Some items on our site have recently moved. Visit our News Hub for selected articles, special reports, podcasts and other resources.
EU court ruling further dents UK's hopes of Brexit data-adequacy decision
09 October 2020 21:17 by Jakub Krupa
The UK already had a high wall to climb for it to win an adequacy decision that will let it continue data flows to the EU after Brexit. More bricks have been added this week, after the UK was singled out for criticism by the bloc's top court in a ruling on governments' mass collection of data.
As the end of the transition period closes in and domestic political pressure abounds, changing measures to respond to that EU ruling, and clear the way for data flows, may be tricky for Boris Johnson's government.
On Tuesday, the EU Court of Justice ruled that provisions in the UK's surveillance laws for "general and indiscriminate" bulk collection of data "exceed the limits of what is strictly necessary and cannot be considered to be justified within a democratic society," even where it is faced with a "serious threat to national security."
The verdict, resembling the criticism levied against the US in the recent landmark EU ruling that struck down its Privacy Shield data-transfer agreement, is likely to further complicate the adequacy talks as the UK scrambles to secure the all-important decision by the end of the year.
— UK response —
The easiest way to address the court’s concerns would be for the UK to amend the 2016 legislation that encodes its surveillance powers, the Investigatory Powers Act, or IPA, many lawyers believe.
But doing so quickly could prove politically tricky, amid end-game negotiations over a future trade deal. There has been accusations that the EU is trying to interfere just as the UK is about to "take back control."
There are also serious doubts about the legislative bandwidth, given the UK government's intensified preparations for a possible no-deal Brexit and a continuing slew of lawmaking to address the coronavirus pandemic.
The UK government is expected to argue that the surveillance regime probed in the original case from 2015 and investigated by the EU Court of Justice has now been superseded by the IpA, which introduced additional safeguards, including oversight by an independent judicial commissioner.
But the EU court's judgment appears to go further, asking the UK to set stricter limits on the permissible scope of actions to avoid "general and indiscriminate" retention and collection of data.
The UK government has downplayed the ruling, arguing that it doesn’t have a “direct impact” on the work of the security and intelligence agencies. In practical terms, the ruling will now be sent to the UK's Investigatory Powers Tribunal to find a way to implement it at a national level.
— Impact on adequacy talks —
As the UK is unlikely to be able to radically overhaul its surveillance laws in good time to satisfy the demands of EU negotiators, this shifts the focus of talks on data adequacy to broader issues of trust and the UK's declared intention of complying with the bloc's privacy rules in the future.
Without the adequacy decision, companies would have to find another legal basis to transfer data between the UK and the EU, risking extra cost and legal uncertainty. The two-way flow of data helped drive economic activity worth about 42 billion pounds ($54 billion) in 2018, UK government figures indicate.
The UK's lead Brexit negotiator, David Frost, insisted this week that Britain should be entitled to an adequacy decision, as it will be operating under the same rules as the EU at the end of the transition period on Dec. 31. "There's no reason at all why we should be considered inadequate," he said (see more).
The EU side has long been anxious, however, about the prospect of future UK divergence from the bloc's General Data Protection Regulation. Ministers have suggested that they would want to rewrite the privacy rules under the working name of "UK GDPR." Despite numerous requests, the government has so far refused to publish a detailed outline of proposed changes.
The challenge for the UK will be to strike the right balance between the promised relaxation of the privacy rules and maintaining its ability to operate as a European and international partner.
EU judges have struck down first Safe Harbor and now Privacy Shield due to concerns over US surveillance laws. The bloc's executive arm is even more likely to be scrupulous about not granting adequacy unless there is a legally watertight case for it, as it will want to avoid another embarrassing legal defeat.
A German member of the European Parliament, Patrick Breyer, told MLex that the European Commission has "put its head in the sand" about the UK's mass surveillance regime. Citing the US-EU data-transfer mechanisms, he put the commission on notice, warning that pushing through an adequacy decision would "risk invalidating it" when challenged by privacy advocates.
— Road ahead —
Despite upbeat comments in public, the UK government seems fully aware of the bumpy road ahead.
Last week, a senior British official urged EU companies sending data to the UK to "act now" to ensure they have alternative legal transfer mechanisms in place in case the UK fails to secure an adequacy decision (see more).
The UK hopes that the negotiating teams will keep an eye on the more comprehensive political discussions and will be keen to use a breakthrough in trade negotiations to justify coming to an agreement on data adequacy. "Ultimately, it's not a legal decision, but a political one. If there's a will, they will be able to find a way through stumbling blocks," one lawyer told MLex.
But with just six days until the UK's self-imposed deadline of Oct. 15 to decide whether a deal is feasible, such an approach has evident risks. At the very least, adequacy talks — once taken by the UK government for granted — look set to go down to the wire.
Additional reporting by Matthew Newman in Brussels.
26 May 2023 14:59 by Sam ClarkWhen the EU’s General Data Protection Regulation came into force five years ago, some said it would usher in a new era of EU supremacy over Silicon Valley's tech giants, reining in their rampant data-driven power.
24 May 2023 15:39 by Mike SwiftSince the General Data Protection Regulation took effect five years ago this week, more than 40 countries have enacted national privacy laws, most of which drew liberally from the canonical text of the EU law.
23 May 2023 23:47 by Mike SwiftThe count of countries with data protection laws more than doubled to 162 over the past dozen years, a total that includes a wide majority of the world’s nations, with new research suggesting data protection rules are approaching ubiquity.