On February 19, 2021, the European Commission published two draft decisions finding that UK law provides an adequate level of protection for personal data. The first would allow private companies in the EU to continue to transfer personal data to the UK without the need for any additional safeguards (e.g., the Commission’s standard contractual clauses), while the second would allow EU law enforcement agencies to transfer personal data subject to Directive 2016/680 — the Data Protection and Law Enforcement Directive (LED) — to their UK counterparts.
Crucially, the Commission states that UK public authorities’ powers to access personal data are limited to what is strictly necessary, and that there are sufficient legal protections against undue interference, including effective rights of redress. This finding is likely to be closely scrutinized — in Schrems I (C-362/14) and Schrems II (C-311/18), the powers of U.S. law enforcement to access personal data in bulk, without adequate redress, were crucial to the Court of Justice of the European Union’s finding that the Safe Harbor and Privacy Shield frameworks respectively did not provide an adequate level of protection.
Despite the positive outcome for EU and UK businesses and law enforcement agencies, the draft decisions will only apply for a period of four years after entering into force, and will lapse after that time, unless extended by the Commission. This is a stricter approach than the Commission took in relation to its finding of adequacy for Japan, which will not lapse absent repeal by the Commission or invalidation by the CJEU. The upshot is that the Commission will need to undertake a further full assessment of the adequacy of UK law in four years’ time, and may also revisit this decision earlier if it considers that UK law has materially changed.
Before these decisions are made final, the European Data Protection Board (EDPB) will issue an opinion on the Commission’s assessment of the adequacy of UK law, and the Member States will then likely give the green light for the Commission to proceed. The Commission has not set a public time limit in which the EDPB must issue this opinion (although we understand this is due in April), but the “interim adequacy” solution set out in the EU-UK Trade and Cooperation Agreement expires on 30 June, so we expect the Commission is aiming to finalize these decisions before that date.
Substantively, in line with Article 45(2) GDPR, the recitals to these decisions each consider four elements:
- The constitutional framework of the UK, including respect for fundamental rights.
The Commission emphasizes the importance of the Human Rights Act 1998, which incorporates the European Convention on Human Rights, as a critical aspect of UK law, as it grants the rights to privacy and to a fair trial, and requires public authorities to act in a way that is compatible with these rights.
- The data protection framework set out in the UK Data Protection Act 2018 (DPA) and the UK GDPR.
The draft decisions consider in particular the rules governing lawful processing, data subjects’ rights, and onward transfers of personal data. The clear theme of this analysis is, as expected, that UK data protection laws are essentially identical to those in the EU, due to the implementation of the GDPR and LED into UK law. The decisions contain substantial discussion of the restrictions on data subjects’ rights set out in Schedule 2 DPA, as the UK Government had discretion in these matters under Article 23 GDPR and Article 15 LED, referring to UK case law that has interpreted these rights in accordance with the principles of necessity and proportionality (as required by the GDPR and LED).
- The existence of independent oversight.
The draft decisions note in particular:
- the relatively large headcount at the UK Information Commissioner’s Office (ICO) — 768 people in March 2020;
- the sources of the ICO’s budget, which does not come from the proceeds of administrative fines;
- the number of complaints the ICO receives — approx. 40,000 per year since the GDPR came into effect, although it is not clear how many of those were investigated; and
- the number of independently opened investigations the ICO has carried out since the GDPR came into effect — 2,000. The draft decisions also flag the significant monetary penalties issued to British Airways and Marriott.
Beyond the ICO, the draft decisions state that the domestic courts of the UK have oversight of data protection matters, and that there are mechanisms for EU data subjects to obtain redress either from the ICO or these courts.
- The possibility of access to and use of data by UK public authorities.
The final element of the assessment is likely to be the most controversial, as the UK’s laws governing public authorities’ access to personal data are not derived directly from EU law, and are therefore more likely to diverge. Further, in both Schrems I and Schrems II, the CJEU invalidated the European Commission’s findings of adequacy in relation to the Safe Harbor and Privacy Shield frameworks on the basis that U.S. public authorities were able to access and use personal data relating to EU data subjects in a manner inconsistent with EU law.
This assessment was primarily carried out in relation to the GDPR decision, as in the context of law enforcement processing under the LED, public authorities already have access to the data. In any event, the Commission first noted three principles relevant to the assessment:
- that any limitations on the right to the protection of personal data must be set out in law, and the laws permitting those limitations must determine their scope;
- that any limitations on this right must be proportionate, meaning that they must apply only insofar as they are strictly necessary in a democratic society to meet specific public interest objectives; and
- that the legislation setting out these limitations must be legally binding, and enforceable by data subjects before local courts.
The Commission again notes the importance of the Human Rights Act 1998 and the UK’s membership of the Council of Europe, which it states “frame its system of government access on the basis of principles, safeguards and individual rights similar to those guaranteed under EU law and applicable to the Member States” (Recital 120). It also notes the safeguards on law enforcement and intelligence services access set out in Parts III and IV of the DPA, including in particular that the DPA incorporates the GDPR’s data protection principles, safeguards on processing special category data, and international transfers.
The GDPR decision in particular goes on to describe the specific powers law enforcement and intelligence agencies have to access personal data (whether search or production orders, or investigatory powers under the Investigatory Powers Act 2016 (IPA)), as well as the limitations and safeguards on that access (in particular the requirement for access to be necessary and proportionate) and oversight of those powers. It also discusses the impact of the UK-U.S. agreement, under which U.S. public authorities could compel disclosure of personal data from companies located in the UK, subject to the limitations and safeguards set out in that agreement. Importantly, the draft decision notes that all disclosures under the UK-U.S. agreement will be subject to the same protections as are set out in the EU-U.S. Umbrella agreement.
Within this description, there is a substantial analysis of UK intelligence services’ powers to access data in bulk under the IPA. The Commission emphasizes the existence of limitations and safeguards, in particular the requirement for a link between the specific power to be used and the underlying operational objective, requirements for necessity and proportionality, limitations on data use in the DPA, and oversight from various regulatory bodies (including the ICO, Investigatory Powers Commissioner, Investigatory Powers Tribunal, and the Parliamentary Intelligence and Security Committee). This, according to the Commission, differentiates the powers under the IPA from “mass surveillance” (Recital 211).