EU-UK data flows post-2020

Last week, @UKLawSociety hosted an extremely in-depth expert discussion on EU-UK Data Flows after 2020, featuring @DCMS, @MoJGovUK and @buchtan. Here’s my summary, also featuring some great questions and comments from other participants (all of which are public on YouTube.)

Some good questions/comments. Andrew Brenton: “What about the uncertainty of Standard Contractual Clauses caused by the Schrems II judgement? Would this not mean that SCCs are not adequate due to UK surveillance laws?”

Declan Brady: “Likely biggest threat to adequacy of SCCs is Downing Street’s approach in the internal market bill – i.e. trustworthiness.”

Sarah Newman: “There have been some publicised statements from the Government over the last few days which suggest that the UK may change its data protection laws after Brexit. Would that affect adequacy decision?”

@buchtan thinks there are “reasons to be optimistic” about #adequacy, since the UK’s legal framework is almost identical to the EU’s. Complexity comes from the the application in practice. The #GDPR areas of manoeuvre for the state are assessed differently.

For a long-term #adequacy finding, it’s unclear how to cater for the UK’s desire for future divergence. And, we all know there is an extensive surveillance capacity in the UK, with legal challenges including Privacy International at the @EUCourtPress (next Tuesday!)

Time is rapidly running out for an adequacy finding, so firms should look at putting in place backups, such as standard contractual clauses #SCC (which of course have #SchremsII issues as well.)

Declan Brady: “Let’s ask the nuclear question — what happens if, by midnight Dec 31, there has been no agreement, no adequacy? What should people be doing now, to prepare for that potential eventuality?”

@DCMS: UK will have left the EU post-transition period and be responsible for its own laws. We envisage DP laws changing over time, as the EU’s will, as tech and business practices change. But we are absolutely committed to keeping incredibly high DP standards. Re: #SchremsII, UK operates slightly differently to the US.

Brenton: RIPA/IPA and Official Secrets Act will mean no adequacy outside a trade agreement. Another comment: “Is redress vis a vis govt surveillance stronger in the UK? It’s effectively nonexistent in the US.”

Declan Brady: “I think UK rule of law is ok — the worry will be around oversight, and whether what’s permitted strays from EU expectations. There’s also the question of protection for onward transfers.”

@buchtan: #SchremsI and #SchremsII have certainly put the issue of government access to data right to the centre of discussions about adequacy frameworks. There is no way around these issues. The scrutiny expected from the EC of these aspects will be high. 

For third countries, the @EUCourtPress does not hesitate to apply the Charter of Fundamental Rights and Treaties to these questions. These discussions will be complicated and difficult. The Privacy International judgment on Tuesday will give indication of how far the national security scope exemption can be claimed, and compliance of bulk collection with the CFR and European law. These will be extremely important indications that will set the tone for some of these discussions further down the line, for #adequacy and beyond.

Andrew Cooke: the carve-outs in the #DPA2018 for immigration records and data subject access are already way out of line with what EU regards as adequate under existing adequacy grants. If I was to want to find a client to do a Schrems3 it would be as an EU citizen in UK trying to get a DSAR on their refusal for settled status.

@buchtan: ECHR and judicial control in the UK is not comparable to the US, so let’s not go too far with the comparisons. But there will be implications of #SchremsII for how we look at #SCCs more broadly, and there has been a lot of noise/commentary going all over the place. View of @EU_EDPB members is still #SCCs can be used for transfer of data to jurisdictions with unacceptable govt access to data, if there are acceptable supplementary guarantees. (IB: I cannot see this can POSSIBLY work.)

Sarah Newman: Whilst a member of the EU the EU courts expressed disquiet with our surveillance rights but we “got away with it” because we were member. I cannot see that we get adequacy with these. Why would we? The EU might have seen a benefit to agreeing a UK Privacy Shield. But the way Brexit negotiations have gone with UK, I see no reason at all why they would give us an easy time on adequacy.

Andrew Brenton: UK intends withdrawing from ECHR…

Info At Knowligence: I’ve looked into the technical controls, and beyond a general suggestion of anonymization / encryption, the guidance is woefully lacking. No real discussion of privacy-preserving tech, for example. << IB: Yes indeed. One German state DPA has explained this. Much more at…

Sarah Newman: I honestly think we have to assume that we will not get adequacy by the end of the year. If it will not be in any trade agreement, I cannot see any way we will get it in 2020.

@buchtan: @EUCouncil has made Law Enforcement Directive #adequacy a top priority for the negotiations, while the Commission has promised both adequacy findings by the end of the transition period — but even these will not solve everything. Both sides want LED adequacy to happen. The DPAs are very much aware of the predicament businesses may find themselves in during the coming months, but sound guidance agreed at the EU+EEA level takes time. Please be assured the regulators realise the difficulty of the situation

@MoJGovUK: the Political Declaration states adequacy is important, and both sides want it. (IB: UK govt doesn’t normally pay much attention to the PD, and is even busy breaking the Withdrawal Agreement!)

@DCMS: we are very hopeful for an #adequacy decision, but businesses also need to prepare for the worst, and should map all their data flows

The final comment goes to @rinseandspin: “Thanks for tweeting it Ian. You only missed the awkward silences and the sense of despair from practitioners.”