Of Brexit’s many ramifications, the flow of trade between the EU and UK has been much discussed in the public sphere, but the flow of data is also of importance. This flow depends on whether the UK is determined to have data protections equivalent to those of the EU, and a decision by the European Commission — positive or not — will have significant implications for intelligence collection and sharing activities, as well as for civil liberties.
As part of 2020’s UK-EU negotiations on a post-Brexit Trade and Cooperation Agreement, the two sides agreed (provisionally in effect since 1 January 2021, pending approval by the European Parliament) that the UK would de facto still be treated as a Member State when it comes to the transfer of personal data from the EU to the UK, thus allowing the free flow of personal data from the continent to continue for a period of 4-6 months. On 19 February 2021, the European Commission published a draft decision finding that the UK’s data protection regime provides “essentially equivalent” protection to that of the EU. If confirmed, this would provide a long-term basis for this flow to continue.
There are numerous legal arguments for why this adequacy decision should not be approved by the Member States, particularly the UK’s “mass surveillance” (to privacy advocates) or “bulk collection” programmes (to the UK security and intelligence agencies) – which will also present significant obstacles to EU adequacy decisions for any other country developing similar systems. If the decision is approved, it will likely face an immediate legal challenge in the EU by civil society groups.
Third country treatment
For countries without an adequacy decision from the EU, regular transfers of personal data that are processed subject to the EU GDPR (or, for the EU Institutions, Regulation 2018/1725) to the third country are permitted only if “appropriate safeguards” are put in place between the EU-based data exporter and the third country-based data importer.
These safeguards include:
- for regular data transfers within a group of enterprises, approved Binding Corporate Rules (BCRs);
- for other companies, standard contract clauses (SCCs);
- for the EU institutions, data transfer agreements specifically approved by the European Data Protection Supervisor;
- for public bodies in the EU in relation to processing subject to the GDPR, “administrative arrangements” that have been authorised by the relevant data protection authority (see Article 46 GDPR).
However, these safeguards do not suffice in relation to third countries that engage in undue surveillance (i.e. surveillance that does not meet the European Essential Guarantees for surveillance issued recently by the European Data Protection Board). Rather, as the Court of Justice of the EU has made clear in its Schrems II judgment, in relation to such third countries, “supplementary measures” must be adopted to ensure that the transferred data will be protected against the undue surveillance. If not, then data may not be transferred.
Given the extensive technical surveillance carried out by the UK’s intelligence agency GCHQ, and its intimate cooperation with the USA’s National Security Agency, these EU requirements will create significant obstacles to transfers of personal data from the EU to the UK. The UK will have to choose: it either brings its law and practices in line with the European minimum standards by accepting the conditions outlined above, and can then enjoy free data exchanges with the EU; or it will have to face and accept the negative consequences of not providing “essentially equivalent” protection to personal data as are guaranteed in the EU.
Data laundering havens
The next implication concerns the British islands of Guernsey, the Isle of Man, and Jersey. These self-governing British dependencies were all granted positive adequacy decisions by the EU in, respectively, 2003, 2004 and 2008 – essentially because the UK was an EU Member State and their data protection laws closely followed UK data protection law.
There can be no doubt that the UK will declare all these territories as providing “adequate” protection of personal data in terms of the “UK GDPR” after the end of the post-Brexit transition period – thereby allowing free transfers of personal data from the UK to these territories, including any data that may first have been transferred to the UK from the EU. And this will undoubtedly be reciprocal.
In our opinion, it must follow that the (currently still in force) adequacy decisions for these islands cannot be maintained after the end of the post-Brexit transition period. If they are not revoked or suspended, they would become “data laundering havens” between the UK and EU.
The ‘Five Eyes’
The adequacy decisions on Canada (2001) and New Zealand (2012), like those on Guernsey, the Isle of Man, and Jersey, were issued before the 2013 Snowden revelations about US, UK – and all the Five Eyes – surveillance operations. Therefore, the extensive cooperation between the intelligence agencies of those five countries (mainly, under the UKUSA Agreement that has been extended to them) was not considered in the context of those decisions. Furthermore, the “fifth” eye, Australia, never received an adequacy decision.
If, as we believe, the UK and the USA share much of the data they extract from Internet infrastructure — including whatever data on EU individuals those data contain — with Canada and New Zealand (and Australia), then the adequacy decisions on Canada and New Zealand should also be revoked or suspended, and Australia should not be granted one, until all the Five Eyes agree to bring their surveillance operations and laws in line with the European Essential Guarantees.
Implications for EU Member States
At first glance, a decision to not issue a positive adequacy decision on the UK (or its invalidation by the EU Court of Justice) would not have any immediate legal implications for the activities of EU Member State intelligence agencies, which would remain outside the scope of EU law.
However, if such a decision were to be based, at least in part, on the fact that UK law and practices fail to meet the standards set by the CJEU in relation to third country agencies (as presumably it would be) then the EU and its Member States could not avoid the accusation of hypocrisy and double standards. This is because several of them have laws and practices that also clearly do not meet those standards.[1] Moreover, the intelligence agencies of several other EU Member States have been shown to have been cooperating with the US National Security Agency in very much the same way as the UK, albeit as much more junior partners than the UK.
It is long overdue that the EU — or at least, given the regrettable hole in the EU legal order when it comes to national security, the EU Member States that are supposed to be democracies upholding and adhering to the Rule of Law — give serious attention to the urgent need to rein in their intelligence agencies. In our opinion, the Schrems II judgment, the EDPB European Essential Guarantees, and the difficult issues raised in relation to the UK after Brexit, should now also urgently spur on the EU Member States to bring their own houses in order in relation to mass surveillance and bulk collection of personal data including (but far from limited to) communications metadata.
Finally, any decision by the European Commission to not issue a positive adequacy decision on the UK (or a successful challenge to a positive decision) would have major implications for EU-based controllers and processors of personal data. Specifically, they would have to go through all the steps outlined in the EDPB recommendation on “supplementary measures”, which would have to be adopted in relation to transfers of personal data to the UK after mid-2021, including:
- close study of the UK’s surveillance law and practices;
- the adoption of such measures (very strong encryption; limiting transfers to fully anonymised or very strongly pseudonymised data; strong contractual stipulations);
- informing of, and consultation with, their national data protection supervisory authority in relation to any doubts as to whether the data that are to be transferred can be effectively protected against the activities of the UK GCHQ (and the US NSA);
- ending or not commencing transfers to the UK if protection cannot be effectively achieved.
Failure to carry out these tasks, and failure to protect the data against bulk extraction by GCHQ, would be a breach of the GDPR – and, in our opinion, would constitute a personal data breach for which the EU-based data exporter will be liable. In other words, failure to take these matters seriously, not just by the EU institutions but also by individual EU-based controllers and processors, will have major repercussions.
The stakes are high, both for the UK and the EU, if a positive adequacy decision is not granted. The UK will likely soon be at a tipping point; the country can either reform its data protection standards or lose the right to free data exchange with the EU. In either case, the economic and security implications are vast – not only for the UK and EU, but for the Five Eyes countries as well.
[1] Cf. the short country sections on France and Germany in Douwe Korff et al., Boundaries of Law: Exploring Transparency, Accountability, and Oversight of Government Surveillance Regimes, January 2017, pp. 57 – 58 (and the references to these countries in the body of this report, passim), available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2894490