What does ‘Schrems II’ mean for EU-UK data flows?

Escaping the jurisdiction of the Court of Justice of the European Union has long been a battle cry of Brexit-supporting politicians and voters. However, the idea that the CJEU would no longer have influence over the post-Brexit U.K. was always fanciful, and the CJEU’s seismic judgment in the “Schrems IIâ€� case reinforces this point.

There are four ways in which the judgment impacts the U.K. and, specifically, EU-U.K. data flows.

First, U.K.-US data flows are immediately disrupted. Second, the U.K.’s room to maneuver in seeking unrestricted data flows with both the U.S. and the EU has been severely diminished. Third, an EU adequacy decision for the U.K. has been rendered less likely, though not impossible. Fourth, standard contractual clauses used to transfer data from the EU to the U.K. may be vulnerable in the long-term, resulting in serious disruption to EU-U.K. data flows if the U.K. fails to attain an adequacy decision. 

Current UK-US data flows

The judgment has an immediate consequence for current U.K.-U.S. data flows. Although the U.K. formally left the EU Jan. 31, nearly all EU law continues to apply in the U.K., including CJEU jurisdiction, until the end of the transition period Dec. 31.

This means that companies transferring data from the U.K. to the U.S. were able to rely on the EU-U.S. Privacy Shield until the end of this year. This is no longer the case following Privacy Shield’s invalidation. The “Schrems IIâ€� judgment immediately disrupts U.K.-U.S. data flows, and organizations will have to use alternative safeguards, like SCCs or binding corporate rules to remain compliant.

The UK is caught between the EU and US on data flows

Beginning Jan. 1, 2021, the U.K. will, in theory, have full autonomy over data transfers. The U.S. and U.K. governments had previously confirmed that after the transition period, Privacy Shield would continue to enable lawful U.K.-U.S. data flows, so long as certified U.S. organizations update their public commitments accordingly.

In fact, the U.K. has already “rolled over� all EU data adequacy decisions in its domestic law, via a 2019 Statutory Instrument that stipulated personal data can continue to be freely transferred from the U.K. to all countries that have received EU adequacy decisions, as well as all countries in the European Economic Area.

From a legal perspective, the “Schrems II� judgment does not diminish the U.K.’s future autonomy over U.K. third-country data transfers. Even following Privacy Shield’s invalidation, the U.K. could opt, as currently agreed, to continue using a Privacy Shield “replica� to govern U.K.-U.S. data transfers. (In a similar vein, the “Schrems II� judgment does not invalidate the Swiss-U.S. Privacy Shield as the EU has no formal power over this.)

However, if the U.K. does “roll over� Privacy Shield, this will undermine its prospects of receiving an EU adequacy decision, as the EU will be worried about onward transfers of EU citizens’ data from the U.K. to the U.S., via a mechanism that has been ruled invalid by the CJEU. The “onward transfers� issue is a pertinent aspect of EU adequacy determinations, such as the recent agreement with Japan.

The U.S., on the other hand, is pushing for unrestricted data flows in the negotiations with the U.K., and the U.K. is eager for a trade agreement. The U.K. is, therefore, caught between the EU and U.S. on data flows, and it must decide where its priorities lie. Although if the U.K. does not receive an EU adequacy decision, then it could be incentivized to liberalize data flows with the U.S.

UK adequacy on the rocks?

There are several reasons why the EU may not grant the U.K. an adequacy decision, such as the potential incompatibility of the U.K. Investigatory Powers Act with EU law and the “onward transfers� issue outlined above.

The “Schrems II� judgment does nothing to change the legal criteria for adequacy, and the CJEU did not rule on the U.K. However, the ruling will likely shift the political dynamic of the adequacy assessments. The European Commission, hoping to avoid another defeat in court, will assess the U.K.’s national security and surveillance architecture with renewed vigor.

Although many are convinced that the U.K. will fall short in the EU’s adequacy assessment, it is important to remember how flexible the commission has been in finding solutions that kept trans-Atlantic data flowing since 2000, not least following Safe Harbor’s invalidation in 2015. Furthermore, immediately after the “Schrems II� judgment, the commission emphasized the importance of trans-Atlantic data flows and its willingness to find a solution with the U.S. It is not unimaginable that the commission might be similarly pragmatic with the U.K. However, for political reasons, the “Schrems II� judgment forces the commission to be more rigid, and an adequacy decision for the U.K. is therefore rendered less likely.

In the long run, this judgment highlights the plausibility of any U.K. adequacy decision facing concerted legal challenges and ending up before the CJEU. Activists have been emboldened by the invalidation of Privacy Shield, although in a recent IAPP discussion Max Schrems joked that he is staying well clear of the “craziness� of Brexit.

The precedent set is that the CJEU is prepared to invalidate adequacy decisions if national security and surveillance legislation in the third country does not meet EU standards. As such, even if the U.K. were to rigorously apply and enforce the GDPR post-Brexit, attaining and retaining an adequacy decision cannot be guaranteed.

EU-UK SCCs are vulnerable in the long-term

Arguably the most important outcome of the “Schrems II” case is the upholding of all SCCs and the simultaneous imposition of a stricter system of reviewing, on a case-by-case basis, whether an SCC actually delivers adequate levels of data protection in practice. This judgment means that using SCCs to transfer data to any third country that is not able to provide equivalent levels of data protection to EU standards could become problematic.

The future of using SCCs to transfer data to the U.S. and other third countries very much depends on the future approach of the data protection authorities. Businesses will probably continue using SCCs until they are explicitly told otherwise, even if that may not be in the spirit (or letter) of the judgment. In an extreme scenario, the European Data Protection Board could suspend all data transfers to the U.S. based on SCCs. 

If the U.K. fails to attain an adequacy decision, the vast majority of businesses transferring data from the EU to the U.K. would seek to use SCCs. This alone would be a huge issue, as it will significantly increase the cost of doing business. However, if the U.K. was not recognized as adequate, then the concern would be that SCCs used to transfer data from the EU to the U.K. would also be unable to deliver an adequate level of protection. Depending on the approach of regulators and activists, SCCs could become vulnerable and face suspension.

This could particularly implicate “telecommunications operators� (e.g., internet service providers, social media websites, email and cloud service providers) most affected by Investigatory Powers Act notices. If SCCs cannot be used in the event of no adequacy decision, this will severely disrupt EU-U.K. data flows, with no obvious workaround.

The U.K. government was “disappointed� by the invalidation of Privacy Shield, and it is easy to see why. U.K. policymakers and businesses with an interest in data flows should pay close attention to the approach taken by the EU data protection authorities, EDPB and commission in the coming weeks and months, as this will be instructive for the U.K.’s fate.

Photo by Rocco Dipoppa on Unsplash