
A Cloud Over EU-UK Data Flows – 13th Dec 2020


A Court Scene

Imagine a scenario in which the newly-independent UK is summoned to the European Court of Justice (ECJ) to explain why it thinks UK national security laws and practices are consistent with EU law and the EU Charter of Fundamental Rights.

The UK has to attend the hearing and take it seriously as the outcome of the case has massive consequences for the ability of many UK businesses to trade with people inside the EU.

Unlike other possible trade disputes, if this case turns out badly it will not just result in annoying but manageable new tariffs for UK businesses.

If the Court finds against the UK, British businesses will not just be able to “pay more and carry on”, but may have to make major changes to their company structures to keep trading with people in the EU.

This is because the Court will want to make it a condition of trading that UK businesses can show they are able to refuse to comply with demands from UK national security agencies where these relate to their EU customers.

Under current UK law, any business in the UK is required to comply with all properly drafted demands from national security agencies under threat of criminal penalties if they do not.

This is not particular to the UK, so French companies must similarly respond to French government demands, and it would be weird for any country to create a security law that gives local businesses the option to refuse legitimate orders to provide any of the data that they hold.

So the only way for a UK business to comply with a judgement like this would be to establish an entity within the EU to serve EU customers, with the relationship structured in such a way that the EU operation is legally insulated from the UK entity in respect of security service data requests.

[NB It will not be enough just to move the data of EU customers to servers within the EU as the problem will remain as long as the UK company has access to that data and could provide it to the UK authorities.]

For businesses with a lot of EU customers, the best solution may be to move their company HQ to a country within the EU, and have the UK part of their business become a legal subsidiary of this so it is absolutely clear that EU law will prevail over UK law.

And the decision about whether to make this hugely consequential change for UK businesses will lie wholly with the European Court of Justice – the UK has no seat at the table for this but is merely a petitioner in the proceedings.

At this point, the heads of Brexiteers will be swivelling with indignation, and even those who are more EU-friendly may be feeling that this all seems jolly unfair.

A Prediction

Predictions are always a risky thing in politics but I am prepared to say that some parts of this scenario are almost certainly going to occur over the next two years whatever happens in the ongoing trade negotiations.

I feel confident predicting the court case will happen because we have seen just this scenario playing out with the US, and we have every reason to believe there will be similar challenges to any agreement the EU makes that the UK has ‘adequate’ safeguards for personal data.

It is far from wild speculation to take this view when many of the experts in the privacy community who took issue with the EU-US agreement are signalling loudly and clearly that they want to see the UK regime tested in the same way.

Good examples of the concerns that are being expressed, and that will likely be argued out in a future court case, can be found in this paper by Douwe Korff and Ian Brown.

While I would assess the likelihood of this being tested in court at near enough 100%, the outcome of the case is much less certain and we should recognise that there is a fair chance that the UK could successfully defend its position.

The UK will certainly be in a stronger starting position than the US because it has been incorporating EU law into UK domestic law for many years.

But there are enough similarities between the way in which the US and the UK think about data collection for national security purposes to believe there is a material chance that the UK would suffer a similar fate, and be deemed to be offering inadequate safeguards for EU data to be allowed free passage.

[NB In the US case, not only was their adequacy-like decision revoked (a special arrangement called the EU-US Privacy Shield) but doubt was cast on the validity of using another common legal mechanism, known as Standard Contractual Clauses, for transferring data to the US.]

The Big Question

We need especially to focus on the question that will likely be before the court which is ‘whether UK surveillance laws and national security data collection practices are consistent with the EU Charter of Fundamental Rights’.

The answer to this question is not ‘we have put the GDPR into UK law’ as the GDPR does not directly constrain the activities of national security agencies as I have described more fully in a previous post.

This question can only be answered by an assessment of this very sensitive area of national security law, just as happened in the EU-US case which turned on whether specific provisions under US law might result in access to the data of EU persons that was unacceptable to the ECJ.

Moving From a Right to a Privilege

You may be wondering how it is that these provisions have not already been considered by the courts during the time that the UK was a member of the EU.

We have seen the ECJ recently make some rulings that impact on this area of national security data collection, but it has to tread more carefully here for EU members than it does when looking at third countries.

This is partly because the EU treaties expressly exclude national security as an EU competence so the ECJ may only look at this tangentially through the lens of other EU laws rather than by directly ruling on member state laws.

We also need to recognise that for an EU country, the free flow of data is a right that is necessary for it to participate fully in the EU single market, while for a third country it is a privilege that the EU is granting to an outsider at its sole discretion.

It is much easier for the ECJ to remove a privilege from an outsider, as it did in striking down the EU-US Safe Harbor and Privacy Shield agreements, than for it to threaten one of the core rights of an EU member state.

As long as the UK was an EU member state then there might have been concerns about its surveillance practices but also strong incentives not to test these to the point where this would undermine the right for data to flow freely across the EU single market.

Now that the UK is a third country, the ECJ can happily test the UK’s surveillance practices to the point of destruction knowing that any decision will not affect the EU single market and data flows between member states.

Less Important Than Fish

There are some people doggedly trying to raise the profile of this issue, such as the journalist Mark Scott at Politico, but it remains remarkably low profile in the grand scheme of all things Brexit.

I asked the UK Government about their position on potential challenges in a written Parliamentary question :-

To ask Her Majesty’s Government what assessment they have made of the likelihood of legal challenges from privacy advocates against transfers of personal data between businesses in the EU and the UK after 31 December.

And they replied like this :-

At the end of the transition period, UK domestic law will treat EU (and wider EEA) states and institutions as adequate on a transitional basis for the purposes of the UK GDPR, so personal data can continue to flow from the UK to the EEA without further safeguards needing to be implemented.

In order for the free flow of personal data from the EEA to the UK to continue at the end of the transition period, we are seeking an adequacy decision from the EU under the GDPR. Our view is that the UK more than meets the ‘essentially equivalent’ adequacy test. However, if the EU has not made an adequacy decision in respect of the UK before the end of the transition period, there are alternative mechanisms which organisations in the EU/EEA can use to lawfully continue to send personal data to the UK from 1 January 2021. Standard Contractual Clauses (SCCs) are the most common legal safeguard and will be the relevant mitigation for most organisations.

These measures should address any potential risk of challenge from privacy advocates.

Baroness Barran, 27th Oct 2020

The UK Government seems remarkably sanguine about not being granted adequacy status by the EU, and happy with Standard Contractual Clauses as a fallback mechanism, even if the EU-US case also called these into question.

What seems to be missing from the equation on the UK Government side is any recognition of the harm that will be caused by the simple fact of there being significant uncertainty, and how businesses will respond to this.

Traffic Lights

We should avoid the temptation to catastrophize the situation – there are a number of ways to make it legal for people outside the EU to process the personal data of people inside the EU and they are not all under immediate legal threat.

But we should also recognise that businesses are likely to be cautious about any perceived risks in this sensitive area of data protection, not least because the authorities have been ramping up the rhetoric about how important it is to get this right over recent years.

In traffic light terms, we might see an adequacy decision as being a Green Light for data flows – this is the EU authorities saying they are entirely comfortable with sending EU data to a particular country.

If an adequacy decision is not granted, or granted then rescinded, this does not mean that data flows must now stop but it is moving from a Green to an Amber Light and signalling to businesses that they must proceed cautiously.

One of the ways to transfer data in this non-adequacy situation is to use legal instruments called ‘Standard Contractual Clauses’, but these have also been called into question in a recent ECJ judgement.

If this mechanism also becomes unavailable, then businesses can still look for other legal grounds for transferring data outside the EU, such as demonstrating that people have freely consented to this, but the Red Light will be looming much larger at this point.

The question facing an EU business as it sees data transfer mechanisms under threat is whether to move before the light changes to Red, making it impossible for them to transfer data without exposing themselves to unacceptable legal risk at home.

This force may start to exert itself well before any final decisions by the ECJ and could represent a significant loss to UK businesses as EU customers move their contracts to safer providers within the EU.

The UK Response

So what should the UK government do to prepare for this eventuality?

Well, what it should not do is bury its head in the sand or fail to prepare for what we can accurately predict today is going to come tomorrow.

And it should certainly not get on its high horse and refuse to play ball with any judicial processes that are initiated within the EU that challenge the UK’s data protection regime.

That might feel good to the ‘sovereignty or death’ crowd, but it would be a serious dereliction of the government’s duty to defend the interests of UK businesses.

[NB The UK government might note that in similar circumstances the US government was prepared to come before the ECJ and argue its case and the UK government should certainly not see this as beneath itself.]

As this government has a penchant for snappy three-phrase slogans, they might follow this one here – Be Open. Be Honest. Be Prepared.

The Government may feel that the best way to reduce uncertainty for business is to keep repeating their mantra of ‘we have the GDPR, it will all be fine’, and they may think that people raising concerns are exacerbating the problem.

If this is their approach, then it is badly misjudged given what we know about the likelihood and nature of the legal challenges to come.

It would inspire more confidence for them to recognise that there will be some difficult conversations to be had, and to start making the case for their defence in detail openly now.

This is not an issue that will be decided in secret negotiations behind closed doors but in open court with public submissions, so it is a question of when, not whether, you get your arguments out there.

A lesson from the EU-US cases is that the US Government was quite late to the party in terms of explaining and seeking to defend its laws and practices and could have been better served by having these debated earlier.

Where there are aspects of UK law that are problematic then it is also important to be honest about this and think hard about what to do about them.

This will be more sensitive as the instinct of a defendant is to try not to give any credence to the arguments of their opponents, but in this case many of the points of weakness are already well-known and being publicly discussed.

Most importantly, we need to be prepared for all the possible outcomes – hoping for the best but planning for the worst.

This means thinking now about any changes to UK law that we would be prepared to make if these were necessary to gain or maintain the status of EU data protection adequacy.

The Government could take the position that it is not prepared to change anything as a matter of principle but more likely is that it would be prepared to make some concessions given what is at stake.

[NB We should note again that the US was prepared to offer some commitments to the EU in order to establish the Privacy Shield, even if these were short of the changes that the ECJ eventually said were needed.]

If an honest analysis points to changes being needed then preparation means having these in place as early as possible to minimise the disruption caused while they are still pending.

As a veteran of many such situations, I can tell you that ‘defend-bleed-concede’, where you only make an inevitable concession after losing a significant amount of metaphorical blood, is not the best place to be.

It is far better to get the concession in early and move on, and this will be especially true in this situation where every week of uncertainty is likely to mean more businesses making decisions that are negative for the UK.

Fog in The Channel

There has been a natural focus on the guidance that the UK Government is offering to businesses here about data protection post-Brexit.

But far more pertinent for many businesses will be the guidance that is being given by public authorities and private lawyers on the other side of the Channel.

If businesses within the EU are told that it is risky to send data to the UK from Jan 1st 2021 (and this could happen even before any significant legal challenges take off) then this will weigh more heavily in their decision-making than any reassurances from the UK side.

We might consider the situation of a business in Germany thinking of using a UK service provider to handle its human resources operations.

They will ask their legal counsel if this is safe, and may also refer the question to their local German data protection agency.

If the answer comes back that the UK has been deemed adequate, and that it seems like this decision is defensible and will hold over the long-term, then they will feel comfortable placing the contract.

If they are told that an adequacy decision hasn’t yet been made for the UK but is in the works and that they can safely use Standard Contractual Clauses in the meantime then they may still feel confident about going ahead.

But if the advice is that there is a cloud of unresolved questions over data flows to the UK then this deal is going to start to look a lot riskier, and they may take the UK company off the tender list.

The creation of the cloud is not within the UK Government’s hands, but it can work to dispel it if it is willing to recognise that it exists, is a real threat, and should be one of the Government’s highest priorities for 2021.
