At the end of the transition period on 31 December 2020, the UK will become what the EU refers to as a ‘third country’: an external state with which it forms a relationship on trade, security, and so on. At that point, data can no longer flow freely from the EU to the UK without an ‘adequacy decision’.
An adequacy decision set out in Article 45 of the GDPR is the EU’s way of protecting the rights of EU citizens by insisting on the highest standards for data protection where EU citizen’s personal data will be processed.
The Commission assesses a third country’s data protection and if deemed equivalent to EU standards adequacy can be granted.
However, a recent ruling by the ECJ dents the UK’s prospects of such a decision – with important economic, and potentially security implications.
The flow of data is vital for the UK and EU economies. In 2018, the value of the data economy was estimated to be £301 billion, or 2.4% of EU GDP. The Commission estimates that by 2025 its value will increase to €829 billion or 5.8 percent of EU GDP.
With its large service sector, the UK has the largest internet economy as a proportion of GDP within the G20, reflecting the centrality of data to most goods and services trade. An interruption in data flows would therefore be costly.
Adequacy decisions fall outside the remit of the formal UK-EU trade negotiations. However, the decision is politicised, and appears more unlikely in the event of an acrimonious no deal Brexit. Ironically, one of the key sticking points in the negotiations are EU state aid rules: the UK does not want to limit its ability to support domestic potential tech giants.
Yet, as The Economist notes, without the free flow of personal data from the EU to the UK, it is unlikely that the UK would be able to develop such a domestic global tech challenger firm.
Whilst data can be transferred without an adequacy decision, in practice, it is far from straightforward.
The most likely way in which data would be transferred in this scenario is through Standard Contractual Clauses (SCCs) agreed between data senders and receivers in the UK and the EU.
Whatever verdict the Commission reaches, recent legal challenges reveal the continued uncertainties that are likely to characterise future UK-EU data flows.
In particular, in July 2020 the privacy activist Max Schrems was successful in overturning the partial-adequacy arrangements between the US and EU called the Privacy Shield over concerns about the US security services’ use of personal data.
The case also sought to invalidate SCCs, and whilst it was not successful in the latter, it did make them more burdensome for organisations.
In the wake of this, the ECJ has issued a new ruling that will have considerable consequences for personal data transfers outside the EU and will likely impact the Commission issuing an adequacy decision to the UK.
The court’s verdict concerned the potential application of the UK’s Investigatory Power’s Act (2016) (IPA) to assemble communications data en masse and potentially transfer it to national security services.
The UK argued that given the purpose of such mass collection of data was to protect national security, such practices should be exempt from the application of EU law.
The ECJ disagreed, stating not only that EU law is applicable in such instances, but also that such general and undiscerning data collection requirements were not permitted.
The significance of this ruling goes far beyond its immediate context. In particular, it creates serious doubts as to whether the UK can obtain a declaration of adequacy under article 45 of the GDPR.
It stipulates that the Commission can only grant such a relationship when ‘adequate protection’ exists for data subjects in the jurisdiction in question, taking into account inter alia:
‘the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data…’
The ECJ’s preliminary ruling is therefore clearly linked to the factors the EU commission must take into account when deciding whether or not to make an adequacy decision with the UK.
Similar to the Privacy Shield arrangement with the US, the existence of provisions within the IPA that could be seen has violating the rights of EU based data subjects would provide the Commission with serious pause for thought when making such a decision.
Furthermore, were the Commission to fail to properly take it into account, its decision could be open to legal challenge.
If the UK does not alter its IPA (something that seems unlikely from a political perspective currently), the likelihood of such a challenge should not currently be overlooked.
By Martin Heneghan, research fellow at the UK in a Changing Europe, Paul Quinn, researcher at the Vrije Universiteit Brussel (VUB) and Sarah Hall, senior fellow at the UK in a Changing Europe.