Orla Lynskey (London School of Economics)
In June 2021, EU adequacy decisions paved the way for cross-border data flows between the UK and the EU following the end of transitional legal arrangements. When considering whether such adequacy assessments should have been granted, or whether they are likely to withstand judicial scrutiny, much of the analysis immediately gravitates to the issue of national security. This is understandable: we have clear findings from the CJEU that the UK’s processing of personal data for national security purposes is incompatible with the EU Charter. In light of these findings, the UK’s Investigatory Powers Tribunal has held that section 94 of the Telecommunications Act 1984 is incompatible with EU law. The Tribunal has yet to determine the consequences of this finding and, no doubt, this determination may have consequences for the existing adequacy assessments.
Beyond this sticking point, the UK’s publication of a consultation document entitled “Data: A New Direction” tests the waters further. From the European Commission’s perspective, national security aside, it would have been difficult to suggest that a legal framework rooted in the General Data Protection Regulation (GDPR) and overseen by a well-resourced data protection authority was inadequate for EU purposes. The UK Prime Minister noted as much when he asserted that an adequacy assessment should be “technical” and “confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit”. However, the publication of this new consultation brings to the fore two key questions from an adequacy perspective: first, how much leeway do non-EU states have in designing their data protection frameworks and, second, does this “new direction” bring the UK to the same destination?
Flexibility in Achieving Essential Equivalence
The objectives of adequacy – the destination – are determined by the jurisprudence of the CJEU. In Schrems, the CJEU held that adequate protection is “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” (para 73). However, this is an obligation in respect of an outcome, saying nothing about the means used to achieve this outcome save that this does not have to be “identical” to the EU approach.
The UK’s consultation document emphasises the margin for manoeuvre that this leaves to non-EU states by pointing to jurisdictions, such as Israel, that have been deemed adequate “while pursuing independent and varied approaches to data protection, reflecting their unique national circumstances, cultures and heritages” (para 15). In a pre-appointment hearing with the DCMS Parliamentary Committee, John Edwards, the incoming Information Commissioner in the UK, made a similar point by noting that New Zealand has an adequacy decision despite not having an identical law. Such an approach to data protection adequacy would seem to replicate that taken in Financial Services Regulation where Ferran has noted that the “focus on substantive outcomes in practice as well as on paper has gone some way to allay fears that blockages would be caused by undue attention to differences in line-by-line detail”. If this is the case, some eye-catching proposals in the consultation document, in particular the proposal to remove the prohibition on automated decision-making (Article 22 GDPR), might not jeopardise adequacy. Such a provision is absent in other international frameworks, such as the OECD Privacy Guidelines and the APEC Privacy Framework. How this proposal sits with the UK’s existing commitment to Council of Europe Convention 108 (as modernised), which contains a (pared back) equivalent to Article 22 GDPR, raises a bigger question.
It is notable that Convention 108 is referred to in only one section of the consultation document (dealing with data anonymisation). More fundamentally, the entire thrust of the consultation document is focused on unlocking “data potential” and devoid of references to fundamental rights protection. As the EU Charter – described by some as the heart of the GDPR – is no longer part of domestic law in the UK, the UK’s commitment to the ECHR remains key. Indeed, this is noted to be a “particularly important element of the assessment” in the UK’s adequacy decision. Assuming for argument’s sake that the UK does continue to adhere to the ECHR, and Convention 108 in particular, it is difficult to imagine that the CJEU would declare the level of substantive protection offered to individuals to be inadequate. Such a finding would do serious damage to the delicate relationships between the two courts.
The Politicisation of Data Protection Enforcement
Yet, in querying whether or not the new direction proposed by the UK will lead it to the same destination as the EU, a new fault line becomes apparent. The consultation document clearly envisages a weak and politicised regulator to oversee data protection. It proposes, for instance, that the Secretary of State for DCMS can determine the strategic priorities of the Information Commissioner’s Office (ICO) (paras 322; 345); that the ICO must consider the government’s wider international priorities when conducting its own international activities (para 349); and that the Secretary of State can conduct an independent review of the ICO’s performance (para 373). This is not the first indication that the UK may seek to use data protection to pursue a political agenda. For instance, the UK GDPR already gives the Secretary of State the power to determine or revoke adequacy, with no procedural role foreseen for the ICO in this process. However, the consultation document makes this potential (and desire) for a politicised framework more apparent.
The proposals stand in marked contrast to the requirement stemming from EU primary law (Article 8(3) EU Charter; Article 16(2) TFEU) that national data protection authorities act with “complete independence”. It follows from settled jurisprudence of the CJEU that this complete independence precludes any “external influence in whatever form, whether direct or indirect, which may have an effect on their decisions and which could call into question the performance by those authorities of their task”. More pertinently, the Court has held that the “mere risk that the State scrutinising authorities could exercise a political influence over [their] decisions is enough to hinder the latter in the independent performance of their tasks” (Commission v Hungary, para 53).
Of course it is worth emphasising that the consultation document is just that and its suggestions may never be adopted. Nevertheless, it does provide some important insights into the current government thinking about data protection law and policy. Many of the changes proposed are narrow and technical (moving recitals to the main body of the text, for instance), suggesting that the core of the GDPR remains solid and that there is a desire to maintain the status quo. Nevertheless, the challenges mounted to the independence of the regulator as well as the broader break from the fundamental rights dimension of data protection are significant. One is left, perhaps unsurprisingly, with the impression that the government hopes to remain sufficiently aligned for adequacy while sufficiently differentiated to achieve a competitive advantage over the EU.
Orla Lynskey is an Associate Professor at the LSE Law School and a Visiting Professor (invited) at the College of Europe, Bruges.
The views expressed in this blog reflect the position of the author and not necessarily that of the Brexit Institute Blog.