by Osal Stephen Kelly*
In July 2020, the Court of Justice of the European Union (“CJEU”) delivered its judgment in the Schrems II case brought by the Austrian lawyer and activist Max Schrems, with far-reaching implications for data protection policy and practice. One question of particular urgency is what the consequences will be for the continued flow of personal data from the EU to the UK; while the EU-UK Trade and Cooperation Agreement temporarily allows these flows to continue on the same terms as between member states, this will end on 30th June 2021. The purpose of this period is to allow for the EU Commission to determine whether or not to grant an “adequacy decision” that would confirm that the UK provides a level of protection essentially equivalent to that of member states, which would allow for these important transfers to continue indefinitely. While the Commission has issued a draft adequacy decision, some of the issues identified by the European Data Protection Board (“EDPB”) in its recent opinion on the draft expose frailties in these protections that could form the basis for a legal challenge in the future. It is submitted that there are two areas of particular vulnerability that would be key in any such challenge. First, there are serious unresolved questions around the powers of UK and US authorities to access data for security purposes. Second, the UK’s emerging post-Brexit constitutional and legal framework is likely to be somewhat less advantageous to data subjects vindicating their rights than was the case when EU law had direct effect.
Schrems II follows an earlier case in which Mr Schrems had already challenged the previous transfer framework (Schrems I). The Schrems II case arose from a complaint concerning the transfer of his data from Facebook Ireland to Facebook Inc. (based in the United States). The complaint was made to the Irish Data Protection Commissioner and resulted in the Irish High Court making a preliminary reference to the CJEU. In its submissions, Facebook sought to justify these transfers as permitted by the EU Commission’s Privacy Shield decision, which set additional safeguards for data moving from the EU to the US. However, the Court found that the Privacy Shield was invalid, as the protections offered by US law did not in fact afford the required level of protection. The Court stressed the importance of “effective and enforceable data subject rights” (para. 177 of judgment) and found that data subjects did not enjoy such rights under the Privacy Shield. Particular emphasis was placed on the lack of limits on the power of surveillance agencies to collect data on individuals held by companies such as Facebook (para. 180). While the Court recognised that data controllers could in principle rely on standard contractual clauses approved by the Commission to allow cross-border data transfers to continue, it noted that such clauses did not necessarily protect data from unlawful access by the authorities of the receiving country (para. 141).
Although the UK ceased to be subject to EU law from 31st December 2020, the GDPR has been incorporated (with amendments) into UK domestic law, in line with Section 3 of the European Union (Withdrawal) Act 2018. This amended version, referred to as the “UK GDPR”, now forms the basis of the UK’s legal framework for data protection, together with the UK’s existing Data Protection Act 2018 (draft adequacy decision, Recital 14). It is this framework that was examined in the Commission’s draft adequacy decision and, subsequently, in the EDPB’s opinion, released on 13th April 2021. Although important, the opinion is itself non-binding, and the final decision on adopting the adequacy decision rests with the Commission, so the decision is likely to be approved.
The EDPB opinion, read in light of Schrems II, would require particular scrutiny of whether the UK’s intelligence operations comply with the (EU) GDPR. While the tone of the opinion as a whole is very measured, the EDPB nonetheless expresses “strong concerns” (para. 88 of opinion) over the data-sharing agreement between US and UK authorities pursuant to the US CLOUD Act. The Act requires US companies to disclose information stored on overseas-based servers on foot of a valid warrant. The EDPB notes that the Commission’s draft decision refers to non-binding “explanations” that were provided to it by UK authorities (para. 88 of opinion). Critically, however, the EDPB notes that these explanations did not seem to comprise “any concrete written assurance or commitment” on the part of the UK Government. It is difficult to see how mere explanations without substantive legal force could be relied upon by data subjects in enforcing their rights, which is concerning given that the existence of “effective and enforceable data subject rights” was deemed vitally important in Schrems II.
Moreover, para. 189 of the opinion highlights how broad the general exemption is for intelligence-related processing, stating that “national security certificate DPA/S27/Security Service provides that until 24 July 2024, personal data processed ‘for, on behalf of, at the request of or with the aid or assistance of the Security Service or’ and ‘where such processing is necessary to facilitate the proper discharge of the functions of the Security Service described in section 1 of the Security Service Act 1989’ are exempted from the corresponding provisions in UK law to Chapter V GDPR in relation to transfers of personal data to third countries or international organisations”.
This provision is as open-ended as Section 702 of the US Foreign Intelligence Surveillance Act, which was found in Schrems II not to afford a sufficient level of protection to data flows (para. 180 of judgment). If Chapter V GDPR (and the equivalent provisions in the UK GDPR) does not apply to intelligence processing, personal data could be transferred to US authorities and would thus fall within the scope of the Court’s ruling in Schrems II.
Given that the UK is no longer a member of the EU or subject to the jurisdiction of the CJEU, issues also arise in relation to the UK’s overall legal framework (para. 54 of opinion). The Commission has placed great emphasis on the fact that the UK will continue to be a party to the European Convention on Human Rights (“ECHR”) and thus part of the “European privacy family” (press release accompanying the adequacy decision). However, while the set of rights listed in the ECHR is also included in the EU’s Charter of Fundamental Rights, in Schrems II the Court notes that the ECHR is not part of the EU law acquis (paras. 98, 99 of judgment). Furthermore, the UK Government will review the Human Rights Act 1998, which implements the ECHR in the UK. The review will consider whether courts have been “unduly drawn into matters of policy”. Given that the CJEU identified “effective and enforceable data subject rights” as key in determining whether a country provides an adequate level of protection (para. 45 of judgment), any dilution of citizens’ ability to invoke their ECHR rights would be likely to count against the UK in the event of a legal challenge.
The foregoing indicates that a credible case could be brought before the Court to challenge the validity of the adequacy decision in the future. On a practical note, data controllers can at least be reassured by the CJEU’s clarification in Schrems II that an adequacy decision enjoys, in effect, a presumption of legality until it is successfully challenged (para. 156 of judgment); accordingly, they should not incur any liability for data transfers while the adequacy decision remains in place, for whatever period that may be.
*Osal Kelly is a postgraduate Law student in the Law Society of Ireland in Dublin and holds an undergraduate degree in Philosophy from Trinity College, Dublin. He currently works in the Irish public service. This article is written in a personal capacity.