This morning the CJEU issued its long-awaited ruling on the “Schrems II” case. Of all the ways it could have gone, the ruling was the best possible outcome where privacy is concerned, and in many ways, where the Brexit transition is concerned too, particularly with SCCs.
In my view, however, the ruling’s invalidation of the Privacy Shield system carries a warning shot for the UK regarding its approach to securing a data protection adequacy agreement.
The UK is a Five Eyes partner with a less-than glorious history of its own domestic surveillance issues. We were, as I have said for years, barely an adequate country in terms of domestic surveillance while within the EU. To secure adequacy, the UK’s privacy practices will need to be better outside the EU than they were in it.
Where does this go next? Trade deals. After all, the UK is trying to align itself closer to the US system – no Federal privacy law, a highly politicised debate on intermediary liability, and open threats to encryption – than to the EU system. What the UK compromises now also compromises the integrity of the web.
For now, if you send EU data to the UK, I would strongly advise securing standard contractual clauses ahead of the Brexit transition deadline. You can no longer assume the UK will be granted data protection adequacy. Not after today.
This is important, because the Minister for Digital recently set out securing adequacy as a pillar of the UK’s upcoming digital strategy. This change of tone came after Boris bombastically declared in February that the UK would go their own way on data. If that digital strategy isn’t going to fall over before it begins, government must work with the tech sector, cluster groups, civil society, and tech policy bodies to iron these issues out, understanding the implications for both the economy and human rights if they don’t. Let’s get to work.