EU - UK: Necessary, proportionate, and adequate - European Commission issues draft adequacy decision of UK
The European Commission has issued a draft adequacy decision for the UK. The decision is subject to comment, first from the European Data Protection Board ('EDPB') and then through the EU 'comitology' process. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, outlines the key points of the adequacy reasoning set out by the Commission, including the UK's existing constitutional framework and the administrative and judicial redress options available to data subjects.
The Commission lays out, in detail, the reasons why UK law is 'essentially equivalent' to that of the EU, on the commercial side (hint: it's practically identical at this point) as well as on the surveillance side (hint: despite broad investigatory powers, including bulk surveillance, there are many statements in law and guidance that the surveillance is done only as 'necessary and proportionate').
The EDPB, where the draft is going for comment, will likely take issue with the latter position, and try to determine how, and whether, the surveillance stance of the UK is different from, and more robust and protective than, the US regime declared inadequate by the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18)('Schrems II').
Key points outlining the Commission's adequacy reasoning
Based on a careful examination of the law and practice of the UK, the Commission concludes that the UK ensures an adequate level of protection for personal data transferred within the scope of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') from the EU to the UK.
Solid constitutional framework
- Parliamentary democracy: The UK is a Parliamentary democracy which has a constitutional sovereign as Head of State. It has a sovereign Parliament, which is supreme to all other government institutions, an Executive drawn from and accountable to Parliament, and an independent judiciary.
- Human Rights Act: The UK Human Rights Act 1998 incorporates the rights contained in the European Convention on Human Rights into the law of the UK, including Article 8, which protects the right to private life and limits interference with it, and the UK is subject to the jurisdiction of the European Court of Human Rights.
- UK GDPR: Prior to the withdrawal from the EU and during the Brexit transition period, the legislative framework on the protection of personal data in the UK consisted of the relevant EU legislation. As part of the withdrawal, the UK incorporated directly applicable EU legislation, including the GDPR, into the law of the UK. Even though the European Union (Withdrawal Agreement) Act 2020 allows for the amendment of UK law, which could in theory deviate from EU law, so far no substantive change has been made.
Material and territorial scope
- Similar key terms: The key terms and concepts of the UK GDPR are identical or similar to those of the GDPR. This includes the principles of lawfulness, fairness, and transparency and the grounds for lawful processing; the conditions for consent provided for in the GDPR; the treatment of special categories of data; the appointment of a data protection officer and the conduct of Data Protection Impact Assessments; purpose limitation, accuracy, data minimisation, storage limitation, and data security without material modifications; as well as transparency obligations, data subject rights, and accountability.
- The regime on international transfers of personal data from the UK is set out in Articles 44-49 of the UK GDPR, supplemented by the Data Protection Act 2018 ('the Act'), and mirrors the one set out in Chapter V of the GDPR.
- Restrictions to individual rights in the context of immigration are necessary and proportionate: Even though UK law allows the restriction of individuals' rights in the context of immigration, the Commission is satisfied with the UK High Court's interpretation of the test for such limitation as a test of necessity 'requiring any interference with the subject rights to be proportionate to the gravity of the threat,' and with similar guidance issued by the Information Commissioner's Office ('ICO').
- Restriction to individual rights for tax or crime prevention only if 'likely to prejudice the legitimate aim': In the majority of cases, such restrictions apply only when (and to the extent that) the application of the provisions 'would be likely to prejudice' the legitimate aim pursued by that restriction. For example, the listed provisions of the UK GDPR do not apply to personal data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty 'to the extent that the application of those provisions would be likely to prejudice' any of these matters. Such a restriction must be applied on a case-by-case basis, only to the extent necessary to achieve the legitimate aim, and in a proportionate manner.
- Restrictions to individual rights for the purpose of safeguarding national security or defence apply only as required to safeguard national security: The limitation must be invoked only on a case-by-case basis and only as required to safeguard national security or defence. It is applied in compliance with human rights standards (interference that is necessary and proportionate in a democratic society) and as restrictively as possible.
Oversight and enforcement
- The ICO is independent: The Commission is satisfied that the UK ICO, the authority tasked with monitoring and enforcing compliance with the data protection rules, acts with complete independence and impartiality in performing its duties and exercising its powers.
- There are plenty of administrative and judicial redress options for individuals: The Commission is satisfied that under the UK regime, data subjects are provided with effective administrative and judicial redress, including compensation for damage. They are able to: (i) lodge a complaint with the ICO; (ii) mandate a representative body or organisation to lodge a complaint with the ICO on their behalf; (iii) get an effective judicial remedy against a legally binding decision of the ICO as part of a judicial review; (iv) get judicial redress against controllers and processors directly before the courts; (v) get compensation from the controller or processor for damage suffered; (vi) redress before the UK courts under the Human Rights Act; and (vii) redress before the European Court of Human Rights for violations of the European Convention on Human Rights.
Surveillance by public authorities – General
- Government access has to be legal and is subject to oversight: Government access in the UK must be carried out in full respect of the law and in compliance with the European Convention on Human Rights. It is also subject to the limitations of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') and the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108+'). Specific data protection safeguards and rights are guaranteed by the Act when data is processed by public authorities, including by law enforcement and national security bodies.
- Additional protection from Cabinet Minister certificate: The Commission cites the option for a controller to receive a certificate signed by a Cabinet Minister or the Attorney General certifying that a restriction of such rights is a necessary and proportionate measure for the protection of national security, and the UK government guidance stating that any limitation to data subjects' rights for safeguarding national security must be proportionate and necessary. Any person directly affected by the issuing of the certificate may appeal to a court (the Upper Tribunal) against the certificate. The Tribunal may assess necessity, proportionality, and lawfulness, having regard to the impact on the rights of data subjects and balancing this against the need to safeguard national security.
Investigatory powers exercised in the context of national security
- Interception and access are carried out under law and supplemented by Codes of Practice: Under the UK Investigatory Powers Act 2016 ('IPA'), use of the powers to intercept communications, access communications data, and perform equipment interference is lawful only when carried out on the basis of a warrant or an authorisation. The IPA is supplemented by a number of statutory Codes of Practice, issued by the Secretary of State and approved by both Houses of Parliament.
- Use of bulk powers is limited to intelligence services: Only intelligence services may make use of bulk powers (i.e. bulk interception, bulk acquisition of communications data, bulk equipment interference, and bulk personal dataset) whereas national security agencies and certain law enforcement authorities are allowed only targeted powers (targeted interception, acquisition of communication data, retention of communication data, and targeted equipment interference).
- Intelligence agency must comply with general duties in relation to privacy: In deciding which investigation power should be used, the intelligence agency has to comply with the 'general duties in relation to privacy' listed in Section 2(2)(a) of the IPA, which include a necessity and proportionality test.
- The decision needs to be authorised by the Secretary of State and the independent Judicial Commissioner, who check whether the decision, e.g. to issue a warrant, complies with the necessity and proportionality principles, i.e. whether what is sought to be achieved by the warrant, authorisation, or notice could reasonably be achieved by other, less intrusive means.
- Retention and acquisition of communications data from telecommunications operators requires ex ante authorisation by an independent Judicial Commissioner, aimed notably at assessing the necessity and proportionality of the proposed measure, and normally does not concern personal data of EU data subjects transferred to the UK.
- Equipment interference by an intelligence service for data transferred to the UK would require a mandatory warrant.
Exercise of bulk powers
- Bulk powers do not equate to so-called 'mass surveillance' but rather incorporate limitations and safeguards designed to ensure that access to data is not given on an indiscriminate or unjustified basis.
- Bulk powers can only be used if a link is established between the technical measure that a national intelligence agency intends to use and the operational objective for which such measure is requested.
- Bulk powers are always subject to a warrant issued by the Secretary of State and approved by a Judicial Commissioner.
- Bulk interception is limited to overseas-related communications: A bulk interception warrant is limited to the interception of communications in the course of their transmission that are sent or received by individuals who are outside the British Islands, so-called 'overseas-related communications,' as well as other relevant data, and the subsequent selection for examination of the intercepted material.
- The Secretary of State can issue a bulk warrant only on an application made by the head of an intelligence service. A warrant authorising bulk interception or bulk equipment interference may be issued only if necessary in the interests of national security and also proportionate. There must be a link between the measure sought and one or more operational purposes, which must be included in the warrant.
- The Secretary of State's decision to issue the warrant must be approved by an independent Judicial Commissioner, who reviews the Secretary of State's assessment of the necessity and proportionality of the proposed measure, applying the same principles that a court would apply in an application for judicial review.
- If the Judicial Commissioner refuses to approve, the Investigatory Powers Commissioner can be involved: The Secretary of State may either: (i) accept the decision and therefore not issue the warrant; or (ii) refer the matter to the Investigatory Powers Commissioner ('IPC') for a decision (unless the IPC has made the original decision).
- The warrant must have a duration of a maximum of six months and any decision to renew or modify (except minor modifications) the warrant must be also approved by a Judicial Commissioner.
- If intercepted material is to be sent to a third country, the Secretary of State must ensure that arrangements are in force to provide safeguards on the retention and disclosure of material obtained under the warrant, and that similar safeguards on security, retention, and disclosure exist in that third country.
- The ICO, the IPC, the Judicial Commissioners, and the Intelligence and Security Committee of Parliament provide oversight: Government access for national security purposes is overseen by a number of different bodies: the ICO, the IPC and the other Judicial Commissioners, and the Intelligence and Security Committee of Parliament. The IPC can also carry out ex post oversight.
- Redress is possible through: (i) a complaint to the ICO; (ii) compensation for damage from the controller or a processor; (iii) the Investigatory Powers Tribunal, which has been recognised by the European Court of Human Rights as 'a remedy available in theory and practice, which is capable of offering redress to applicants complaining of both specific incidences of surveillance and the general Convention compliance of surveillance regimes;' and (iv) redress under the Human Rights Act and the ECHR.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia