UK adequacy, international transfers, and human rights compliance

I’ve previously noted that in several discussions of UK GDPR adequacy, mention was made of the fact that the UK is a party to the European Convention on Human Rights and that the Convention and — crucially — the case-law of the ECtHR can be and must be applied by the UK courts. Mention was also made of the Big Brother Watch judgment that is still pending before the Grand Chamber. This judgment (referenced in the second part of our submission to the EU institutions assessing UK adequacy) related inter alia to the question of the sharing of data intercepted by the UK intelligence agencies with their US counterparts.

The Strasbourg Court only looked at one aspect of that data sharing, i.e., at the regime under which the UK agencies could ask the US agencies for specific data. It held that it was not established that the UK legal regime relating to that specific issue could be used or was used to by-pass restrictions on the collection of data under UK law. It should be emphasised that in fact intercepted data — and especially the data extracted from the undersea cables at Bude in Cornwall, UK — are much much more broadly shared between the UK and US agencies than the Strasbourg Court seems to have realised. It never looked at the fact that the Bude GCHQ/NSA surveillance and bulk interception is in fact effectively a joint UK-USA operation (as explained in some detail in Part Two of our submission). The issue addressed by the Strasbourg Court in BBW was a red herring.

My second point is not unrelated. It concerns the question of when “appropriate safeguards” such as standard contract clauses (SCCs) must be used in relation to transfers of personal data from the EU/EEA to a third country that has not been held to provide “adequate”/”essentially equivalent” protection to that accorded by the GDPR, and when indeed “supplementary measures” may have to be adopted to protect data against undue access by the authorities in the third country (I am using “undue access” as shorthand for access that is not based on law or “necessary” and “proportionate” or subject to appropriate, effective remedies that can be accessed by the data subjects — in short: access based on rules that do not meet the EDPB’s recently issued “European Essential Guarantees for surveillance”).

Under the EU GDPR, appropriate safeguards and supplementary measures must be adopted if there is a risk of undue access in a third country to which data are transferred (or in yet another third country to which the data may be onwardly transferred). However, I recently noticed that the UK supervisory authority, the ICO, appears to take a more relaxed view of the issue than the EU one. In its guidance on “International transfers after the UK exit from the EU Implementation Period”, the ICO refers to transfers that may only take place subject to the adoption of the relevant SCC and where relevant supplementary measures as “restricted transfers”. If a transfer is not a “restricted transfer” in the eye of the ICO, there is no need for any such safeguards of measures.

The ICO provides guidance on this inter alia as follows:

Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.

It gives the following example:

Personal data is transferred from a controller in the UK to another controller in the UK via a server in Australia. There is no intention that the personal data will be accessed or manipulated while it is in Australia. Therefore there is no restricted transfer.

Of course, the same would apply if for Australia one would read the USA (or Russia or China).

The crucial point is the reference to their being “no intention” that the personal data will be accessed or manipulated while it is in Australia. But a major issue for the EU has been undue access to transferred EU data by authorities of third countries, in particular the USA (but that should now also be a major issue in relation to the UK which carries out much the same kind of undue surveillance, essentially hand in glove with the USA). The intention of the data exporter and importer are irrelevant to that.

The ICO guidance means that under UK law (as the ICO applies it) sending data from the UK to a US cloud as part of the use of a cloud-based service — e.g., the sharing of HR data between UK companies belonging to a group by means of a USA-based server — raises no data transfer issues: the data are only routed through the USA and the users of the service (and indeed presumably the US service provider) do not “intend” that the US intelligence agencies will access the data. But of course, under US law they can and do. If the UK is granted a positive adequacy decision, personal data sent from the EU/EEA to the UK can then simply be entered into the US could-based database, without any need for safeguard.

The ICO does not even require that the data in the UK-Australia example should be fully and strongly encrypted – strong enough to prevent the authorities from being able to access and decrypt the data.

In our submission, Ian Brown and I warned in particular that if the UK were to be granted a positive adequacy decision without changing its laws and practices, it would become a data laundering channel to the USA — which would go completely against the case-law of the CJEU. The ICO guidance appears to confirm not only that that risk is very real, but also that the UK ICO will not do anything to prevent it.