The United Kingdom – This Sceptred (and Adequate) Isle?

The United Kingdom has officially left the European Union. But what does this mean for data transfers? This is one of the biggest concerns facing controllers and processors who regularly transfer personal data between the EEA and the UK. For now, during the "transition period" personal data can continue to flow freely from the EEA to the UK.  At the end of the transition period (currently scheduled for 31^st December 2020),  the UK will become a "third country" for the purposes of the GDPR. To ensure that data flows from the EEA to the UK are not disrupted, the UK will need to secure an adequacy decision from the European Commission (the "Commission"). In this blog post, we take a look at how the Commission determines adequacy and the UK's prospects of securing that haloed status.
 
What is adequacy?
 
The GDPR requires that EU standards of data protection are maintained whenever personal data is transferred outside of the EEA. To achieve this, Chapter V of the GDPR prohibits any transfers of personal data to a country or territory outside the EEA (a "third country") unless the Commission has determined that the third country provides an adequate level of protection (i.e., has been granted adequacy status) or the transfer is made using one of the GDPR's "appropriate safeguards" (i.e., Standard Contractual Clauses or approved Binding Corporate Rules). Adequacy represents the holy grail for data transfers because it removes the time, work and burden that companies and organisations otherwise face in putting these appropriate safeguards in place.
 
At present, the Commission has only granted adequacy to 13 countries and territories. This includes full adequacy in respect of Switzerland, New Zealand, Israel and Japan, as well as partial adequacy for transfers to the United States (for entities participating in the Privacy Shield framework) and Canada (for commercial organisations). See the full list here.
 
Why is adequacy important for the UK?
 
Adequacy is very important to the UK. During the transition period, the UK is still subject to EU law (including the GDPR) and therefore personal data can flow freely between the UK and the EEA. However, as soon as the transition periods ends and the UK is no longer subject to the GDPR it will become a third country and, without adequacy, appropriate safeguards will be needed to lawfully transfer data – which, in most cases, means putting in place Standard Contractual Clauses. For companies that regularly transfer data between the EEA and the UK this could pose a huge administrative burden and cause significant deal friction with customers. Under paragraph  9 of the Political Declaration on the framework for the future EU-UK relationship ("the Political Declaration") the Commission will endeavour to adopt an adequacy decision for the UK by the end of 2020, if the applicable conditions have been met.
 
How do you obtain adequacy?
 
Adequacy involves a comprehensive assessment of a third country's data protection regime, both in terms of the substantive protections in place around personal data and its mechanisms for oversight and redress. The adoption of an adequacy decision entails: (1) a proposal from the Commission, (2) an opinion from the European Data Protection Board ("EDPB"), (3) approval from representatives of the EU Member States, and finally (4) the adoption of a decision by the European commissioners. This takes time: Argentina obtained adequacy the fastest (in over 18 months) but for most other countries the process took years.
 
In terms of the assessment itself, the third country does not have to protect personal data on an identical basis to the GDPR but must provide "essentially equivalent" protection. This means that adequacy does not require a point-to-point replication of EU rules but instead considers whether the country's system delivers equivalent protection as a whole. Article 45 of the GDPR includes a non-exhaustive list of factors that the Commission must take into account:
 

• the third country's laws and rules governing data protection,
• relevant legislation concerning public security, defence, national security and criminal law,
• the respect for the rule of law, human rights and fundamental freedoms more generally,
• the access to personal data by public authorities,
• the rules for the onward transfer of personal data, and
• any international commitments the third country has entered into.

 
In addition, in a communication dated 10 January 2017, the Commission identified a number of further criteria:
 

• the extent of the EU's commercial relations with the third country (including the existence of ongoing negotiations around a free trade agreement),
• the extent of personal data flows from the EU to the third country, reflecting geographical and/or cultural ties,
• the role the third country plays in the field of privacy and data protection, and
• the overall political relationship with the third country in question.

 
In summary, the assessment not only looks at the country's laws around data protection but other areas such as national security and defence, while political factors can also play an important role.
 
What are the UK's prospects?
 
On the face of it, you might think that obtaining adequacy would be relatively unproblematic for the UK, in particular given the (current) close alignment between the UK's and EU's data protection regimes, the close historic ties between the UK and the EU and the prominent role the UK has historically played in the development of privacy and data protection laws. However, this is not necessarily the case. 
 
The most obvious problem is timing.  Under Boris Johnson's leadership, the UK Government is keen to "get Brexit done", which means ending the transition period on 31^st December 2020.  However, no adequacy process has ever been completed so quickly.
 
Another potential problem is the Government's policy on future UK data protection law.  Recent pronouncements from the Prime Minister seem at odds with Government policy as set in current domestic legislation which deals with the end of the transition period. That legislation ensures that EU legislation and standards are preserved in UK law at the end of the transition period.  However, the Prime Minister has said that "The UK will in the future develop separate and independent policies in areas such as data protection".  If this means that the UK is seeking to create a new framework for data protection then this is also a major obstacle to obtaining adequacy before the end of 2020. The adequacy decision cannot be based on a framework which is not yet in existence.
 
On the other hand, the Prime Minister may be referring to paragraph 9 of the Political Declaration, which mentions the UK developing its own international transfers mechanisms at the same time as the Commission assesses the UK for adequacy.  So the Prime Minister's statement may simply refer to new policies in the context of international transfers, rather than in relation to the data protection regime as a whole.
 
In any event, there are other issues that threaten the UK's chances of obtaining adequacy. In a 2018 report, the UK Home Affairs Committee cited a number of further stumbling blocks:
 

• the UK's national security legislation, in particular the Investigatory Powers Act 2016,
• onward transfers from the UK (including to the United States) under the UK's data protection regime,
• the fact that the EU Charter of Fundamental Rights will not become domestic law through the European Union (Withdrawl) Act 2018 (as it is an exception to the Act's savings mechanism), and
• Government red lines on future CJEU jurisdiction.

 
The first two of these factors pose a particular challenge. The Investigatory Powers Act provides a framework for UK law enforcement and intelligence agencies to obtain, intercept and retain communications and communications data. Critics have dubbed it the "Snooper's Charter" on the basis it enables the Government to carry out mass surveillance without adequate oversight or controls. As a member of the EU, the UK was able to keep the EU out of the national security sphere, given that the EU's Treaties cite national security as a matter for Member States.  However, as explained above, a third country's national security arrangements must be taken into account in the context of determining whether or not to grant that country adequacy. The UK Information Commissioner has described the Investigatory Powers Act as a "vulnerability to achieving adequacy".
 
In terms of onward transfers, this is also a significant risk. If the UK's own transfer mechanisms do not appear to the Commission to be sufficiently robust, then this could create a "back door" whereby EU data flows freely to the UK and is then transferred to less protective countries. This highlights an important point. In order to obtain adequacy, the UK will ensure that any new international transfers mechanisms under UK law, and any new arrangements it makes with other third countries, do not create weaknesses in the protection of EU citizens' rights and undermine adequacy negotiations. Ultimately, this means that the scope for the UK to diverge from EU standards is very limited. 
 
The other two issues cited by the Home Affairs Committee may be less problematic, given that the other third countries that have obtained adequacy are not subject to the Charter of Fundamental Rights or the jurisdiction of the CJEU.  It would therefore be surprising if the UK's position on the Charter of Fundamental Rights or the continuing CJEU jurisdiction compromised the prospects of an adequacy decision.
 
Final thoughts
 
Uncertainty hangs over the UK's ability to obtain adequacy.  If the Commission identifies any concerns about the UK's data protection regime then it could require the UK to make changes or provide additional assurances before granting adequacy. This is what happened with Japan, the most recent country to obtain adequacy. Before the Commission adopted its decision, Japan was required to put in place additional safeguards, including conditions under which EEA data can be transferred from Japan to other third countries and assurances as to access to data by Japanese public authorities for criminal law enforcement and national security purposes.
 
Equally, if the UK intends to diverge from EU standards then this imperils the UK's chances of getting an adequacy decision by the end of 2020:  adequacy cannot be granted for a framework which does not yet exist. Even if the Government is not intending to introduce a new data protection framework or is only intending to diverge in the context of international transfers then yet another obstacle remains: time.  The process for gaining an adequacy decision is detailed, careful and painstaking. It involves careful consideration of the legal framework in the territory which is being assessed.  
 
Without adequacy, alternative mechanisms will need to be put in place to enable transfers from the EEA to the UK.  Many organisations may be ready for this:  they have been here before in the context of no-deal planning.  But many will not be ready.  For them, and for EEA and UK businesses more generally, an adequacy decision for the UK before the end of 2020 would be welcome news.