Brexit Institute News

Cross-Border Data Protection After Brexit

Edoardo Celeste (DCU)

From a data protection perspective, Brexit manifestly represents a step backwards for the UK. The UK is leaving a space where personal data has freely circulated since 1995, where companies are subject to uniform rules and where national data protection authorities cooperate in a coordinated manner.

Brexit has increased the level of complexity of data protection law by inducing the introduction of two parallel sets of legislation potentially applying to the same actors: the UK and the EU GDPR. By virtue of the extraterritorial application of these two pieces of legislation, companies established in one jurisdiction but offering goods and services, or monitoring the behaviour of data subjects, in the other, are required to comply with both laws.

The era of unhindered personal data flows across the Channel has definitively ended. The EU-UK Trade and Cooperation Agreement (TCA) signed on 24th December 2020 clarifies that the UK will not enjoy any special status as a former member state, but will conversely be considered a third country. The UK has lost direct and real-time access to important databanks fed by European law enforcement agencies, and will have to rely on the standard mechanisms of transfers provided by the GDPR for the exchange of data in the commercial sector.

Paradoxically, Brexit does not achieve its long-awaited objective of freeing UK data protection law from the bridles of EU law. In the TCA, the parties reiterate multiple times their independence, especially from a regulatory point of view. Yet, the UK legal framework is inexorably put in a position of dependence. The TCA introduced a six-month interim period, during which the UK is not considered to be a third country and data can continue to be freely transferred across the Channel. Within this time-frame, the European Commission has committed to adopting an adequacy decision. During this extra transitional period, however, the UK cannot significantly amend its legal regime, unless in agreement with the EU.

Even once the adequacy decision is adopted, UK data protection law will be subject to regular monitoring in order to assess the persistence of safeguards offering an adequate level of protection for EU personal data. In light of the recent case law of the CJEU in the two Schrems cases, such supervision will be continuous, and will not spare UK national security law. Indeed, in Schrems I the CJEU affirmed that the EU Commission, when assessing the level of protection offered by a third country, shall have regard not only to the data protection framework stricto sensu, but also to the broader set of provisions affecting EU personal data transferred.

The general EU-UK data transfer regime relying on the adequacy decision is anticipated to be precarious and unstable. Companies are advised to put in place alternative transfer mechanisms. The European Parliament, in a resolution adopted on 12 February 2020, has already flagged to the EU Commission the three main issues with a potential adequacy decision. Firstly, there is a broad immigration exemption in UK data protection law that can be interpreted broadly and thus lead to the disapplication of a significant portion of the UK GDPR in relation to non-UK citizens. Secondly, the EU Parliament cast doubt on the compatibility of the UK data retention regime with the EU acquis. Recent decisions from the CJEU in the cases Tele2 Sverige and Watson (2016) and Privacy International (2020) reiterated that a system of general and indiscriminate data retention, such as the one in place in the UK, violates EU fundamental rights. Thirdly, the EU Parliament highlighted the related issue of mass surveillance, explicitly inviting the Commission to take into account the recent CJEU case law concerning US adequacy decisions.

Indeed, in the Schrems I and II cases the CJEU invalidated the Commission’s decisions declaring the adequacy of the Safe Harbor and Privacy Shield regimes, which allowed for the transfer of personal data from the EU to the US. The reason that prompted these cases, and was decisive for their outcome, was the extent of power vested in US national intelligence authorities and their potential misuse of EU personal data. This consideration might easily be called into question in relation to the UK, in light of its participation in the Five Eyes, the intelligence sharing partnership which also includes the US, Canada, Australia and New Zealand.

In conclusion, the UK adequacy decision is subject to a time bomb. Over the past few years, the case law of the CJEU has become more solid and clear in relation to the incompatibility of various practices adopted by national security authorities involving personal data. This makes the general EU-UK data transfer mechanism based on the adequacy decision unstable and unreliable. If, once again, the EU Commission finds a way to reach a compromise between commercial interests and fundamental rights, it is only a question of time before the CJEU intervenes. And in this way, paradoxically, Brexit will enhance the level of external pressure on UK national security law, a sector that, when the UK was an EU member state, was considered as falling outside the scope of EU law and within the sovereign competences of the UK.

Edoardo Celeste is Assistant Professor of Law, Technology and Innovation at the School of Law & Government of Dublin City University. He is one of the founders of the Cross-Border Data Protection Network (crossdpn.org).

For a more detailed analysis, see Celeste, Edoardo, Cross-Border Data Protection After Brexit (February 12, 2021). Brexit Institute Working Paper Series, No 4/2021. Available at SSRN: https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=2360654