The metaphor of the ticking clock resonates with the state of EU-U.K. Brexit negotiations. First used in 2017 by Michel Barnier, the European Commission's chief Brexit negotiator, to describe the lack of progress being made, the ticking clock has come to symbolize the urgent need for both sides to agree on a range of matters to maintain economic and political certainty in the post-Brexit era. This is as true for data protection as it is for other issues that have dogged negotiations, including fishing rights, state aid and Irish customs arrangements.
As European privacy pros will recall, the U.K. government is seeking a European Commission data adequacy decision to maintain the free flow of personal data from the EU to the U.K. following the end of the Brexit transition period. A key deadline, Dec. 31, 2020, is just two-and-a-half months away. That is when the transition period, which has maintained a status quo position on data flows, comes to an end.
When the U.K. left the EU Jan. 31, the European Commission and U.K. government began formal negotiations to seek a decision on data adequacy. Though the two sides have met regularly, no agreement has been forthcoming to date. This is perhaps not surprising given the compressed time period available to hold talks but given that we are now in mid-October, the clock is ticking uncomfortably close to midnight.
The adequacy approval process is set out in Article 45 of the EU General Data Protection Regulation. When assessing the level of adequacy provided by an applicant third country (as the U.K. has now become), the European Commission must consider a range of factors, including rule of law, respect for human rights and freedoms, relevant legislation, such as regulations for the onward transfer of personal data to another third country, and judicial redress for data subjects whose personal data are being transferred. The European Commission must also assess whether the U.K. has an effective and functioning independent supervisory authority in place that is responsible for ensuring and enforcing compliance with data protection rules.
Any adequacy decision must be first be agreed upon by the Article 93 Committee, which is chaired by the European Commission and comprises representatives from EU member states, before being referred to the College of Commissioners for final approval. We expect both the commission and the member states to focus on the opinion of the European Data Protection Board and the views of the European Parliament when considering the draft adequacy decision.
To date, the EDPB has not published its opinion on the draft decision, though previous reports have been lengthy and detailed. For example, the EDPB's opinion on Japan's draft adequacy decision was 41 pages long. These are not insignificant deliberations. In the meantime, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs has discussed U.K. adequacy and asked the commission to present the state of play at a meeting Sept. 22. However, the meeting was held in private so any ensuing insight is unknown.
Given that the state of negotiations is somewhat opaque, data controllers in the EU are becoming increasingly anxious about the status of cross-border data transfers to the U.K. as the end of the transition period approaches. Will an adequacy decision be granted before the year-end or will measures such as standard contractual clauses need to be implemented to maintain existing EU-U.K. data flows? In light of the recent "Schrems II" judgment from the Court of Justice of the European Union, will data controllers need to make their own assessments of U.K. adequacy in lieu of any decision from the European Commission? This may seem like an almost surreal position for controllers to be in, but the U.K. government has argued it has a comprehensive framework in place that underpins high data protection standards.
In its explanatory framework for adequacy discussions published March 13, the U.K. government provided documents to justify its claim that "The U.K. has a world class data protection regime," noting, "Protecting personal data is and will continue to be a priority for the U.K." The government argued that, through its implementation of the GDPR, robust principles are in place to protect personal data and that there are clear onward transfer rules to ensure personal data continues to receive an adequate level of protection when it leaves the U.K. Additionally, it said, "the U.K.'s data protection authority, the Information Commissioner's Office, has a strong track record as an independent regulator capable of handling complex cases and imposing tough sanctions where necessary."
As for the impact of the recent judgment by the CJEU in the joined cases of Privacy International, La Quadrature du Net, French Data Network and others, John Whittingdale, the government minister responsible for data protection, responded to a U.K. Parliamentary question Oct. 19, saying, "The ruling relates to a previous power (in the Telecommunications Act 1984) that has since been replaced by provisions in the Investigatory Powers Act 2016." Whittingdale added the ruling will now be referred back to the U.K. courts, the Investigatory Powers Tribunal, for them to consider its effect on the U.K.’s current bulk communications data regime.
Key questions remain.
Will the U.K. be granted an adequacy decision before year-end? Although the clock is ticking, there may be just enough time to conclude the decision. Despite recent obstacles, the EU-U.K. free trade agreement negotiations have resumed with an aim to reach a deal by mid-November. FTA success may pressure the European Commission and member states to agree on an adequacy decision within the next few weeks. Any residual concerns raised by EDPB or European Parliament could perhaps be addressed through a robust monitoring and review regime once the decision comes into force. Failing to grant U.K. adequacy may also call into question all other adequacy decisions made to date; so, all of these factors will need to be taken into account.
In the meantime, data controllers in the EU should continue to monitor the situation closely and plan for all contingencies.
In a year that included a pandemic and the landmark "Schrems II" decision, this is perhaps one additional thing that privacy pros would prefer to ignore. However, the reality is that by Jan. 1, 2021, the transition period will have ended, and we will know then if the objective to determine U.K. adequacy has been met on time. All privacy pros in Europe should, therefore, keep a close eye on developments ahead of the clock striking midnight on New Year's Eve.