On Aug. 26, the U.K. Department for Digital, Culture, Media & Sport (DCMS) released important details about its post-Brexit strategy for cross-border flows of personal data. The U.K. government emphasized the importance of international transfers of personal data to global trade and notably named the United States as a “priority partner” for negotiating an adequacy determination.
The DCMS announcement occurs at the intersection of Brexit, where the United Kingdom gained new flexibility to interpret and change data protection and other laws, and the decision of the Court of Justice of the European Union (CJEU) in Schrems II, in which the CJEU struck down the EU/U.S. “Privacy Shield” and pronounced strict limits on cross-border data transfers. In this post I discuss the recent developments between the EU and U.S. following Schrems II, and the ongoing challenges regarding data flows between the U.K. and EU, and I also provide several initial observations about the package of measures at the heart of the DCMS announcement.
As has been discussed previously on Lawfare, such as here and here, the Schrems II decision in July 2020 declared that the EU Commission had erred when it found the U.S. safeguards concerning national security surveillance to be “adequate.” In particular, the CJEU found that the U.S. government had not provided the necessary redress for individual complaints, and the U.S. failed to meet the requirement of conducting only “necessary and proportionate” surveillance.
The EU and the U.S. continue to negotiate in the wake of Schrems II. In June, Secretary of Commerce Gina Raimondo met with EU Commissioner Didier Reynders and tweeted: “We have a shared commitment to find a comprehensive successor to Privacy Shield that is fully in line w/ the Schrems II requirements & w/ US law.” With Kenneth Propp, and in Senate testimony, I have sought to define rigorous new mechanisms for individual redress that would indeed meet the Schrems II requirements.
While the EU and U.S. negotiations continue, however, enforcement actions have increased against transfers of data to the U.S. following Schrems II. In April, Portugal’s data protection authority ordered its census office to suspend processing personal data from any third country that lacks “adequate privacy protections, including the United States.” The census office subsequently suspended its contract with U.S.-based online security services provider Cloudflare. In May, the European Data Protection Supervisor launched an investigation into whether it is lawful for EU agencies to continue using U.S. cloud and software services. In August, the Hamburg privacy supervisor informed a state agency that it could not lawfully use Zoom; the supervisor went so far as to name a local cloud provider as an alternative. Nigel Cory, associate director for trade policy at the Information Technology and Innovation Foundation, described the Schrems II case and its aftermath as turning the General Data Protection Regulation (GDPR) “into the world’s largest de facto data localization framework.”
Brexit and Data Flows
Although the DCMS announcement supports greater cross-border flows of data, the U.K. may face ongoing challenges from the EU on data protection issues. The U.K. and EU data protection agreement in place at the official start of Brexit, at the end of 2020, was only temporary. After lengthy negotiations, the EU Commission found in June that the U.K. provides “adequate” protection of personal data, and announced: “Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.” The EU’s approval of data flows to the U.K. was accompanied by warnings that the U.K. government must retain the privacy protections required under EU law and that the U.K.’s adequacy finding will be reviewed by the commission in four years. Senior commission official Věra Jourová, in an official press release announcing the EU’s approval, stated: “We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.” The commission’s June 28 adequacy decision reiterated this point, saying that it “may suspend, repeal or amend” this decision if it “has indications that an adequate level of protection is no longer ensured[.]” After the DCMS announcement, the Financial Times reported that an EU official said that Brussels was “monitoring the UK’s decision very closely,” adding that “in case of justified urgency that threatened its citizens, it would immediately revoke its data-sharing arrangement with the UK.”
Aware of possible EU challenges to data adequacy, the DCMS repeatedly emphasizes the U.K.’s “high data protection standards.” Seeking to promote both trade and privacy, it says: “The aim is to make the country’s data regime even more ambitious, pro-growth and innovation-friendly, while still being underpinned by secure and trustworthy privacy standards.”
As the U.K. government seeks to point in two directions, with privacy protections staying the same while new opportunities for data flows open up, it is important as a matter of law that the text of U.K. privacy law remains, in general, the same as when the U.K. adopted the GDPR pre-Brexit. However, the U.K. did adopt targeted changes to the GDPR to define which U.K. institutional actors will play each role in the post-Brexit privacy regime.
Under the GDPR, the EU Commission decides whether a third country, such as the U.S., has “adequate” protection of personal data. Post-Brexit, a secretary of state in the U.K. would issue any such adequacy decision, with the DCMS as the lead agency to staff such efforts. Under the GDPR, the European Data Protection Board, which comprises national data protection regulators, issues opinions on draft adequacy decisions. Post-Brexit, the Information Commissioner’s Office plays that role for the U.K. In the EU, legal challenges to adequacy decisions, brought initially at the national level, may be referred to the CJEU. Post-Brexit, the U.K.’s judicial system provides the final answer on the lawfulness of an adequacy decision made by its government. Given the U.K.’s dual directions, it will be challenging for the U.K. to ensure that the outcome of its adequacy reviews both increases data flow opportunities and ensures the same privacy protections as the EU decisions.
The DCMS announcement encompassed a lot of information. Paul Greaves has a useful summary that outlines the important pieces of the DCMS package, including the launch of an International Data Transfers Expert Council. Here, I offer the following initial observations.
First, it is noteworthy that the U.K. has listed the U.S. as one of its “top priorities” for negotiations on adequacy, along with Australia, Colombia, Dubai, the Republic of Korea and Singapore. (The announcement also states that “longer term priorities” are Brazil, India, Indonesia and Kenya.) The DCMS does not provide any details about the nature of such adequacy negotiations. One initial possibility is to build on the EU-U.S. Privacy Shield: the Schrems II decision focused on the two specific issues of redress and proportionality, and the multiple other provisions in the Privacy Shield did not face any negative judicial finding. As a procedural matter, a revised U.K.-U.S. Privacy Shield would appear to be subject to judicial review in U.K. courts but would not be subject to the same sort of review by the CJEU as existed pre-Brexit.
Second, the DCMS is explicit that, in such negotiations, “policy factors which will be considered include the trade and diplomatic relationship between the UK and the third country.” The long-standing “special relationship” between the U.K. and U.S. would be consistent with efforts to find solutions for lawful U.K.-U.S. data transfers where feasible.
Third, the DCMS notes that an adequacy decision can apply to sectors of the economy, or territories within a country, rather than to the entire country itself. There have been public discussions about whether certain sectors of the U.S., such as health care and financial services, might meet the adequacy standards. Some observers have even suggested that California, with its privacy laws, might qualify. In light of the Health Insurance Portability and Accountability Act (HIPAA) medical privacy protections, and the importance of health research during the coronavirus pandemic, perhaps the DCMS would find adequate protections for U.S. health care. The DCMS announcement highlights the need for international data sharing for clinical vaccine trials and other medical research, in contrast to objections to such data sharing that have been raised in the EU. For financial services, U.S. privacy protections are in place under laws such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, and major U.S. banks have been global leaders for cybersecurity protections. With London and New York as leading financial centers, there may be “trade and diplomatic” relationships that would support efforts to promote financial data flows, consistent with high data protection standards. As one additional possibility for subnational adequacy, the U.K. might consider the APEC Cross-Border Privacy Rules System, under which only transfers made by certified companies in participating countries would be deemed adequate for transfers.
Fourth, it seems possible that the U.K. would find that the U.S. does provide adequate protections in the area of national security surveillance. As one possibility, the U.S. may reform its surveillance practices in the course of its negotiations with the EU, such as by providing new procedures for individual redress. In that case, the U.K. might consider any such U.S. reforms as it makes its own adequacy decisions. Another difference is that the legal standard for measuring “adequacy” or “essential equivalence” itself would seem to change. For technical legal reasons concerning the scope of EU law, it does not appear to be relevant under EU law whether the U.S. has stronger privacy protections for data collected for national security purposes than an EU member state does. As Kristina Irion has written, “[E]lectronic surveillance conducted by Member States’ intelligence authorities for the purpose of national security is off limits for EU law.” By contrast, it would seem that a U.K. adequacy decision would assess “adequacy” or “essential equivalence” by comparison to U.K. law. In Schrems II, the CJEU applied the EU Charter of Fundamental Rights. Post-Brexit, review of a U.K.-U.S. adequacy arrangement would instead take place in the U.K. courts, and the applicable law for assessing adequacy would be U.K. law, together with the European Convention on Human Rights as interpreted by the European Court of Human Rights. The latter court has to date applied a less strict standard concerning government surveillance than the CJEU.
Fifth, the DCMS package discusses transfer mechanisms in addition to having an adequacy finding. The U.K. Information Commissioner’s Office recently launched a consultation on standard clauses to legitimize transfers outside of the U.K., which are expected to be adopted at the end of 2021. In addition, the DCMS “strongly encourage[s] industry bodies to develop their own international codes of conduct.” Such codes of conduct can exist under both the GDPR and U.K. law, but the DCMS says that “this mechanism is currently underutilised.” The DCMS talks in detail about the need for international transfers in order for U.K. individuals and companies to use cloud-based solutions, concluding: “If we can remove barriers to these data flows, it means that such services can be provided faster, more reliably and securely, and cheaper.” Cloud providers have been working on international codes of conduct, and the DCMS appears to be inviting submission of such a code.
Sixth, the DCMS hints at a broader review of U.K. data protection law. It says that “[p]lans to consult on the future of the country’s data regime are also being confirmed.” Digital Secretary Oliver Dowden went into further detail—“It means reforming our own data laws so that they’re based on common sense, not box-ticking.” The reference to “box-ticking” might refer to the widespread practice in the EU of having users click “accept cookies” (or “reject cookies”) for each visit to a web site. Any legal deviation from the GDPR may trigger responses from Brussels. With that said, the new announcements suggest that such deviations may become an explicit part of U.K. law.
The DCMS package released on Aug. 26 suggests multiple possible changes to the practice of cross-border data flows. This post has sought to explore some possibilities, but the eventual details will only become apparent as the new U.K. “approach to international data transfers” becomes reality.