Another EU court ruling leaves data adequacy in doubt after Brexit

While rows over fish and state aid dominate the Brexit negotiations, a new European Court of Justice (ECJ) ruling is a reminder that data is also causing a considerable headache.

The ECJ has ruled that the indiscriminate collection of communications data for national security purposes undermines citizens’ fundamental rights as enshrined in the EU’s Charter of Fundamental Rights. The ruling, in a case originally brought by the digital rights group Privacy International against the UK government, builds on a similar ruling in a 2016 case originally brought by former Brexit secretary David Davis over the bulk collection and retention of personal data for the purpose of tackling crime.

This comes at an inconvenient time for the UK government. The ruling highlights issues with the UK’s data protection regime and weakens its case for a ‘data adequacy’ decision – where the European Commission recognises a country as providing a comparable level of protection for personal data as the EU, making it possible for data to pass freely between that country and the EU without additional safeguards – before the end of the transition period. This may not perturb some in the government with Dominic Cummings, Boris Johnson’s chief adviser, expressing a desire to break away from "idiotic" EU data protection rules that reflect an undue "hostility to technology and entrepreneurs", and to escape the influence of the ECJ on UK intelligence services. But the government’s stated aim remains to secure ‘adequacy’ – and for good reason, given the vital importance of free-flowing data to businesses, law enforcement agencies and others.  

Cross-border data flows underpin trade, law enforcement and more

The flow of personal data across borders is increasingly fundamental to modern life. Businesses are reliant on being able to transfer data about their customers between different countries to offer goods and services and to run internal processes such as cloud-based email or file storage. Police forces and judicial authorities share personal data to help tackle cross-border crime. And data sharing is also crucial in other areas, such as academic research and for supporting medical safety.

Data can move without restriction within the EU, as member states’ legal frameworks for protecting personal data are, in theory, harmonised. The UK has benefitted from this as a member state and during the transition period. But for data to continue flowing freely between the UK and EU from 1 January 2021, the European Commission will need to recognise the UK’s data protection regime as ‘fully adequate’. Without this, the UK will lose access to a range of EU databases for law enforcement cooperation, and organisations will have to put in place additional and potentially onerous legal safeguards at a significant cost, leaving UK businesses at a competitive disadvantage and subject to major disruption. Many businesses have already had to activate these contingency plans.

The EU has never given any guarantees of agreeing to data adequacy

Data minister John Whittingdale recently claimed he saw "no reason" why the UK would not get an adequacy decision. It is not clear where he was looking.

The ECJ has now ruled repeatedly that the bulk collection and retention of data by national security services, which is provided for in the UK under the Investigatory Powers Act 2016 (the so-called ‘Snoopers’ Charter’), contravenes EU law. European officials also have serious concerns about the onward transfer of information to close security partners – particularly members of the ‘Five Eyes’, such as the USA and Australia – who are not deemed ‘adequate’ by the European Commission in their own protection of personal data.

Politics, however, will play a part in any decision. Many EU businesses have an interest in data continuing to flow, with EU exports of data-enabled services to the UK worth approximately £42 billion in 2018 (exports in the other direction were roughly £85bn). EU interior ministers also have no desire to lose UK co-operation on policing and criminal justice. They are reportedly planning to revise the data adequacy requirements for law enforcement cooperation to make working with partners such as the UK easier in future, and even if no deal can be struck before the end of the transition they may push for the UK to be granted a ‘partial’ adequacy decision which covers law enforcement at a later date – especially if the consequences of losing UK collaboration prove to be severe.

The personal data question is not going away – with a continued role for the ECJ

But even if the UK secures an adequacy decision for Christmas, it won’t be a decision for life. It will be subject to legal challenge and vulnerable to being overturned by the ECJ – as has already happened to the US twice, first in 2015, and again in July this year, leading to significant uncertainty and disruption.

ECJ rulings will also continue to constrain the UK security services, at least when collaborating with EU partners or collecting data from European companies bound by those rulings – as Sir Julian King, former European commissioner for the Security Union, emphasised at a recent IfG event.

As well as casting further doubt over the UK’s chances of an adequacy decision, the latest ruling is a warning that the battles over who gets to use our personal data, and how, are only just getting started. And the ECJ will continue to be in the middle of the fray – however much Brexit was meant to be about taking back control.