The future of data flows between the European Union and United Kingdom took a step forward Friday with the release of two draft adequacy decisions from the European Commission. If approved, the highly anticipated proposals would allow for data to continue to flow between commercial and law enforcement sectors. However, there are strings attached.
The drafts now go to the European Data Protection Board — the EU's collection of data protection authorities — for a non-binding opinion before Member State representatives assess the agreements in its "comitology procedure." If the Member States "green light" the proposals, the Commission could then "proceed to adopt the two adequacy decisions."
It is notable that the Commission released two draft adequacy decisions: one under the EU General Data Protection Regulation for the commercial space, and another under the Law Enforcement Directive, the latter of which is a first, according to the Commission news release.
"The U.K. has left the EU, but not the European privacy family," said Věra Jourová, European Commission vice-president for Values and Transparency. "At the same time, we should ensure that our decision will stand the test of time. This is why we included clear and strict mechanisms in terms of both monitoring and review, suspension or withdrawal of such decisions, to address any problematic development in the U.K. system after the adequacy would be granted."
EU Commissioner for Justice Didier Reynders added that the "flow of secure data between the EU and the U.K. is crucial to maintain close trade ties and cooperate effectively in the fight against crime."
If approved, the framework would be valid for up to four years, with the possibility of renewal "if the level of protection in the U.K. would continue to be adequate." According to a press briefing Friday, a "senior EU official" noted that the four-year provision would allow the European Commission "to react in cases of 'problematic divergence' from EU data rules, 'to terminate or suspend the decision, or to not renew the decision in four years' time.'"
Unsurprisingly, the U.K. government applauded the draft decisions but is urging the EU to swiftly move through the approval process before the "bridging mechanism" expires June 30. Under the current bridging mechanism, data can continue to flow between both regions.
U.K. Secretary of State for Digital, Culture, Media and Sport Oliver Dowden said, "Although the EU’s progress in this area has been slower than we would have wished, I am glad we have now reached this significant milestone following months of constructive talks in which we have set out our robust data protection framework." He added, "I now urge the EU to fulfill their commitment to complete the technical approval process promptly, so businesses and organisations on both sides can seize the clear benefits."
U.K. Information Commissioner Elizabeth Denham said the drafts "are an important milestone" and the "announcement gets us a step closer to having a clear picture for organisations processing personal data from the EU, and I welcome the progress that has been made."
More certainty is what businesses have been seeking since Brexit. Rafi Azim-Khan, the head of data privacy at Pillsbury law, said the drafts were a "sigh of relief" and though the "draft still needs to be formally approved, and there is still the possibility that in four years' time the EU changes its mind, but for the time being at least, businesses can take some comfort."
Promontory's John Bowman, CIPP/E, CIPM, FIP, who formerly worked at the U.K. Ministry of Justice as the government's lead negotiator on the EU General Data Protection Regulation, told the IAPP that the "draft implementing decisions contain a substantial amount of detail about the way the data protection framework operates in the UK, including how data processing principles apply and data subject rights are safeguarded."
"One controversial topic which is addressed by the European Commission in the draft pursuant to the GDPR is the restriction of data subject rights in the context of immigration under U.K. law," Bowman said. "A detailed assessment of this issue is provided in the recitals, but this will be an area that the European Data Protection Board may focus on in its own assessment of the decision."
Bowman also highlighted two other areas on which the EDPB may focus: "The text examines the limitations and safeguards of the Investigatory Powers Act 2016, which provides the framework for collecting information for national security purposes. It also assesses the application of the enforcement regime by the Information Commissioner’s Office. These are areas which the EDPB would be expected to focus on when preparing its own opinion on the decisions."
The release of the proposals is a positive move forward for businesses that would be affected by stymied data flows between the EU and U.K., but an approved adequacy decision could face legal hurdles.
According to a recent media report, two sources "speaking on condition of anonymity," said "they were looking to raise funds for a potential legal challenge."
Separately, in a tweet Friday, Max Schrems, whose legal challenges led to the invalidation of the EU-U.S. Safe Harbor and Privacy Shield agreements, wrote, "As many asked about it: We will take a look at the UK adequacy decision once it is out. There seems to be little doubt about adequacy of the commercial data use. At the same time there are obviously issues on UK government surveillance on EU data, which requires deeper analysis."
As many asked about it: We will take a look at the UK adequacy decision once it is out. There seems to be little doubt about adequacy of the commercial data use. At the same time there are obviously issues on UK government surveillance on EU data, which requires deeper analysis.
— Max Schrems ???? (@maxschrems) February 19, 2021
The certainty of a long-standing agreement faces a rocky future. EU Parliament Member Sophie in 't Veld criticized the draft for putting politics above legal criteria, noting the decision "may well end up in the bin, next to the Data Retention Directive, Safe Harbor, Privacy Shield, PNR."
Typical @EU_Commission approach: political considerations prevail over legal criteria. This Adequacy Decision may well end up in the bin, next to the Data Retention Directive, Safe Harbor, Privacy Shield, PNR. https://t.co/AZAYsZCCvf
— Sophie in 't Veld (@SophieintVeld) February 19, 2021
Similar to the U.S., the U.K.'s surveillance laws are under the microscope by the EU and privacy advocates. And to complicate matters, the U.K. is part of the Five Eyes nations and has signed what some would deem controversial agreements with the U.S., including the Clarifying Lawful Overseas Use of Data Act.
Criticism of the draft proposals is already underway. No doubt, the draft decisions "will come under intense scrutiny," Bowman said. "Once the texts have been fully read and digested, they will be intensely debated by advocates representing a wide variety of views about the adequacy, or otherwise, of these decisions."
But first, the privacy profession will await the EDPB's opinion in the coming weeks and months. In the meantime, the IAPP plans to release an analysis of the draft decisions soon.
Photo by alevision.co on Unsplash