UK Data Protection and Brexit: the Implications of the Latest Privacy International Ruling – Updated

Background

Following the end of the Brexit transition period on 31 December 2020, a key concern for UK- based entities was whether the European Commission (“EC”) will find that the level of protection afforded to personal data by the UK’s data protection laws (typically referred to as the “UK GDPR”) is adequate pursuant to the General Data Protection Regulation (EU/2016/679) (“EU GDPR”) and related EU legislation.

Hopes in this regard have been improved by the findings made in the draft adequacy decision published by the EC on 19 February 2021. These can be found here. If the adequacy decision is approved, the UK could continue to import EEA-originated personal data without the imposition of additional safeguards. The UK courts’ recent decision in Privacy International, Investigatory Powers Tribunal, Secretary State for Foreign, Commonwealth and Development Affairs and Government Communication Headquarters [2021] EWHC 27 (Admin) (“Privacy International”) may have improved the likelihood of this.

Current Position

The Impact of the UK’s Investigatory Powers Laws

Prior to the EC’s release of a draft adequacy finding, the UK had already determined that the EU GDPR provides an adequate level of protection for personal data exported to the EEA but the reciprocal position has not been extended by the EC. This was somewhat surprising given that, at Brexit, the UK GDPR was a mirror image of the EU GDPR and the UK has a good record of enforcing the regulation.

However, one potential problem is that, as noted in a previous alert, holdings by the ECJ[1] have indicated that the UK’s Investigatory Powers Act 2016 (“IP Act”) contravenes the EU’s privacy and electronic communications directive (“e-Privacy Directive”). The e-Privacy Directive prevents Member States from imposing national legislation that requires electronic communications service providers to carry out the general and indiscriminate transmission or retention of traffic and location data for the purposes of combatting crime or safeguarding national security.

The UK’s IP Act requires ISPs and mobile phone operators to store internet connection records for up to 12 months so that these can be forwarded to national security and intelligence agencies for national security purposes. The ECJ has expressed concern over the breadth of the powers available under the UK’s IP Act and the level to which personal data is protected in the UK.

Notwithstanding these concerns, the UK Government had remained optimistic about the prospective declaration of an adequacy decision. In a statement to Parliament on 11 January, the relevant minister said:-

“….. Given we have an existing data protection framework that is equivalent to the EU’s, we see no reason why the UK should not be awarded adequacy and we expect the process to be concluded promptly…”.

The findings made by the EC in its draft adequacy decision would support this view. On page 51 of its decision, the EC begins an extensive review of the use of data by UK public authorities for national security purposes under the IP Act, the Data Protection Act 2018 and the Regulation of Investigatory Powers Act 2000. It notes that the IP Act replaces the legislation concerning the acquisition of bulk communications data which was the subject of the ECJ judgment in Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others. In particular, the EC observes that the IP Act requires the Secretary of State to issue a warrant only if the measure is necessary and proportionate, rather than giving the Secretary of State full discretion over authorization as under the previous legislation. This means that in practice, there must be a “link between the access to the data and the aim pursued”.

The ruling by a UK court in a recent case (also involving Privacy International), described below, may be helpful to the UK’s cause in this respect.

If so, this will provide welcome assurance to UK and EU businesses alike that data can continue to flow freely from the EU to the UK. If such a finding is made, very little will change for UK-based entities from a data protection perspective. Nonetheless, those that process the personal data of EU residents may need to appoint an EU representative (see here for more on this), identify a lead supervisory authority in the EU, and update their policies, procedures and documentation to reflect the change.

Further Interim Measures – the ‘Bridging Mechanism’ for Personal Data Transfers from the EU to the UK

Given that the EC did not reach an adequacy finding before the end of the transition period, a ‘bridging mechanism’ applicable to personal data transfers from the EU to the UK was included in the Trade and Co-operation Agreement reached on 24 December 2020 (i.e. the deal upon which the UK finally left the EU).

The bridge will last from 1 January 2021 until the shorter of the date on which an adequacy decision is agreed or four months (extendable to six months with the agreement of both the EU and the UK). During this time and under its current data protection regime, the UK will not be treated as a third country for the purposes of personal data transfers and data exports between the EU and the UK. These can continue as before.

How May the Ruling in the New Privacy International Case Help the UK?

In Privacy International, Privacy International applied to the Divisional Court for a judicial review of the Investigatory Powers Tribunal judgment. It sought to have the court clarify the scope of the Intelligent Services Act 1994 (“IS Act”). In particular, the court was asked whether the IS Act permitted issuing so-called ‘thematic’ computer hacking warrants authorizing acts in respect of an entire class of people or an entire class of such acts. Computer hacking or computer network exploitation (“CNE”) is a key tool for national security agencies when dealing with threats in the UK. In reaching its decision, the court concluded that:

1. The IS Act in this regard engages fundamental rights in the UK due to the “longstanding aversion of the common law to general search warrants” such as those under consideration in this case. As a result, these rights may not be overridden by statute unless the wording of the statute makes clear that Parliament intended to do so.
2. A general search warrant (i.e. one which requires the exercise of discretion by the official executing the warrant as to which individuals or property should be targeted) gives rise to an unlawful delegation of authority by the legally-entrusted decision-maker to the executing official thereby breaching a fundamental right in the UK. The IS Act’s requirement that warrants are to be issued “under the hand of the Secretary of State” emphasizes that the delegation of this duty to an official is impermissible.
3. To be lawful, a warrant must be “sufficiently specific” and “objectively ascertainable” so as to indicate to individual officers of the security agencies (GCHQ in this case) which property can be targeted, rather than leaving it to their discretion.

Comment

As the court noted, the holding in Privacy International is of significance to the IP Act because much of the IS Act has been replaced by provisions in the IP Act. The IP Act creates a new regime for the authorization of warrants for particular purposes. The judgment would suggest the need for the UK Government to amend the provisions of the IP Act in order to bring it in line with the recent holding in Privacy International and the ECJ’s decisions footnoted in this article. As far as we are aware, the decision has not been appealed by the UK Government and it remains to be seen how the UK Government will respond to the High Court’s decision.

The draft adequacy decisions made by the EC under the EU GDPR and the Law Enforcement Directive now need to be considered by the European Data Protection Board and, then, a committee of representatives from the EU Member States. The process will be scrutinized by the European Parliament. The Privacy International cases are discussed at some length in the draft adequacy decisions. In our view, an amendment in UK law to bring it into line with the recent High Court decision would strengthen the likelihood of the EC’s draft decisions in favour of making an adequacy finding in relation to the UK GDPR being endorsed. Such an amendment would bolster the restriction on the state’s powers so that general and indiscriminate warrants for investigatory purposes are prevented.

However, even if the UK’s data protection laws are determined to be adequate, it will not end there. Any adequacy decision granted by the EU will be periodically reviewed at least every four years and is open to legal challenges at the ECJ. Thus, any change in the UK’s laws or the manner in which they are applied, may lead to the ECJ or EC overturning an adequacy finding. Indeed, a similar event happened when the EU-US ‘Privacy Shield’ was struck down last year (see here for this). There is also, of course, the possibility of privacy activists such as Privacy International challenging the adequacy decision at any time.

Click to view the full alert.

___________

[1] See Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others.

© 2021 Brown Rudnick LLP

Prior results do not guarantee a similar outcome.

Brown Rudnick is a tradename of both Brown Rudnick LLP, a limited liability partnership organized under the laws of the Commonwealth of Massachusetts (“BR-USA”), and its affiliate Brown Rudnick LLP, a limited liability partnership registered in England and Wales with registered number OC300611 (“BR-UK”). BR-UK is a law firm of Solicitors and Registered Foreign Lawyers authorized and regulated by the Solicitors Regulation Authority of England and Wales, and registered with the Paris Bar pursuant to the 98/5/EC Directive. A full list of members of BR- UK, who are either Solicitors, European lawyers or Registered Foreign Lawyers, is open to inspection at its registered office, 8 Clifford Street, London W1S 2LQ, England (tel. +44.20.7851.6000; fax. +44.20.7851.6100).

Information contained in this Alert is not intended to constitute legal advice by the author or the lawyers at Brown Rudnick LLP, and they expressly disclaim any such interpretation by any party. Specific legal advice depends on the facts of each situation and may vary from situation to situation.

Distribution of this Alert to interested parties does not establish a lawyer-client relationship. The views expressed herein are solely the views of the authors and do not represent the views of Brown Rudnick LLP, those parties represented by the authors, or those parties represented by Brown Rudnick LLP.