Data protection and Brexit: 6-month delay for Schrems 3

Deal gives EC more time to assess UK data protection laws. But time isn’t the problem. The facts are.

With Brexit, few issues affect more businesses than EU data protection (privacy) rules. Huge numbers of businesses rely on the free flow of personal data in and out of the UK, often without realising it.

In that context, the new EU-UK trade agreement has been met with some relief. The deal extends the free flow of personal data for up to 6 months while the European Commission (EC) rates the adequacy of UK data protection laws.

Is this good news? Time to relax and wait for an adequacy decision?

Reading between the lines, there’s reason to think that:

  1. the EC is struggling to make a defensible UK adequacy decision;
  2. neither side can think of a politically viable alternative;
  3. the trade deal kicked the issue, quite desperately and at the last minute, into the long grass; and
  4. by mid-2021, the UK could be as big a data protection headache as the USA – time to prepare for that.

This article looks at how we got here, and why data controllers and processors should secure UK-EEA data flows now using Schrems II-compliant measures. A subsequent article will examine some practical options for doing that.

Background: why the UK needs a favourable adequacy decision

The GDPR is the EU’s data protection law. It carves the world up into three groups of countries:

  • the European Economic Area (EEA);
  • “adequate” countries – these are non-EEA countries which, the EC has decided, have adequate data protection laws; and
  • all other (or “non-adequate”) countries.

Moving EEA personal data into a non-adequate country can be complicated and expensive. However, personal data can move freely amongst the EEA and adequate countries. This makes an EC adequacy decision critical for any country that wants to do a lot of business with the EEA.

Until now, as an EU / EEA member, the UK didn’t need an adequacy decision. Over the previous decades, the free flow of data between the UK and the EEA came to underpin billions of pounds of trade each year.

Brexit posed a potential threat to this. Business groups and privacy campaigners predicted this problem repeatedly during the Brexit debate and throughout the negotiations.

Hush, they were told. UK data protection law is already in alignment with the GDPR, so it’s obvious the EC will give the UK an adequacy finding.

And then the European Court of Justice (ECJ) punched a Schrems II-sized hole in that thinking.

Schrems II: a new hurdle for adequacy decisions

By leaving both the EU and the EEA, the UK pinned all hope for continued data flow on an adequacy finding. It’s a big gamble. And there’s reason to suspect it will be a losing bet. (Oliver Patel and Dr Nathan Lea of the UCL European Institute summarise the problem nicely in EU-UK Data Flows, Brexit and No-Deal: Adequacy or Disarray?)

If the EC gets an adequacy decision wrong, the ECJ can overturn the decision. This has happened already with two adequacy decisions involving the United States. The result has been disruption and expense for businesses across the world. And embarrassment for the EC.

In Schrems I (2015), Austrian lawyer Max Schrems challenged the EC’s adequacy decision on the EU-US “Safe Harbor” scheme. The ECJ invalidated Safe Harbor because it could not safeguard EEA personal data against US government surveillance.

In July 2020, in Schrems II, the ECJ struck down Safe Harbor’s replacement, Privacy Shield.

In both decisions, the ECJ signalled that personal data is not adequately protected in a third country unless the legal system provides meaningful “redress” against government intrusion. The US system did not provide that for EEA data subjects. Therefore, the adequacy decision was wrong.

The judgment provides a new measuring stick for all future adequacy decisions.

If the EC needs more time, something’s up

The EC says it needs more time to assess UK adequacy. On the surface, this looks reasonable. Previous adequacy decisions have taken between 18 months and 5 years to complete. Also, adequacy only applies to non-EU countries. Taken literally, the UK adequacy assessment could only start on 31 January 2020, when the UK formally left the EU. (See the revised Political Declaration on the future EU-UK relationship at page 4.)

Look a bit closer, and this explanation seems a bit hollow. The EC was always in a good position to decide quickly on UK data protection adequacy. Consider:

  • Unlike other adequacy decisions, this one involves a long-time member of the EU. The EC should already have acquired deep experience with, and knowledge of, UK law.
  • Previous adequacy decisions have involved mostly small or distant countries, such as the Faroe Islands, New Zealand, and Uruguay. This time, there’s so much more on the line for the EU itself. Significant disruption would cost EU businesses dearly.
  • Since at least 2017, the UK government has been consistent: the ECJ must not have direct jurisdiction over the UK, and the UK would leave the EU’s single market. That means the UK would not accept the application of EU law, including the GDPR. The need for an adequacy assessment has thus been obvious for at least three and a half years.
  • In May 2018, the UK enacted the Data Protection Act 2018. This explicitly replaced the EU GDPR with a modified UK version, reinforcing the need for an adequacy decision.

Did the EC really leave all the adequacy groundwork until after Brexit Day in 2020? That would beggar belief. The EC usually favours pragmatism over formality when the economic stakes are large for EU member states.

Isn’t Schrems III the real problem?

Looking ahead, if the EC decides the UK provides adequate data protection, a Schrems III fight is practically a given. Will UK laws, such as the Investigatory Powers Act 2016 (aka the Snooper’s Charter), survive a Schrems II analysis? How about the UK’s membership of the Five Eyes intelligence sharing alliance, which involves sharing intelligence data with the US? Or the exclusion of immigration controls from the UK GDPR?

Assuming the EC wants to grant an adequacy decision (and that’s not a given either, by the way), UK adequacy might be impossible to defend after Schrems II.

There are at least three theoretical routes around a UK lack of adequacy. However, each of them would be politically impossible for either the UK or the EU:

  1. The UK could amend its laws to unblock the adequacy finding.
  2. The EU could amend the GDPR to alter the standards for adequacy findings and remove the explicit link to the European Convention on Human Rights.
  3. The EU and UK could extend the current 4-to-6-month reprieve (requires a further EU-UK treaty with approval of all 27 member states).

What now for data controllers and processors?

With a UK adequacy finding still in the air, there are two choices.

You can wait and hope for a positive adequacy decision. This would be a big gamble. You could save a lot of money and distraction if it works out, or you could find yourself scrambling in 6 months when the new deadline arrives with no solution in sight.

Alternatively, you can prepare now as if the UK will become a non-adequate country in 4 to 6 months. This will be expensive for some, and potentially unnecessary. However, compare that to a surprise “no adequacy” result. Preparing now lets you minimise and plan for disruption during the coming months. Also, the results should work just as well with or without an adequacy decision.