Brexit and Data Protection: CJEU decision casts further doubt on adequacy decision
Thursday, 15 October 2020We recently updated you on the decision of the Court of Justice of the European Union (CJEU) issued in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II) and the impact this decision will have on data transfers to third countries. See our article of 17 July.
The UK will become a third country in January 2021. The Schrems II decision will have an impact on data transfers to all third countries including the UK. There has been a lot of uncertainty about whether an EU Commission adequacy decision would be made in relation to the UK. The effect of an adequacy decision would be that personal data could be sent from the EEA to the UK without any further safeguard being necessary.
However, another recent decision of the CJEU has cast further doubt on the possibility of an adequacy decision being made and suggests that transfers to the UK will need to be treated like a transfer to any third country post Brexit.
In Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others (Case C-623-17) the legality of legislation authorising the acquisition and use of bulk communications data by the UK security and intelligence agencies was challenged. The CJEU found that EU law precludes such legislation which does not lay down clear rules relating to the collection of the data.
Such a finding comes amid concerns expressed by the European Data Protection Board over the UKs agreement with the US relating to Access to Electronic Data for the Purpose of Countering Serious Crime.
While the position still remains uncertain all organisations should prepare for a situation in which no adequacy decision is made. The starting point is to identify all data transfers to the UK and to monitor the Data Protection Commission website for forthcoming clarifications on transfers to third countries.
For advice on what Brexit will mean for you and your business, please contact Sean O'Donnell, Zelda Deasy or Aislinn Cullen of our Data Protection Team or your usual ByrneWallace contact.