Talks have yet to even commence on a future data-sharing relationship, and a landmark European Court of Human Rights ruling in September bodes poorly for the UK's future status under the EU’s General Data Protection Regulation.
What sequence of events is likely?
Prior to the developments of the past few weeks, one might have expected the following sequence of events:
Brexit takes place in some form other than EEA membership (unfortunately):
The Commission grants an Adequacy Decision permitting EU27 personal data to be shared with parties in the EU).
An appeal similar to the Schrems case is filed and works its way up to the ECJ.
The ECJ rules as they did in Schrems, thus invalidating the Adequacy Decision, but probably allowing the UK and the EU27 time to put other arrangements in place.
There would then be the risk that data transfers would be blocked until and unless an agreement analogous to Privacy Shield were negotiated between the UK and the EU27. The agreement would ideally be better structured than Privacy Shield, which has not yet been shown to be effective.
In light of the September 13th finding of the ECHR, one has to wonder whether it will still be possible for the Commission to issue the Adequacy Decision that appears in the second bullet. Recall that the ECHR found the UK guilty of abuse of human rights in September due to its overbearing surveillance. Under these circumstances, the Commission may not be able to grant the Adequacy Decision; having granted it, there is no assurance that it would be sustained.
As previously mentioned, in granting an Adequacy Decision the Commission is obliged under Article 45 of GDPR to take into account “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country”.
Given that ECHR has already ruled that the UK’s surveillance services are in violation of Articles 8 and 10 of the European Convention on Human Rights, can the Commission grant the Adequacy Decision in the absence of concrete commitments from the UK security establishment?
The Adequacy Decision entails a complex procedure consisting of (1) a proposal from the European Commission, (2) an opinion of the of the European Data Protection Board, (3) an approval from representatives of EU countries, and (4) the adoption of the decision by the European commissioners. This presumably cannot take place overnight.
Even after the Adequacy Decision is in place, it might or might not be sustainable. The European Parliament and the Council could at any time request that the European Commission amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation. In the absence of concrete commitments from the UK security establishment, the Parliament would likely have concerns over an Adequacy Decision.
Aside from that, a case similar to the Schrems case should be expected. In the absence of changes on the part of the UK security establishment, a similar ECJ outcome should be expected.
This seems to be headed for a rather bad place. In the unlikely event that the UK were to become an EEA member (or were it not to exit at all), all of this could be avoided. In all other scenarios, and especially in the “crashing out” scenario, problems with data transfers appear highly likely.
This is in nobody’s interest. It would harm both the UK and the EU27 economies.
These problems are not amenable to a quick fix through legislative or administrative measures. Most probably needed are some actual accommodations in the manner in which the UK conducts surveillance for purposes of national security.
The ECHR did not argue that surveillance is prohibited per se; what they argued, rather, is that it must be subject to a range of procedures and protections, as established in the case law. Notably, the ECHR “was satisfied that the intelligence services of the United Kingdom take their Convention obligations seriously and are not abusing their powers, [but] it found that there was inadequate independent oversight of the selection and search processes involved in the operation, in particular when it came to selecting the Internet bearers for interception and choosing the selectors and search criteria used to filter and select intercepted communications for examination. Furthermore, there were no real safeguards applicable to the selection of related communications data for examination, even though this data could reveal a great deal about a person’s habits and contacts.”
If the UK is to avoid economically harmful limitations to its ability to transfer personal data to the EU27, UK security services should be working now to consider undertakings that the UK would be willing to offer in order to address the concerns that the ECHR has already raised. [...]
Hover over the blue highlighted
text to view the acronym meaning
over these icons for more information
No Comments for this Article