Brexit impact on UK/EEA data protection

The effects of Brexit on transfers, adequacy & Schrems II

Originally published by Thomson Reuters © Thomson Reuters.

The Brexit transition period ended at 11pm on December 31, 2020 and the UK became a third country for the EU General Data Protection Regulation (EU GDPR).  The December 24 announcement of a UK-EU trade deal with a controversial data protection impact just seven days before the deadline may either have felt like “too little, too late” after months of being told to prepare for no-deal Brexit, or confirmed the feeling that “something will be done”, depending on how proactive organisations were in their privacy governance.

This article looks at what was done, particularly on the transfer of personal data, and the impact on organisations’ privacy governance.  The article focuses on third countries, specifically the UK and European Economic Area (EEA) respectively, although transfer can be to a third country or an international organisation.

Third country

Regardless of the Trade and Cooperation Agreement (TCA) of December 24, at the end of 2020:

  • the UK became a third country for the EU GDPR; and
  • the member states of the EEA became third countries under the UK’s version of the EU GDPR, in force from January 1, 2021 (UK GDPR).

Appropriate safeguards or “transfer tools”

The well-known rules for transfers, and the appropriate safeguards, are set out in Chapter V of each GDPR.  The European Data Protection Board (EDPB) calls the safeguards “transfer tools” in its November 2020 “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (transfer recommendations).

The transfer recommendations do not add anything particularly new, but they set out a valuable framework for making and recording organisations’ decisions on transfers and helpfully confirm some points on transfers and Schrems II.

There is a long-established pecking order for safeguards when transferring personal data (although other relevant GDPR aspects also need to be considered, such as a data processing agreement satisfying Art 28):

  • First, one looks for an adequacy decision by the European Commission or the UK under the respective Art 45, in which case no further safeguard is needed regarding the transfer.
  • Second, one considers the appropriate safeguards in Art 46. In practice, this usually means the familiar standard contractual clauses (SCCs).  (Binding corporate rules (BCRs) are another tool, but only 140 entities had BCRs approved as at January 11, 2021.)
  • And, as a last resort, there are the derogations in Art 49.

Transfers from the UK to the EEA

The UK legislation adopting the UK GDPR enshrines an adequacy decision in favour of the EEA, so transfers can continue to take place from the UK to the EEA in 2021 and beyond, as long as that is in place.

Transfers from the UK to non-EEA countries

The same UK legislation adopts all EU GDPR adequacy and SCC decisions as at the end of 2020.

  • If there is a valid, existing adequacy decision under Art 45 of EU GDPR at the end of 2020 (for example, including Argentina and Japan but clearly excluding Privacy Shield), organisations can rely on it for transfers under UK GDPR.
  • While Europe’s SCC decisions were also adopted by the UK, organisations will need to adapt the SCCs slightly, for example, to replace references to EU and member state with references to the UK.  The UK Information Commissioner’s Office (ICO) has done this and published SCCs ready for use for transfers from the UK.

Adequacy for the UK

As at January 11, 2021, there is no adequacy decision under EU GDPR in favour of the UK.  The TCA provides a further transition period for transfers of up to six months (see below), which many have seen as proof that an adequacy decision is close.

The Joint Declarations accompanying the TCA include a declaration of the European Commission’s “intention to promptly launch the procedure for the adoption of adequacy decisions with respect to the UK [ … and … ] to work closely to that end with the other bodies and institutions involved in the relevant decision-making procedure”.

Public commentary remains divided on the likelihood of an adequacy decision, primarily given the UK’s own surveillance laws.  The UK legal environment is very different from that of the United States, not least that:

  • the UK has had horizontal, generally applicable EU-derived data protection laws for decades, including the EU GDPR itself; and
  • the UK has now adopted the EU GDPR essentially word-for-word as the UK GDPR, which does not discriminate on nationality or residency,

whereas the United States lacks a horizontal, general data protection law at federal level.

As a recent example of case law on the protection of fundamental rights, on January 8, 2021, in the Privacy International judicial review case, the UK High Court cited the need for proportionality and necessity when holding general warrants under the UK Intelligence Services Act 1994 unlawful.

Transfers and the EEA-UK TCA

Normally, the absence of an adequacy decision for a third country (such as the UK) would mean that EEA data exporters would have to look to the transfer tools in art 46 (such as SCCs), and Schrems II would be triggered.  This would include the need to review the UK’s surveillance laws.

The TCA does, however, include a controversial provision, art FINPROV.10A, which states that, for a “specified period”, “transmission of personal data from the [EEA] to the United Kingdom shall not be considered as transfer to a third country under Union law”.

The specified period is:

  • four months (i.e., the end of April 2021), extending to six months (i.e., the end of June 2021) unless a party objects, or
  • an earlier adequacy decision in favour of the UK.

There are conditions, which should not be problematic given the short timeframe, namely that:

  • no change is made to the UK’s data protection law regime as at December 31, 2020 (including the UK GDPR and the Privacy and Electronic Communications Regulations (PECR)); and
  • the UK does not exercise certain “designated powers” without EU agreement, including the issue of adequacy decisions or new SCCs or to approve BCRs, codes of conduct or certification mechanisms.

The main point is that, for the “specified period”, the UK is not a third country for transfers, meaning that Chapter V of the EU GDPR is not engaged and no adequacy decision or other transfer tool is necessary.

This is very good news for EEA data exporters and UK data importers, but the provision has created some controversy, based on the ability of the TCA (as a trade deal) to side-step the provisions of the GDPR.  A rapid adequacy decision, clearly signposted by the TCA, would settle this in practice.

More from the EDPB

On the topic of transfers, there are four more items in the EDPB’s transfer recommendations that are worth noting. One is very unhelpful for organisations trying to get to grips with Schrems II.  The other three are very helpful for all transfer situations.

This might not work anyway …

The EDPB gives examples of possible technical measures that might equate to supplemental measures when using a transfer tool other than an adequacy decision.  It does, however, go on to give two scenarios where, “considering the current state of the art, [the EDPB is] incapable of envisioning an effective technical measure” that would safeguard the personal data, meaning that it cannot imagine how the transfer could go ahead (paras 88 to 91).

These two use cases potentially cover a great many transfers of personal data:

  • the processor in the third country “needs access to the data in the clear” to execute the task assigned to it (Use Case 6); or
  • a person in a third country has access to, and “uses the data in the clear” for its own purposes, including a group member providing HR services to EEA group members (Use Case 7); and

possible access by public authorities in that third country goes beyond what is necessary and proportionate in a democratic society.

Adequacy and Schrems II

The EDPB’s transfer recommendation helpfully states (EDPB’s emphasis): “If you transfer personal data to third countries, regions or sectors covered by a Commission adequacy decision (to the extent applicable), you do not need to take any further steps as described in these recommendations.” (para 19)

This reflects the Court of Justice of the European Union’s (CJEU) decision in Schrems II (see paras 13, 91, 96, 105, 129, 116 to 118, 120 and 128) that:

  • the Art 45 process includes a review of surveillance laws; and
  • data protection authorities are bound by a Commission adequacy decision.

Put simply, if an adequacy decision is granted for the UK, then Schrems II falls away for transfers from the EEA to the UK.

Transfers include making available

Even though this has been settled law for some time, many still ask if it is a transfer when, for example, a support operative in the United States accesses an EU database. The second useful confirmation by the EDPB is that “remote access by an entity from a third country to data located in the EEA is also considered a transfer” (footnote 22).

Derogations are tactical, not strategic

The EDPB has confirmed that it views the derogations in art 49 as only good for “occasional and non-repetitive transfers”, so they are not as helpful as the CJEU seemed to imply in Schrems II (para 25).

The TCA means, however, that organisations do not need to consider derogations for transfers between the UK and EEA — at least for the next four to six months.

Concluding thoughts

2020 introduced a high level of uncertainty for privacy professionals dealing with European law. The TCA and the transfer recommendations have brought some short-term respite and methodology, respectively, but the larger issues remain. Time will tell, soon enough, if those issues can be resolved.

Robert Baugh is the founder & CEO of Keepabl, privacy management SaaS based in London, UK. Prior to Keepabl, Robert was general counsel of technology growth companies for more than a decade.

Robert Baugh, Founder & CEO, Keepabl

Produced by Thomson Reuters Accelus Regulatory Intelligence, 15-Jan-2021

 

 

