Until 31 December 2020, it is business as usual for the protection of personal data in the UK – GDPR still applies. This also means that all-important data flows between the UK and EEA can continue to operate as they do now. However, at the end of the transition period, the UK will be a 'third country' for the purposes of GDPR, and will need the benefit of an adequacy decision from the European Commission for data transfers from the EEA to the UK (and Gibraltar) to continue to operate without difficulty. Whilst alternative tools are available to effect data transfers (such as standard contractual clauses), these are less practical and more complex and their validity is uncertain pending the outcome of the Schrems II case currently before the CJEU.
With the UK having officially left the EU on 31 January 2020, the Commission has now started the process of determining whether the UK does, indeed, ensure a level of protection for personal data which is "essentially equivalent" to that of the EU (an identical regime is not required). The Commission will endeavour to reach a conclusion by the end of 2020. To date, the Commission has made 13 adequacy decisions, but this will be the most significant given the compressed timetable of just 11 months, the importance of data protection in relation to future relations between the UK and the EU, particularly for the smooth import and export of goods and services, and continued law enforcement and judicial co-operation.
Over the last three years, the position has consistently been that the UK will follow Europe in relation to data protection. Steps have been taken to legislate to implement 'UK GDPR', essentially replicating the actual GDPR, after the end of the transition period. This will occur through the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which will amend GDPR (as brought into UK law as retained EU law (under the EU (Withdrawal) Act 2018)), the Data Protection Act 2018 (DPA18), and other data protection legislation.
Given that established trade links with the EEA depend so much on the free flow of personal data, it is difficult to see how anything other than equivalent data protection standards, and therefore a Commission adequacy decision, would be the UK Government's preferred outcome. However, there have been signs and hints in recent months that the current Government is prepared to consider divergence with the EU over data protection standards. For example, in early February, the Prime Minister said in his Greenwich speech: "We will restore full sovereign control over our borders and immigration, competition and subsidy rules, procurement and data protection." Concerns have also been expressed at Google's decision announced in February, that it would be moving the data and user accounts of UK users from the EU to the US from 31 March 2020, which many see as an attempt to avoid the extra-territorial reach of GDPR.
In the context of these concerns, it is interesting to review the Government's recently published Explanatory Framework for Adequacy Discussions, a comprehensive series of 18 papers providing an overview of the UK's legal framework "underpinning high data protection standards", intended to assist the European Commission to conduct its assessment. Aside from anything else, the documents are a useful overview of the complex legislative framework set out in DPA18.
In particular, the Government's documents draw attention to the following as indicative of an essentially equivalent regime:
- The comprehensive legislative framework for data protection comprising DPA18 and the UK GDPR: This includes robust principles to protect personal data, clear grounds limiting when processing of personal data is lawful, effective and enforceable rights for data subjects, limitations and conditions to ensure restrictions to those rights are necessary and proportionate, clear onward transfer rules from the UK and additional safeguards in certain circumstances.
- Effective administrative and judicial redress provided by the data protection framework: As well as the possibility of seeking judicial redress, the UK's ICO is described as having a strong track record as an independent regulator handling complex cases and imposing tough sanctions where necessary (the potential massive fines against British Airways and Marriott are cited as examples, though a final decision is yet to be reached on these breaches). It is also noted that the ICO was reported in 2017 as one of the three most active data protection authorities in relation to individual fining decisions. With approximately 750 staff (rising to 825 by 2020-21) and a budget of £51.4 million for 2019/2020, the UK ICO works closely with other data protection authorities, being the lead authority on "dozens of One Stop Shop cases". The materials note that the UK is committed to maintaining this co-operation and to remaining influential in driving global privacy standards.
- Robust rules for law enforcement and national security processing of personal data, requiring law enforcement, security, and the intelligence community to adhere to strict principles of necessity and proportionality: The documents note that Part 4 of DPA18, dealing with processing of personal data by the intelligence community in the UK, was designed to be consistent with the standards and obligations in the modernised Convention 108 and ensures that such processing is "subject to appropriate and proportionate controls". Meanwhile, it is also noted that the "world-leading" Investigatory Powers Act 2016 provides for "unprecedented transparency and oversight" over the use of investigatory powers in the UK. Finally, DPA18 implements the Law Enforcement Directive into UK law with appropriate and proportionate controls protecting the rights of data subjects.
Aside from the legal framework of DPA18 and UK GDPR, the Government refers to the "strong ecosystem" underpinning it. This includes the National Cyber Security Strategy, a commitment to membership of the European Convention on Human Rights, the UK's Digital Charter, the approach to online harms, the National Data Strategy, the vital role of the judiciary, and the rule of law generally. The Government proclaims its strong commitment to protecting personal data, resting on a "holistic approach to data".
In reaching its conclusion on adequacy, the Commission will consider:
- The existence of basic content principles
- The existence of additional content principles for specific processing – special categories of data, the ability to object to processing for direct marketing and provisions relating to automated decision making and profiling
- The existence of procedural and enforcement mechanisms
- Essential guarantees on national security and law enforcement access
Given that the UK GDPR will essentially replicate the actual GDPR, the main area of doubt and scrutiny for an adequacy decision is the UK's approach to data surveillance and investigatory powers. In particular, the bulk interception powers provided by the "world-leading" Investigatory Powers Act 2016 will be closely analysed by the Commission. Whilst businesses will wish for, and expect, an adequacy decision to be in place at the end of the transition period, it cannot be assumed to be a foregone conclusion.