CJEU ruling puts EU-UK adequacy deal under pressure and puts free flow of data in doubt

During the Brexit transition period, data can be transferred from the European Union to the United Kingdom unhindered, as both the UK and EU are subject to the same General Data Protection Regulation laws. From 1 January 2021, the UK will no longer be a safe destination to which EU personal data can flow freely, meaning the UK’s data protection legislation must be approved by the European Commission in an “adequacy decision.” Following on from its ruling last month on Schrems II, the European Court of Justice (the Court) on Tuesday 6 October dealt a further blow to the UK’s assessment of adequacy.

The decision

The Court declared that the UK’s Investigatory Powers Act 2016 violated EU law and an individual’s fundamental rights to privacy, data protection and freedom of expression. The Court further determined that mass data retention and collection is illegal under EU privacy law, meaning the UK legislation that grants national security and intelligence agencies significant powers to retain individuals’ data is contrary to EU law.

The ruling stated that obligations on companies under privacy and electronic communications legislation to forward and retain data in an indiscriminate manner, including traffic and location data, are against EU fundamental rights where “there is no link between the conduct of the persons whose data is affected and the objective pursued by the legislation.”

The implications for business

To achieve an adequacy decision by December, it is likely that the UK will be required to reform its data protection laws and agree not to diverge from the EU’s data protection laws at the end of the transition period.

If the UK does not receive an adequacy decision, many UK businesses will face significant issues surrounding the transfer of personal data relating to their business, including that of employees, customers and suppliers, as UK businesses may not have a mechanism for transferring personal data to the UK. Following the Court’s recent decisions and the EU’s requirements, the UK’s chances of receiving an adequacy decision are getting slimmer.

How can we help?

If you have questions about your business's data protection obligations, please contact a member of our specialist Data Protection & Cyber Security team.
