Our British friends have cut ties with the European Union. As a result, the GDPR should no longer apply after a transitional period. Personal data that used to circulate freely will be subject to new rules if the European Commission takes an adequacy decision in favour of the UK. After the two failures before the Court of Justice of the European Union and confronted with the contradiction of the ‘Cloud Act’, the Commission is taking a fearsome path.
In its Article 45, the GDPR provides for the conditions under which personal data may be transferred outside the Union. This is the case when the Commission has established that the target country offers an adequate level of protection.
It is precisely because of a lack of adequacy that the CJEU successively sanctioned the ‘Safe Harbor’ decision (ruling C-362/14 of 6 October 2015, Maximillian Schrems v Data Protection Commissioner) and the ‘Privacy Shield’ decision (ruling C311-18 of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems), which authorised such transfers to the United States. The latter ruling was motivated by the interferences resulting from surveillance programmes based on Article 702 of FISA (1978) and EO 12333 (1981), which are not subject to requirements ensuring a level of protection substantially equivalent to that guaranteed by the Charter of the Union (Article 52).
The strict control exercised by the CJEU is to be compared with the very favourable remarks of Vĕra Jourová, European Commissioner, in the latest report of 23 October 2019 on the application of the Privacy Shield: “ With around 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning. We will continue the digital diplomacy dialogue with our U.S. counterparts to make the Shield stronger, including when it comes to oversight, enforcement and, in a longer term, to increase convergence of our systems.”
This means that the Commission will take extra precautions when it makes a new adequacy decision. The British case will give it the opportunity to apply the case law to one of the consequences of Brexit. Indeed, since 1 January, the United Kingdom is no longer in the Union. However, the Trade and Cooperation Agreement, signed on 24 December 2020, provides that the European General Data Protection Regulation (GDPR) shall remain applicable in the United Kingdom on a transitional basis for a maximum of 6 months.
As of 1 July, transfers will have to be based on an adequacy decision. Given the arguments put forward by the CJEU in its latest ruling, how can we assess the impact of the bilateral agreement adopted by the United States and the United Kingdom under the Cloud Act in October 2019? We know how much this text is at odds with the GDPR.
The adequacy decision is based in particular on the international commitments undertaken by the recipient country and the rules it applies on the onward transfer of personal data to another third country. The Cloud Act is therefore a major obstacle to an adequacy decision for the benefit of the UK, unless it were to renounce the 2019 agreement. Otherwise, the GDPR would be rendered meaningless. A Schrems III trial would be inevitable. The UK will have to meet conditions imposed by the EU, otherwise the transfer of data could be jeopardised.