Update – Data Protection Adequacy after the UK’s Exit from the EU
This post updates a previous article considering the complexities around data protection after the UK’s exit from the EU.
Under the Trade and Co-Operation Agreement, the treaty between the UK and the EU which settled some aspects of the EU and UK’s future relationship, transfers of personal data were to continue without additional safeguards until May 2021, which automatically extends to July 2021 in the absence of future agreement. After this period, unless draft adequacy decisions are approved by the European Commission (with the approval of each Member State), the UK will be treated as a third country, so further safeguards will be necessary.
The Adequacy Process
At the time of writing, we are in the automatic extension period, and the European Parliament has voted to ask the Commission to request that the UK make changes to its data protection practices before granting adequacy. This focuses on some key points:
- The breadth of the UK’s immigration exemption;
- The national security exemption which allows for the collection of bulk data;
- The treatment of metadata (data about data like location and timestamps);
- Onward transfers to countries with fewer data protection safeguards (such as the US);
- Enforcement issues.
This resolution does not prevent the Commission from seeking the consent of Member States to the UK’s adequacy decision, this is done through the comitology process. It was also not passed by a huge majority (344 votes in favour, 311 against and 28 abstaining). Importantly, the European Data Protection Board, which is (in broad terms) the EU’s chief data protection regulator, has already issued two opinions in respect of the UK’s adequacy decision. These opinions were positive, but did point out concerns around the issues which were the focus of the EU Parliament’s motion. The European Commission has yet to respond to the Parliament’s motion, and it is difficult to forecast to what extent this will impede the UK’s adequacy decision.
On 25th May 2021, a case was heard in the European Court of Human Rights (ECtHR), which challenged the “scope and magnitude of the electronic surveillance programmes operated by the Government of the United Kingdom”. This case followed on from the Snowden revelations, and is part of a growing body of jurisprudence on mass surveillance. The Court held that, while a bulk data collection regime may be justified on the basis of national security, in which states have a broad margin of appreciation; the safeguards around such collection, and the adequacy thereof, had a narrower margin. The Court established a “new conceptual framework” for assessing compatibility of safeguards with the Convention and found that the UK’s electronic surveillance and data collection regime did not meet the criteria in some respects. Although the ECtHR is not part of the European Union, this is a significant (and lengthy) judgement which will have implications for how privacy, freedom of expression and national security are weighed against each other. It demonstrates a growing understanding of the importance of privacy in an increasingly surveilled world. With two (partially) dissenting opinions, the implications of this judgement will take some time to fully understand and appreciate.
An uncertain future
In summary, the complexities around data protection adequacy following the UK’s exit from the EU continue to emerge. The concerns about bulk data collection powers are well known and have been well documented– the case mentioned above relates to data collection taking place in 2017. The comitology procedure may still work out in favour of an adequacy decision being granted to the UK. However, adequacy must be re-assessed four years after the decision has been granted. There is concern that the UK will enter into trade deals which have data transfer provisions with countries which do not have an adequacy decision, or that new data strategies might deviate from GDPR standards. On the other hand, the free flow of data is extremely important to key sectors like health, as well as for businesses who wish to trade with, or provide services to, people and organisations within the EU.