Post-Brexit data transfers are not a done deal by Sam Lowe and Camino Mortera-Martinez
Data transfers are essential for both trade and security co-operation. The EU and the UK should not let minor differences obscure the fact that they have more in common than divides them. The freedom to move data between the EU and the UK is as important to some businesses as the freedom to move goods, services and people. And for European and British security services, the ability to share and access data about criminals is an essential component of keeping people safe. The European Commission's decision to propose two adequacy decisions for the transfer of personal data to the UK, under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), therefore came as a relief to both EU governments and the UK. But this is just the beginning of a long, bumpy road. The Commission’s adequacy decisions are not final: the European Data Protection Board (EDPB, an EU privacy oversight body) must issue an opinion and a committee of representatives from the 27 member-states must green-light the decisions. While the EDPB’s opinion is not binding, it will indicate whether there are any grounds for concern amongst national data protection authorities. And if the adequacy decisions are adopted, the European Parliament and the Council of Ministers can ask the Commission to withdraw them at any time, if there are concerns about the way the UK is applying privacy rules. MEPs are already suspicious that Britain plans to undercut the EU on data protection in the future, and the threat of legal challenges looms large.
In 2013, Austrian lawyer Max Schrems complained to the Irish data protection authority about Facebook’s transfers of European citizens’ data to its Californian headquarters, under the EU-US Safe Harbour agreement. Schrems argued that the EU could not guarantee that its citizens’ privacy would be respected when their data was transferred to the US, because surveillance laws there required private companies to hand data to the government. The case ended up before the European Court of Justice (ECJ), which eventually struck down the Safe Harbour agreement in 2015. In 2016 the EU replaced Safe Harbour with a data adequacy decision, known as the Privacy Shield. This too was felled by the ECJ in July 2020, after another case instigated by Schrems. Now transatlantic personal data transfers can only happen if the data subject consents or if transfers are needed for the fulfilment of a contract. Commission officials are well aware that the UK adequacy decisions could face similar legal challenges and have set out in detail how the decisions will deal with some of the issues raised by the Schrems saga. For example, they will be reviewed every four years, to ensure compliance. But a review clause does not guarantee the UK adequacy decisions will continue; the Privacy Shield had to be re-examined every year and that did not stop it from being annulled by the ECJ.