Don't count on UK data adequacy; legal challenges appear inevitable
19 Feb 2021 5:20 pm by Jakub Krupa
While UK businesses will raise a cheer at the EU's data adequacy proposal today, their joy may prove premature.
With a legal challenge over the process almost inevitably looming at the EU's top court, companies might be better off taking a more cautious approach and using what could be borrowed time to press ahead with contingency measures.
The European Commission's proposal today to adopt two positive adequacy decisions on the UK's data-protection framework seems to vindicate those experts who argued that the process is essentially political and reliant on the outcome of broader trade and cooperation negotiations.
The eleventh-hour EU-UK trade deal struck in December established an unprecedented six-month interim solution, accompanied by a declaration of intent that the commission would look into issuing a favorable adequacy decision. The UK, for its part, unilaterally declared the EU as having adequate rules last year.
It's not surprising that both sides were determined to maintain the continued free flow of data after Brexit: Data flows from the EU to the UK are crucial for high-value industries such as technology, banking, insurance and other financial services.
The UK government applied further pressure on the EU by stressing that its rules remain literally the same as they were on the withdrawal date and thus fully in line with the General Data Protection Regulation, so a refusal to recognize them as "essentially equivalent" would be politically indefensible.
Accordingly, London's reaction to the announcement today was assertive: it said merely that this was the "logical" conclusion of the process and criticized the EU for not reaching it sooner.
But while the politics and economics of Brexit may have influenced the process so far, it will now face intense scrutiny from critics on both sides of the English Channel who are likely to take their grievances to court.
Several EU lawmakers and privacy campaigners expressed their concerns about the UK's data protection framework, focusing primarily on the country's surveillance regime, which just last year was criticized by the EU Court of Justice. Indeed, over 50 pages of the 88-page-long draft decision are about this issue.
Further doubts have also been expressed about the immigration exemption in the UK's data protection legislation that would apply to more than four million EU nationals resident in the UK and the UK privacy regulator's practical enforcement effectiveness.
Indeed, UK lawmakers were told last year that it was "very likely, if not certain" that a legal challenge would be mounted as soon as the decisions get formally adopted.
While Max Schrems, the Austrian privacy campaigner who successfully led two complaints against EU-US data transfer mechanisms on similar grounds, said last year that he wasn't interested in this case, that may change, or others will undoubtedly be keen to follow in his footsteps in defense of the EU's uncompromising privacy rules.
As a result, the commission has found itself in an unenviable position: When considering the UK's data protection regime, it had to choose between adopting the adequacy decision and risking a legal challenge, or accepting the criticisms and leaving UK companies to wrangle with significant disruption in data flows and potentially billions of pounds in compliance costs.
Unsurprisingly, it appears to have chosen the former, more pragmatic approach.
Indeed, Peter Wright, managing director at Digital Law UK and chairman of the Law Society of England and Wales's GDPR working group, told MLex that not granting the UK adequacy could have undermined the EU's entire adequacy regime.
"If you don't make an adequacy decision in favor of the UK, which root-and-branch has been following the EU law since the introduction, then who should get it?" he asked. "While there is this tension about security regime and investigatory powers, these are questions you are going to face when dealing with any other modern country or society."
Any criticism levied against the UK's surveillance regime would also likely spark a debate about double standards within the EU, given that the bloc's top court censured the UK along with France and Belgium.
But Catherine Barnard, EU law professor at the University of Cambridge, warned earlier this week that this should not be seen as a cover for the UK. "We are no longer a member state, but direct competition," she said in response to an MLex question. "The welcoming arm that the EU applies to its own member states is no longer extended to the UK."
In recent months, the British government has been at pains to stress that the controversial surveillance legislation has been amended since the campaigning group Privacy International brought its case against it and now offers more robust judicial safeguards.
In the draft EU decisions, the commission appeared to side with London on this, saying that it was satisfied that "any interference with the fundamental rights of the individuals whose personal data are transferred from the EU to the UK by UK public authorities for public interest purposes ... will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists."
But this assertion is likely to be further tested in courts amid suggestions that the UK law may be seen as allowing for bulk data collection on a "generalized basis," something expressly found, in the first Schrems ruling, to violate EU rules.
Given this backdrop of a likely legal challenge, Wright advised against UK businesses developing "complacency" on data transfers after today's announcement.
Assuming the adequacy decisions are confirmed, any ensuing stability, however long it lasts, should be used to put alternative arrangements in place, such as standard contractual clauses or binding corporate rules, he told MLex.
"Adequacy is great when you have it, but it is likely to be subject to a legal challenge ... If you are in the compliance function in a large multinational company, moving a lot of data internationally, I would want to know that we can function perfectly adequately and without the risk of being compromised by a future decision of the EU court which would threaten the operation of our organization," he said.
This process may be further complicated because the commission is currently working on a new template for standard contractual clauses, to amend them after the decision of EU judges last year to strike down the EU-US Privacy Shield agreement.
MLex understands that the revised version is now expected to be published in March or April as the commission has to first go through more than 150 responses to a call for feedback.
"But it is easier to get these complex and difficult compliance tasks — that could take many months — done in the window we have now, than risk doing it against the clock and in a rush," he said. "This would be pretty close to the top of the to-do list for any compliance team in 2021."