As the Biden administration and the European Commission “intensify” negotiations to re-establish a stable transatlantic data-transfer framework, Brussels separately is moving ahead to enable unrestricted data flows with two other major trading partners: the United Kingdom and the Republic of Korea.
In announcing the Commission’s preliminary “adequacy” decision for the United Kingdom on February 19, Commission Vice President Věra Jourová said that while it “has left the EU,” the United Kingdom remains a member of “the European privacy family.” The Commission’s announcement offers Washington a ray of hope. If the European Union (EU) welcomes back to the fold an ex-member with wide-ranging surveillance programs, then there may be a path for its American cousin as well.
The United Kingdom was under severe pressure to obtain continued legal certainty for data flows from the European continent. The EU-UK Trade and Cooperation Agreement (TCA), reached at the end of last year, did not resolve the matter. That agreement concentrates on goods trade, devoting comparatively little attention to the important category of services. It contains limited commitments on data flows, including a prohibition on localization of computing facilities or storage of data, but these are subject to a generous exception for privacy measures.
Unrestricted data transfers are indispensable for much services trade—and increasingly goods trade as well—so the Brexit trade negotiators’ decision to defer the question of commercial data transfers across the Channel was initially worrying, especially in Britain. If the EU failed to follow with an adequacy decision, and UK businesses were forced to shift exclusively to more costly and less efficient standard contractual clauses, there would be a high economic price to pay: approximately $4,120 for each UK micro-business, $13,730 for a small business, and nearly $27,000 for a medium-sized company, according to a study by the New Economics Foundation and UCL European Institute.
The European Commission moved quickly to allay these fears. It surprisingly decided not to demand that the United Kingdom make any changes in its data-protection laws or surveillance laws, contrary to the predictions of numerous observers, including this one. Instead, the Commission chose to emphasize the continuity of post-Brexit UK data-protection law with that of its former EU partners. Two elements loomed particularly large: first, the UK’s prior decision to enact the EU’s General Data Protection Regulation (GDPR), largely without change, into domestic law; and second, its continued adherence to the Council of Europe’s European Convention on Human Rights and Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
This shared privacy legacy appeared to matter a great deal in the Commission’s detailed assessment of UK surveillance laws. It viewed the Information Commissioner’s Office (ICO), the UK’s data-protection authority (DPA), as an effective oversight body. The Commission approved of the ICO’s powers not only in relation to commercial data-privacy matters, but also as a supervisor of the UK’s security and intelligence services. The Commission also favorably critiqued the powers of the UK’s separate Investigative Powers Tribunal, an administrative tribunal with powers over security and intelligence activities. Individuals may bring complaints before these bodies, and appeal rulings to UK courts and ultimately to the European Court of Human Rights in Strasbourg.
Ironically, the fact that the United Kingdom previously had lost cases at the European Court of Justice (ECJ) in Luxembourg on law enforcement data protection turned out to bolster its post-Brexit bid for data-transfer adequacy. Following the 2016 Tele2/Watson judgments, the UK government had tightened administrative procedures for approval and oversight of its bulk metadata-collection programs, explicitly incorporating the “necessity” and “proportionality” standards used in ECJ jurisprudence. The Commission cited these legislative changes with approval as well.
This week, the European Data Protection Board (EDPB), the collective body of member-state DPAs, issued a guarded endorsement of the Commission’s preliminary adequacy verdict. The EDPB drew attention to the United Kingdom’s use of personal data in the immigration context, its actual and potential data-transfer relations with the United States, and its national security bulk metadata-collection practices as areas requiring further attention from the European Commission. The European Parliament likely will pick up on these criticisms in developing its own position in coming weeks. The Commission, the ultimate decision-maker on adequacy, could modify elements of its decision but is unlikely to be deterred from moving forward. However, its verdict can, and likely will, be challenged before the ECJ by a DPA, a privacy activist, or even the European Parliament—just as the EU-US Privacy Shield also ended up in European court. Such a challenge could take years to resolve.
The signs of dissent are already evident. Dutch liberal (ALDE) Sophie in ’t Veld, an influential member of the Parliament’s Civil Liberties, Justice, and Home Affairs (LIBE) Committee, quickly blasted the Commission for what “looks very much like a political decision.” Douwe Korff, an international law professor at London Metropolitan University and prominent gadfly on UK surveillance law, issued a scorching report accusing the Commission of looking only at the “law on paper…without paying any real attention as to the application of the law in practice.” Korff also pointed out that the Commission did not discuss signals intelligence-sharing among the UK’s Government Communications Headquarters (GCHQ) agency, the US National Security Agency, and their “Five Eyes” counterparts in Canada, Australia, and New Zealand. UK internet-law professor Lorna Woods, a more dispassionate observer, commented that the Commission had failed to analyze the actual operation of the UK surveillance-law system to the degree that the ECJ had assessed its US counterpart in the Schrems II case.
The United Kingdom nonetheless quickly seized upon the preliminary green light from Brussels as the moment to advertise its broader ambition to put data-transfer arrangements in place across the globe. In a March statement, UK Minister for Media and Data John Whittingdale proclaimed that “there is a great opportunity for the UK to make use of its independent powers to deepen our strategic international relationships and forge new bilateral and multilateral alliances.” One of the United Kingdom’s earliest moves is expected to be joining the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a multilateral trade agreement that includes a state-of-the-art data-transfer provision originally spearheaded by the United States before the Trump administration withdrew from the agreement.
London’s evident eagerness to begin charting its own economic future as a data hub worries Brussels. Not only may the United Kingdom pursue a wider and more liberal network of data-transfer agreements than the EU, it also may diverge from some of the less workable provisions of the GDPR, a government minister recently has indicated. The Commission therefore decided to limit Britain’s adequacy finding to a term of four years, with another review to follow at that point. All previous EU adequacy decisions have been open-ended in duration.
US negotiators on a successor to the Privacy Shield have been closely studying the UK adequacy decision for clues on how to persuade the European Commission that US privacy protections also merit its approval. There are important differences between the two countries’ systems, of course. The United States lacks an overarching national privacy law, let alone one closely resembling the GDPR. Nor does it share the United Kingdom’s decades of ingrained obedience to the data-protection jurisprudence of the European Court of Justice. Finally, the United States is not a member of the Council of Europe, and it is not likely to join its conventions and thereby subject US security agencies to the scrutiny of an international human-rights court.
Still, the Commission’s preliminary adequacy finding for the United Kingdom does offer Washington some reason for hope. Together with its 2018 adequacy decision for Japan and the March 30 announcement concluding negotiations with the Republic of Korea, the Commission is demonstrating that it is serious about establishing durable commercial data-transfer arrangements with major EU trading partners.
The Commission is obliged to take ECJ jurisprudence into account when reaching these determinations. Its preliminary UK adequacy decision focuses more on satisfying itself that foreign surveillance law embodies structural privacy protections than on closely examining how intelligence services conduct their operations. Although this approach still will require the United States to make compromises to assuage the ECJ’s concerns about judicial redress and proportionality of surveillance, it nevertheless is more flexible than the strictest reading of Schrems II might suggest. If the UK adequacy decision is any guide, the United States may yet find its way back into the European privacy family.
Kenneth Propp is a nonresident senior fellow in the Atlantic Council’s Europe Center and teaches European Union law at Georgetown University Law Center.