GDPR Transition Period

In my Schrems II blog I described the implications of the Court of Justice of the European Union's (CJEU) decision to invalidate the Privacy Shield data transfer mechanism. The ruling did validate the use of Standard Contractual Clauses (SCCs) for data transfers, but made the point that controllers must carry out reviews of their SCCs. Subsequently the European Data Protection Board (EDPB) rushed out draft guidance, which I glibly summarise here as telling controllers to encrypt data transfers to prevent state snooping*.

At the same time as the CJEU was deliberating, the Brexit negotiations were continuing. Many privacy professionals were considering the implications on data transfers when the UK becomes a Third Country upon leaving the EU. Would the UK be granted an adequacy decision which would enable data transfers to continue seamlessly? Or would Adequacy be used as a bargaining chip by the EU, particularly with respect to the City of London and as underpinning free trade?

It couldn't be assumed that the EU would deem the UK adequate just because the UK had been in the EU and therefore previously adequate, as common sense might suggest. Like it or not, the process is going to be followed and comprises four steps:

1. The European Commission must submit a proposal for the UK to be adequate

2. The EDPB must offer an opinion

3. The EU member states must give approval

4. The Commissioners must adopt a decision

And this can take 18 to 60 months.

However, there are some stumbling blocks: the Investigatory Powers Act 2016 has previously been called into question by the European Court of Justice as contravening the Charter of Fundamental Rights (CFR), as has the DPA 2018 for immigration control; and the UK has been accused of violating the Schengen Information System. Then there's onward data transfers to non-adequate countries.

Last week’s High Court ruling on Section 5 of the Intelligence Services Act 1994 might have helped the situation. The Court ruled that warrants must be targeted at an individual, not on a general basis for surveilling the population writ large, as revealed by Snowden.

If these truly are blockers then it begs the question of is it right that previously a member state could be adequate simply by being a member state. And it has been observed that adequate third countries subsequently introduce legislation which falls foul of the CFR.

In the meantime the UK and the EU have agreed a six month transition period from 1st January 2021, during which it is hoped a decision will be reached. If not then organisations will have to fall back on SCCs or Binding Corporate Rules, which will require controllers, under the EDPB guidance, to conduct their own adequacy assessments of the destination countries. These are complicated and expensive to implement, probably beyond the reach of many SMEs, and at a time when the UK and EU economies need all the help they can get.

If the UK, which was previously adequate and has implemented GDPR and the Law Enforcement Directive in domestic legislation, can't meet the standard then how could other countries. It would also call into question existing adequacy agreements if they were at a lower standard than the UK.

It has also been suggested that an adequacy decision could be challenged and ruled upon by the CJEU.

The saving grace in all this uncertainty is the EU-UK Trade and Cooperation Agreement (TCA), which was agreed in December last year, and contains the six month transition period. A Partnership Council has been established to oversee the TCA and it can make recommendations about personal data transfers in any areas covered by the agreement. Privacy professionals and organisations will be keeping watch.

*Several people have asked me about the Federal Government simply demanding the controller's encryption keys in order to read the data. That would require judicial approval, lack of which was one of the CJEU's criticisms of the US surveillance laws.