A few weeks back I posted an article on this space outlining how “equivalence” was likely
to become one of the “words of the year” for 2021. The growing pains associated with defining
the parameters of Brexit would make finding such equivalent standards a vital issue. Matters remained fairly quiet
on this front for approximately the first six weeks of the year. Then, on the 19th of February the
European Commission issued two draft decisions which go a long way towards bringing “equivalence” to the fore once again. These decisions set out the terms
under which the EU will continue to allow personal data into the UK on the basis that it has established a system with an “adequate
standard” of data privacy. Essentially, before issuing such an “adequacy” finding, the EU seeks to establish that the
data protection laws in a given country are equivalent to those in the EU. Thus far the EU has found such adequate
protections in only a small number of jurisdictions (e.g. Canada, Switzerland,
Japan and a few others). Post-Brexit, the question of whether the UK has adequate data protection laws needed to be considered, and it was this exercise that led to the Commission issuing the drafts on the 19th of February. The two opinions address the question of whether the UK has laws that are up to the levels of the two most relevant EU laws, the General Data Protection Regulations (GDPR) and the Law Enforcement Directive (LED).
In both cases the Commission’s draft decisions recommend recognising the UK as having
adequate provisions in place to allow the continued flow of personal data. The findings, which will now have to be
reviewed by the European Data Protection Board (EDPB), are not surprising given
that the framework legislation for the UK’s current approach to data protection
is the GDPR and LED. It
would be exceedingly surprising if the EDPB does not agree with the draft assessment
when it undertakes its review. The Commission will then forward the draft to a representative
body of member states, who will vote on whether to accept its terms. Once again, approval would be expected.
There are, however, a few key items that could derail the orderly progress of the draft
adequacy decisions. Again, as will be
the case for many areas of comparison between the EU and UK, the word of the
year will be “equivalence” – whether it is present, where it may be absent –
and how it is defined. Here’s a closer look at some of those key areas:
Recognition of 3rd Party Countries: In many ways this is the most important
of the measures to be taken when it comes to assessing equivalence. The existence of the GDPR and LED as base
legislation in the UK probably makes the treatment of personal data that goes
into the UK from the EU and then stays there of lesser
concern. After all, the laws within the
UK about what might be done with that data are currently nearly identical to
the EU. The greater worry, under the Schrems II decision and similar lines of thought, would be that the UK becomes a
mere “way station” for transfer on to other, non-equivalent countries. This could be accomplished if the UK were to recognise
countries as “adequate” or equivalent in terms of their approach to data, while
the EU continues to hold those same jurisdictions as inadequate. The most prominent country where these
potential conflicts might arise is, of course, the United States. The EU has never seen the U.S. as having adequate data protections in place
and has tied itself in knots, through “safe harbour” mechanisms and various attempts
at replacing the same, to find ways to address this concern. Theoretically the
UK could do away with this difficulty with a stroke of the pen by simply
finding the U.S. to have an adequate approach to data protection. This would be a nightmare scenario for the
EU, both from a standpoint of pure data protection and with regard to
competitiveness. The draft decision
seeks to somewhat address this possibility but it does not eliminate it, and it
is likely that there will be some further discussion around this scenario and
how it can be dealt with in the near future.
Treatment of Corporates and Industry Sectors: Countries are, naturally, the first type of
entity one thinks of when it comes to dealing with broad brush “data protection”
measures – but they are by no means the only sorts of collectives to be
considered. One must also take into
account how the laws in a given jurisdiction are applied against entities like
multi-national corporates and sometimes very ill-defined sectors like “big-data”,
“social media”, “medical-pharma” and the like. The current draft decision does
not specifically call out these areas, presumably because it assumes that the
UK will continue to approach these questions in a manner consistent with
existing EU law. That may be the case, but in the event the manner in which a given sector is treated does become
inconsistent between the two jurisdictions (for instance if the EU were to
become more prescriptive than the UK in terms of what level of control might be
required when it comes to Twitter accounts), then this too could become an
area where “equivalence” breaks down.
Treatment of Law Enforcement Requests: This is obviously an area of
major concern for certain groups but, in a commercial sense, its relevance is
largely contingent upon whether a dispute over policing or intelligence could
upset the entire data arrangement in place between the EU and UK. Unlike the instances where differing
standards of recognition or favouritism for industry sectors could lead to
competitive imbalance, if the UK were ever to share information with law enforcement
groups in a manner that is not equivalent to that of the EU, that would not directly
impact commercial arrangements. However,
if the standards for sharing data with law enforcement were to become a matter
of contention, the knock-on effect may result in the adequacy decision being
overturned. The impact of that sort of
finding would be substantial. Moreover,
it is exactly this sort of sharing of information (as reflected in the various Schrems
cases) that gives rise to the most impactful litigation, making this an area
that bears careful monitoring.
Recognition of Judicial and Administrative Findings: One of the primary concerns expressed by the
Brexit movement was the “loss of sovereignty” that was alleged to result from
deference to “Brussels”. Along with this
fear was the Brexiteers’ express worry that, somehow, remaining in the EU would
weaken the position of British litigants in international disputes. This
was accompanied by the somewhat illogical stance that ending the UK's direct
participation as a member of those courts would strengthen that same position. Brexiteers did not see this as contradictory
and claimed that having the ability to be “different” would increase UK
competitiveness. The entire concept of “equivalence”
is designed to put that theory to the test by demanding some degree of joint
recognition of authority between the two jurisdictions. The draft adequacy finding discusses in some detail
the ability of the UK Information Commissioner’s Office (ICO) to effectively handle
claims for redress from EU based data subjects and assesses the oversight powers
that sit within the remit of that office. These are found to be adequate.
What is not dealt with quite as extensively, but which might eventually
have to be reckoned with, is the degree to which the UK Courts and regulatory boards
will need to defer to or adopt EU positions that arise from judicial or
administrative decisions. For instance,
if the ECJ were to interpret the definition of “personal” data in such a way that such classifications would be narrowed, would UK courts, following the principle of
maintaining adequacy, defer to that finding or insist that a unique “UK”
definition be maintained? Those who advocated
for Brexit would, under this scenario, be faced with having established a
system that is certainly more independent – but would quite clearly be less “competitive”.
Of course, the opposite situation, where the ECJ broadens the definition of “personal”
data – thereby leaving the UK courts to contemplate whether to follow that
precedent – could arise as well. No matter the scenario, if there is not to be
some degree of shared jurisprudence in areas that require the maintenance of
equivalent systems then there will be a constant threat that we are only ever
one decision away from losing that equivalence. This is essentially what happened
in the case of Schrems. The EU
and U.S. thought they had carefully constructed a “safe harbour” system that
addressed a major concern. Then the Schrems
decision came down – and it was back to the drawing board. The EU relationship with the UK is now
vulnerable to the same sort of Jenga rules: one block out of place and the whole
structure topples.
So, the decision of the EC to issue a positive draft finding on adequacy is certainly a
step in the right direction when it comes to establishing a system of
equivalence between the EU and UK.
Having such a decision on the books is like a key to opening the first
gate into a shared future. That said, given
the care with which the parties will have to negotiate that future, one hopes
that we haven’t simply been presented with a key to a minefield.