Personal data transfers between the UK and the EU post-Brexit
On 24 December 2020, after four years of tears and frustration, the United Kingdom (‘UK’) and the European Union (‘EU’) have finally reached an agreement; the so-called EU-UK Trade and Cooperation Agreement (‘TCA’). The TCA regulates multiple legal issues regarding the relationship between the UK and the EU after the transition period, one being international data transfers from the EU to the UK. As you might know, the UK, from EU perspective, essentially is a ‘third-country’ within the meaning of the General Data Protection Regulation (‘GDPR’) as it is no longer part of the EU.[1] Whilst the EU Commission (‘EC’) aimed at adopting an adequacy decision, the legal concerns ahead rendered it very difficult to adopt such a decision before the end of the transition period (31 December 2020). Nevertheless, two weeks ago, an interim solution was adopted during the sweaty negotiations.
Adequacy decision
The GDPR requires personal data only to be transferred to a third country when the conditions in Chapter V of the GDPR are complied with.With an adequacy decision, no additional safeguards, such as Standard Contractual Clauses (‘SCC’) [2] or Binding Corporate Rules are required.[3] An adequacy decision seems therefore desirable as businesses otherwise have to execute new contracts for data transfers which is a huge responsibility. Also, an adequacy decision will save the UK’s economy a loss of 1.6. billion pounds.[4] Only then, essentially, personal data transferred from the EU to the UK will be considered to be legally transferred across the Channel.
Obstacles
Unfortunately, the EC was not up for the task to adopt an adequacy decision by the end of the year as a few obstacles refrained the Commission of doing so. The first one is that the protection of personal data will no longer constitute a fundamental right in the UK pursuant to art. 8 Charter of Fundamental Rights of the European Union (‘Charter’). However, one can argue whether this concern was legitimate, as article 8 of the European Charter of Human Rights (‘ECHR’) remains applicable. Although article 8 ECHR enshrines the right to privacy, the European Court of Human Rights (‘ECtHR’) has recognized that all kinds of personal data can potentially interfere with the scope of article 8 ECHR.[5] Secondly, although the UK has confirmed to seek an adequacy decision, the UK’s investigatory Powers Act 2016 may not be compatible with the GDPR. While this Act remains part of law enforcement in the UK, the ECJ has earlier ruled that types of ‘bulk surveillance practices’ that are permitted under the Act, fail to respect data protection principles. On this footing, the UK’s surveillance laws potentially lack the necessary protections in order to reach the level of privacy as safeguarded by EU-law.
Sui generis
As a consequence, the EU and the UK adopted a so-called ‘interim-solution’. Both the EU and the UK view this deal as a great temporary success. On Christmas Eve, the House of Commons voted by 521 votes to 73 in favor of the legislation. This solution essentially enshrines that the UK shall not be considered to be a third country for the transfer of personal data for the period of four months with the extension of two months starting at 1 January 2021. This means that for the time being, personal data can continue to be transferred across the Channel from the EU to the UK without additional safeguards. Thus, the EC has granted itself six more months to scratch their heads over the adoption of an adequate decision.
This interim solution renders that article 44ff GDPR do not apply. Nevertheless, transfers of personal data from the EU to the UK can still be transferred freely. transfers to the UK are not subject to the same requirements as transfers to other third countries. Essentially, the UK has an ‘unique’ – commonly referred to as sui generis – status under the GDPR as its status diverges from any other (third) country.
How to go on
We must await whether the EC will be able to adopt an adequacy decision in 2021. Until then, personal data can continue to be transferred freely from the EU to the UK from January 1, 2021, either until the adoption of such decision or for the duration of four months with the extension of two months. While for transfers to the UK an interim solution was adopted, the Data Protection Act 2018, which is the national transposition law of the GDPR, will continue to apply within the UK.
It will come as no shock, however, that this interim solution will cause for debate in the data protection world, as other third countries are put in a less favorable position in comparison to the UK. The United States (‘US’) for instance, has a similar surveillance system as the UK, yet the ECJ had ruled that the US’ surveillance system is disproportionate and therefore it does not offer an adequate level of protection.[6] Don’t you think that disapplying article 44ff GDPR to the UK, even for a specified timeframe, therefore interferes with the principle of equality under international law?
[1] General Data Protection Regulation, 2018, article 44ff.
[2] General Data Protection Regulation, 2018, article 46 GDPR.
[3] General Data Protection Regulation, 2018, article 47 GDPR.
[4] Vincent Manancourt, EU, UK mulling interim data flows solution post-Brexit, (Politico, 8 December 2020)
< https://www.politico.eu/article/eu-uk-brexit-personal-data-privacy-no-deal/> retrieved on 28 December 2020.
[5] ECtHR, Amann v Switserland (2000) 30 EHRR 843, paras 65-87.
[6] Case C-311/18 ECJ, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems [2020] OJ 21/08/2020