transfers between the UK and EEA — at least for the next four to six months.
2020 introduced a high level of uncertainty for privacy professionals dealing with European law. The TCA and the transfer recommendations have brought some short-term respite and methodology, respectively, but the larger issues remain. Time will tell, soon enough, if those issues can be resolved.
Robert Baugh is the founder & CEO of Keepabl, privacy management SaaS based in London, UK. Prior to Keepabl, Robert was general counsel of technology growth companies for more than a decade.
Robert Baugh, Founder & CEO, Keepabl
Produced by Thomson Reuters Accelus Regulatory Intelligence, 15-Jan-2021
[This Q&A was created by and originally posted on FinTECHTalents, on 17 September 2019. Do check out their website and the Festival!] Keepabl offers an intuitive, customer-focused GDPR-as-a-Service solution. Their…
Cookie tools are notoriously tricky to get right, both from an implementation viewpoint and the website visitor’s viewpoint. They’re the first thing people see when they visit your site and…