UK-EU security cooperation after Brexit Contents

5EU data-sharing

Introduction

73.The EU’s data-sharing tools are a central aspect of Member States’ cooperation in policing and security, allowing for a wide range of information to be exchanged on a ‘real-time’ basis. This includes data on suspects wanted for arrest or questioning, stolen vehicles, missing people, criminal records, DNA and fingerprint data, and criminal offences and structures. These tools are underpinned by a number of EU legislative instruments, so the UK would need new agreements with the EU to retain access to them after the transition or implementation period—potentially as part of a wider security treaty, as the Government proposes. This Chapter explores key EU measures and tools, precedents for third country access, EU processes involved in exchanging data with non-Member States, and potential obstacles to achieving the Government’s aims.

74.The Government’s future partnership paper emphasised the value gained by the UK from the following tools:

75.Other data-sharing measures not referenced directly in the future partnership paper include:

The value gained from EU data-sharing measures

76.The Government has been emphatic about the value gained from these tools. Its future partnership paper states that law enforcement agencies’ ability to conduct “point-to-point” data exchange is “critical for developing lines of enquiry, identifying suspects and informing appropriate action”. It emphasises the importance to the UK of agreeing a future model of cooperation to “facilitate data-driven law enforcement”, and provides the example of a “prolific” child sex offender who fled the UK while on bail, who was arrested after being involved in a car accident in Cahors. He gave a fake name to French police, but was identified via a SIS II alert entered by UK law enforcement, and was returned to the UK to face trial and imprisonment.101

77.Law enforcement representatives were equally enthusiastic. David Armond, then Deputy Director of the NCA, told our predecessors in December 2016 that SIS II had been a “game-changer” for UK law enforcement, making 66 million records available to police officers via the Police National Computer. He said that the capabilities enabled by the Prüm decisions were “something we have been looking for” for a long time, and that biometric data are “fairly essential for us in knowing whether the subject we think is a terrorist subject is actually the guy who was found in Syria”.102 Deputy Assistant Commissioner (DAC) Richard Martin, the NPCC’s Lead on EU exit, emphasised the importance of ECRIS in assisting custody sergeants with pre-court bail decisions, based on previous convictions handed down by EU courts.103

78.Updated figures provided by the NCA in February demonstrate the extent to which the UK both contributes to and gains from EU data-sharing measures. In a letter from the Deputy Director General, Matthew Horne, we were told that:

79.Clearly, the UK’s ability to share data and intelligence with international partners is not limited to EU measures. As we have outlined, Article 4(2) of the TEU states that “national security remains the sole responsibility of each Member State”,105 and it is generally acknowledged that “core” intelligence sharing in the interests of national security—particularly between security services—takes place beyond the remit of the EU, at an inter-governmental level.106 For example, the UK’s participation in the “Five Eyes” arrangement with the USA, New Zealand, Australia and Canada was described by David Armond as “our closest intelligence partnership”,107 and the Policing Minister told us that it was “especially important” for counter-terrorism.108

80.Nevertheless, the evidence we received demonstrated the wide range of data made accessible to the UK through its EU membership—including vital intelligence linked to global threats such as serious organised crime, child sexual abuse, human trafficking and terrorism. The British Director of Europol, Rob Wainwright—who previously worked for MI5—said that he could “absolutely accept the vital importance of the intelligence co-operation that is done outside the EU framework”; but he argued that EU intelligence is complementary to other international arrangements:

The UK does a very good job of maximising its world-leading strength in the intelligence community while also receiving complementary capability from its access to EU and other police co-operation instruments. As a package it is formidable.109

81.Our predecessors pressed Mr Armond and DAC Martin on the potential risks posed to UK citizens and residents if British agencies lose access to EU databases. DAC Martin told us that “we have to have a really good intelligence picture” in order to “really identify threat, harm and risk in all its various phases, as it happens”. That picture is “a jigsaw put together from as many different sources as we can get”, including from overseas. Any curtailment in access to intelligence systems “may risk people hurting children or committing harm because we cannot put that picture together”. Some of the EU databases detailed in this report have only become available to the UK relatively recently. Nevertheless, Mr Armond’s view was that “I can’t honestly say to you that the risk wouldn’t increase if we no longer saw that material”.110

82.The UK’s “Five Eyes” partnerships are vital to its intelligence capabilities, demonstrating that the EU is not the only important partner in the fight against terrorism and serious crime. It is clear, however, that there can be no substitute for the criminal intelligence and data gained from the UK’s access to EU databases. Other existing data exchange mechanisms may complement access to EU tools, but they are not potential replacements for them. It is vital for both the UK and the EU that their future relationship allows for the continued free flow of data on criminal matters on a ‘real-time’ basis, including full access to the Second Generation Schengen Information System (SIS II) and other EU databases.

Existing third country models

83.Direct access to the databases outlined above is limited either to EU Member States exclusively, or to Member States and non-EU countries within the Schengen Area, which commit to shared rules on migration and border control. To summarise:

84.An analysis last year by Camino Mortera-Martinez from the Centre for European Reform argued that negotiating access to SIS “will not be easy”, because “There is no legal basis in the EU treaties for a non-EU, non-Schengen country to participate in Schengen”. She pointed to the EU Council’s refusal to allow the UK to access the Schengen-related Visa Information System, even from within the EU, and the 2010 CJEU ruling in favour of the Council, when the UK challenged the Council’s decision.

85.Giving evidence to us in January, the Policing Minister conceded that “there are areas in which we are in new territory”, but expressed hope that EU partners would take account of “the level of mutual interest in this and the degree to which the UK is a valid player inside those systems”. He highlighted the fact that, in 2016, “the UK shared over 7,400 intelligence contributions relating to serious organised crime and counterterrorism” with EU partners. The Home Office’s Europe Director, Shona Riach, said that the Government is seeking “something that is fundamentally different from existing precedent because the UK is starting from a different place”.114

Retaining access to EU data after Brexit

86.The Policing Minister also confirmed to us in January that it is the Government’s intention to “stay in all of the existing information databases”.115 The Government’s future partnership paper acknowledges that the legal framework underpinning law enforcement cooperation between the UK and the EU will no longer apply after Brexit, and states that future arrangements should enable sustained cooperation “across a wide range of [ … ] structures and measures”. It then lists “the types of capability that a future partnership should encompass”, starting with “data-driven law enforcement”. It goes on to describe “point-to-point data exchange” as “critical for developing lines of enquiry, identifying suspects and informing appropriate action”, and provides the most detailed arguments in favour of retaining access to SIS II. ECRIS is not mentioned, but the paper refers to the “systematic nature of exchange of information such as criminal records”, stating that it can “help to deliver fair and robust justice”.116 On that basis, it can be inferred that the Government wants to include ongoing access to EU data-exchange measures in its proposed security treaty.

87.Without a relevant agreement between the two parties, it seems clear that the default or ‘fall-back’ position would be that access to these databases would cease after the transition or implementation period. Article 7 of the Commission’s draft withdrawal agreement states: “At the end of the transition period, the United Kingdom shall cease to be entitled to access any network, any information system, and any database established on the basis of Union law”.117 The draft agreement provides for ongoing data exchange and access to JHA measures during transition, as outlined in Chapter 2.

88.The EU has a specified process to allow third countries to share data with Member States on criminal and judicial matters. Those agreements are underpinned by Chapter V of the Law Enforcement Directive, which states:

Member States shall provide that a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.118 [emphasis added]

89.According to that Directive, the Commission will consider an extensive number of elements when assessing so called “data adequacy”. These include the rule of law, respect for human rights, rules for the onward transfer of personal data to another third country or international organisation, and “relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data”.119 There are some provisions in the Law Enforcement Directive for transfers to a third country without an adequacy decision, but these are much more cumbersome,120 and require a “legally binding instrument” to provide for “appropriate safeguards”. Without these safeguards, transfer may only take place under strict criteria, such as for the “prevention of an immediate and serious threat to public security of a Member State or a third country”.121

90.The latest European Council draft negotiating guidelines, set out on 7 March 2018, stipulate that personal data protection in the future relationship will have to be “governed by Union rules on adequacy”, to ensure “a level of protection essentially equivalent to that of the Union”.122 On this basis, the UK will need an adequacy decision in order to retain the level of data exchange it seeks after Brexit. Sir Julian King told our predecessors that “there is no basis for personal data being shared between an EU member state or at least an EEA country and a non-EEA country, other than a data adequacy agreement”.123 Lorna Woods, Professor of Law at University of Essex and an expert in data protection law, told us that an adequacy decision would be “the obvious way to go” to maintain data exchange after Brexit.124

91.The Government also acknowledges that an adequacy decision is the best course of action, but it wants a tailored approach to adequacy. Its future partnership paper proposed a UK-EU model for data exchange which could “build on the existing adequacy model” to maintain a free flow of personal data between the UK and the EU. It wants this model to respect UK sovereignty, including “the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection”, and for it to provide for “ongoing regulatory cooperation between the EU and the UK on current and future data protection issues”, including a role for the UK Information Commissioner in EU regulatory fora. The Government also wants to ensure that flows of data between the UK and third countries with existing EU adequacy decisions can “continue on the same basis after the UK’s withdrawal, given such transfers could conceivably include EU data”.125

92.We agree with the Government that the sharing of criminal data must continue after Brexit, and that UK access to EU criminal justice and intelligence databases is extremely important for both the UK and the EU. At present, access to these vital databases is dependent on either EU membership or Schengen membership—there is no other precedent for third countries. We welcome the EU’s commitment to maintaining the UK’s current use of these measures during a transition or implementation period. After that, the Government has said that a new framework for data exchange on criminal matters will be needed, and we agree that this should form part of an overarching security treaty.

93.We note that EU position is to require a data ‘adequacy decision’ to be made by the European Commission, in order for EU countries and agencies to share law enforcement data in such a wide-ranging manner with a third country. Based on the evidence we have received, alternative models are likely to be more costly and onerous. The Government proposes a future arrangement for data exchange with the EU that builds on the adequacy model, including a role for the Information Commissioner. We welcome this proposal, but it remains to be seen whether the EU is willing or able to depart from its existing rules on data exchange with third countries in order to accommodate the UK’s wishes, and how long it will take to address some of the complex technical and legal obstacles. We urge the EU to show flexibility and not to confine its approach to existing models or arrangements, given the unique and leading role the UK has played in developing these databases and sharing information through them, as well as the clear shared interest in continued cooperation in this area.

Potential obstacles to data adequacy

94.Based on the adequacy process outlined above, the evidence that we have received suggests that the UK’s current compliance with EU data protection law is no guarantee of obtaining a data adequacy decision without encountering challenges, for a number of reasons:

95.This section examines each of these potential obstacles in turn, the first of which concerns the UK’s surveillance powers. According to the EU Law Enforcement Directive, an adequacy assessment on third countries will take account of legislation concerning national security, which may include the surveillance practices of the security services. As a Member State, the UK relies on the Article 4(2) national security exemption (outlined at paragraph 8) in order to exclude the activities of the security services from EU data protection law. As a third country, the UK will no longer be able to rely on this exemption.

96.Professor Woods told us that the Commission will “look right the way across the board, and the surveillance practices of the security services come into play as a third country”, whereas “they are excluded when we are a member of the EU because of the division of competence.” She noted that, as a third country, more of the UK’s practices will be subject to review than at present.126 The Deputy Information Commissioner, Steve Wood, also said that the Commission’s examination of UK surveillance law would “probably be the pinch-point” in the adequacy process.127 This may include EU scrutiny of the Investigatory Powers Act 2016—the most significant piece of surveillance legislation to be passed in recent years.

The Investigatory Powers Act 2016

97.The Investigatory Powers Act (IPA) provides an updated framework for the use of investigatory powers to obtain, intercept and retain communications and communications data. It lays out which powers can be used by different authorities, including the security services, law enforcement agencies and other public bodies, sets out statutory tests and safeguards for the powers contained within it, and creates a new Investigatory Powers Commissioner to oversee the use of those powers.128 Two aspects of the IPA have attracted controversy, and may cause issues for the Government in future: the retention of communications data (“data retention”) and the so-called “bulk powers” of the UK security services. This section outlines those powers, relevant recent and ongoing legal cases, and the challenges they may pose when the Government seeks some form of adequacy decision from the EU.

Data retention

98.The IPA allows the Secretary of State to require a telecommunications operator to retain relevant communications data for up to 12 months. The data may then be acquired by specific public authorities when certain proportionality tests are met.129

99.A recent ruling by the CJEU required the Government to amend these powers in order to comply with the EU Charter on Fundamental Rights. In December 2016, the CJEU ruled on the legality under EU law of the retention powers provided for by the IPA’s predecessor legislation, the Data Retention and Investigatory Powers Act 2014 (DRIPA).130 DRIPA included a ‘sunset clause’, so it effectively expired, but the same data retention provisions were provided for by the IPA. The CJEU ruled that EU law precludes national legislation that prescribes general and indiscriminate retention of data, and that derogations from the protection of personal data should apply “only in so far as is strictly necessary”, with the objective of “fighting serious crime”.131

100.In November, the Home Office launched a consultation on its proposed amendments to the IPA, with the aim of ensuring compliance with EU law. The consultation states that the Government is clear that “national security activities fall outside the scope of EU law and are not subject to the requirements of the CJEU’s judgment”.132 It proposes a new definition and threshold of “serious crime” in relation to communications data, to cover offences “capable” of attracting a custodial sentence of six months or more, and the creation of a new Office for Communications Data Authorisations to authorise communications data requests.133

101.The Home Office’s submission to this inquiry stated that its proposals are consistent with the EU Charter of Fundamental Rights, noting that there is “broad agreement across Member States that data retention is a vital tool in investigating crime and safeguarding the public”.134 But it also referenced an upcoming case which may have an impact on the UK’s regime: in Ministerio Fiscal, a Spanish court has requested a CJEU judgment regarding the definition of ‘serious crime’ as a justification for data retention.135 Depending on the outcome, this may lead to further amendments to the legislation in due course.

Bulk powers

102.The second set of IPA powers relevant to an EU adequacy decision are the so-called “bulk powers”, exclusively used by the security services. These enable MI5, MI6 and GCHQ to acquire large quantities of data for specified purposes, even when not associated with specific suspects.136 A review of these powers by the then Independent Reviewer of Terrorism Legislation, David Anderson QC, was published during the Investigatory Powers Bill’s passage through Parliament. This concluded that “bulk powers play an important part in identifying, understanding and averting threats”, and that, “Where alternative methods exist, they are often less effective, more dangerous, more resource-intensive, more intrusive or slower”. He said that the bulk acquisition power, which allows the security services to obtain “large amounts of communications data, most of it relating to individuals who are unlikely to be of any intelligence interest”, has “contributed significantly to the disruption of terrorist operations and the saving of lives”.137

103.The Government maintains that the CJEU judgment described above does not apply to the bulk powers, as a result of the Article 4(2) national security exemption.138 An upcoming CJEU ruling will address this further. In October, the Investigatory Powers Tribunal (IPT) made a referral to the Luxembourg Court for a ruling on whether the acquisition and use of bulk communications data by the security services falls under the scope of EU law.139

Implications for adequacy

104.The issues outlined above have two key implications for future UK-EU data exchange. First, regardless of the CJEU’s ruling in the IPT-referred case, which will apply to the extent of the Article 4(2) national security exemption for Member States, the EU Law Enforcement Directive makes it clear that the European Commission will examine legislation related to national security when making an adequacy decision. The Information Commissioner told us that the IPA is a “pinch-point” and a “vulnerability to achieving adequacy”. She added that “the closer we want to be and the more integrated we want to be in co-operative policing, [ … ] the more that we are going to have to pay attention to the European Union concerns” on data protection.

105.Second, even if the Commission makes a positive assessment of the UK’s data protection regime, any agreement between the UK and EU could be referred to the CJEU prior to EU ratification. Based on the evidence we have received, this has two major implications: first, it may be struck down on the basis of the activities of the UK security services, or the indiscriminate transfer of sensitive data on EU citizens. Second, it could cause significant delays to the ratification and implementation of the agreement concerned—which could be the proposed security treaty. Piet Eeckhout, Professor of EU Law at University College London, told us that “any negotiated agreement can be referred to the Court of Justice”, and that “We see increasingly there are more of these cases”.140 Professor Mitsilegas said that, due to the implications of security co-operation for the protection of human rights, “it is very likely that we will have a reference to the Court of Justice on any EU-UK security agreement”.141

106.The consequence of this is that the CJEU could end up having a more significant impact on UK data protection law once the UK is outside the EU than it does while the UK remains a member state. As a result, it is relevant to consider the Court’s recent rulings in relation to the exchange of data with third countries.

Relevant precedents for third country data exchange

107.There are no existing models for third country data exchange covering the degree of data-sharing in criminal justice that the UK will be seeking after Brexit. However, recent EU agreements over much more limited levels of data exchange with the US and Canada have encountered major legal obstacles, with the CJEU taking a strict approach to privacy and data protection rights. These rulings are relevant to the UK’s prospects of achieving an adequacy decision capable of standing up to the CJEU’s scrutiny.

EU-US ‘Umbrella Agreement’

108.In 2000, the European Commission made an adequacy decision permitting the exchange of data with the USA for commercial purposes—the so-called “Safe Harbour” decision. However, a landmark CJEU ruling on the transfer of data to the USA in the case of Schrems resulted in the striking down of this adequacy decision. In effect, it concluded that even the interests of national security were not considered sufficient for the bulk transfer of data without adequate protections. The implications of this ruling for the UK are significant. As outlined above, it demonstrates that even if the Commission considers the UK’s IPA powers to be permissible in the interests of national security, the CJEU may strike down any agreement between the UK and the EU if it regards it as a violation of Charter rights. Professor Woods told us that the Court’s view has been that “bulk collection of content data [ … ] undermines the essence of a right to privacy”, adding: “There are some things that are just not going to be acceptable.”142

109.The EU-US ‘Umbrella Agreement’ was formally signed in June 2016, taking account of the ruling in Schrems, to establish a “framework” for the protection of personal data in the field of law-enforcement cooperation. This nevertheless falls short of providing a lawful authority for the transfer of data from the EU to the US. It includes restrictions on retention periods and onward transmission of personal data, and provides EU citizens with the right to judicial redress before US courts.143 Even the safeguards afforded by the Umbrella Agreement may not be enough for all EU institutions, however. A leaked opinion by the European Parliament’s Legal Service concluded that the Agreement is “not compatible with primary EU law and the respect for fundamental rights”, because it does not allow non-EU citizens to seek judicial redress in the US, even if they are covered by EU law.144

EU-Canada sharing of passenger name records (PNR)

110.Canada’s experiences may hold further lessons for the UK. In July 2017, the CJEU ruled that a draft agreement between the EU and Canada on the sharing of passenger name record (PNR) data was not compliant with EU law, forcing both parties to return to the negotiating table. Professor Woods told us that the Court had particular concerns about the bulk transfer of sensitive data.145 The ruling states that “a transfer of sensitive data to Canada requires a precise and particularly solid justification, based on grounds other than the protection of public security against terrorism and serious transnational crime”.146 This suggests that, as far as the CJEU is concerned, the fight against terrorism and serious crime may not in itself be sufficient justification for the transfer of EU data to a third country.

111.It is not clear whether the Government is engaging with these potential obstacles to adequacy, although its future partnership paper on data protection does propose a data adequacy model that “respects UK sovereignty, including the UK’s ability to protect the security of its citizens”.147 When asked whether the Commission would look at the activities of the security services when making an adequacy decision, Shona Riach said that “National security is outside the EU data protection regime”, but that “the expectation would be that there would be consultation with the UK security services”. When asked whether the Government would prioritise bulk powers over access to EU data, she said: “we would not see it as a choice because the UK regime is fully in line with the EU regime on data protection”. The Policing Minister said: “I don’t necessarily recognise the choice but, even if we did, I am sure you would understand why we would not articulate it at this stage in the negotiation.”148

112.We agree with the Government that the UK should be aiming for a data adequacy model which would allow both for the continued transfer of EU criminal data (including access to the key databases) and for the existing surveillance and protective activities of the UK security services to continue. A negotiation process that pitted the national security operations of the UK security services against European cross-border policing and crime fighting would be in nobody’s interest, and we urge EU and UK negotiators to recognise this.

113.We are concerned about the implications for the activities of the UK security services if existing EU data adequacy processes for third countries are applied to the UK. We are also concerned about the risk of the CJEU striking down an adequacy decision, in the way that it has in relation to far less ambitious agreements with the USA and Canada. As an EU Member State, the UK can rely, to some degree, on the fact that national security remains an exclusive competency of Member States. As a third country, there is a significant risk that the UK’s surveillance and interception regime will be exposed to a new level of scrutiny by EU institutions, including capabilities that have enabled the security services to save lives and prevent serious harm. The Government must work closely with its EU partners to ensure that Brexit does not cause the UK’s surveillance powers to become a source of conflict, nor an obstacle to vital forms of data exchange.

114.These particular challenges posed by Brexit have received very little public attention to date. Based on the Minister’s evidence, we are concerned that the Government is not yet engaging sufficiently with the implications of an EU data adequacy assessment, nor preparing properly for such an assessment to take place. In addition, we believe that substantial contingency planning is required, in case this process takes considerably longer than the transition period, or in the scenario that it is not possible to achieve the UK’s objectives. The Government should be carrying out an impact assessment, in conjunction with the EU, of the consequences of failing to find a resolution to this important issue.

The EU Charter on Fundamental Rights

115.The second potential obstacle to data adequacy is the Government’s apparent failure to incorporate the data protection provisions of the EU’s Charter on Fundamental Rights into UK law. The Charter sets out, at a high level, a range of EU citizens’ civil, social, political and economic rights, and is legally binding on EU Member States. All EU legislation must respect the Charter, which is more extensive than the UK’s Human Rights Act. Article 8 of the Charter sets out the right to protection of personal data; its states that such data:

[ … ] must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.149

116.Clause 5(4) of the European Union (Withdrawal) Bill states that “The Charter of Fundamental Rights is not part of domestic law on or after exit day”.150 The Government has published a “Right by Right Analysis” of the Charter, in which it suggests that the Data Protection Bill will be the means of incorporating Article 8 into UK law.151 In response to a proposed amendment on Charter rights to the EU (Withdrawal) Bill, the then Justice Minister Dominic Raab MP said:

It is not required because the Data Protection Bill will set high standards for protecting personal data, linked to the General Data Protection Regulation. We will continue to maintain the highest standards of data protection after we leave the European Union.152

117.A recent report by the Joint Committee on Human Rights critiqued this analysis. It acknowledged that the Data Protection Bill contains “numerous rights for data subjects”, but stated:

[ … ] the Bill does not explicitly incorporate Article 8 of the Charter. Given the vast number of exemptions and derogations from these rights provided for in the Bill, there is a question as to whether the Bill offers protection that is equivalent to Article 8 of the Charter.153

118.In fact, there are concerns that the Data Protection Bill could itself stand in the way of an adequacy decision, which is the third potential obstacle that we have identified. The Bill includes exemptions to data subjects’ rights for the purposes of maintaining effective immigration control, or for the investigation or detection of activities that would undermine it. Liberty argued that this “removes all of the Home Office’s data protection obligations as they relate to its activities to control immigration”,154 although the Government states that the exceptions would only apply when the applications of data subjects’ rights would prejudice “the investigation or detection of activities that would undermine the maintenance of effective immigration control”. Defined in this way, the exceptions still have a wide scope, which could potentially cover significant forms of data about EU citizens in future.155 The Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), Claude Moraes MEP, claimed recently that this aspect of the Bill would “flout” EU protections on fundamental rights, lowering the UK’s chances of obtaining an adequacy decision.156

119.The Information Commissioner told us that her office has “always welcomed” the Article 8 Charter right, because it “recognises data protection as a distinct fundamental right not wrapped up into other rights”. She suggested that “reaffirming this qualified right to data protection in legal form would go a long way towards satisfying some of the concerns that our European colleagues have”, as well as ensuring protection for UK citizens, and that it would be “an important signal to both our citizens and to the European Union.”157

120.The Government has emphasised that UK data protection law will be consistent with EU law at the point of Brexit, but it has not fully incorporated EU data protection rights into domestic legislation. It claims that the Data Protection Bill contains the required provisions, but that Bill may in fact act as an obstacle to data adequacy, because it denies data protection rights to certain people subject to immigration controls—a scope sufficiently wide that it is likely to include EU citizens. Given the importance of a data adequacy decision for future law enforcement cooperation, we recommend that the Government incorporate Article 8 of the EU Charter of Fundamental Rights into UK law. It must also ensure that the Data Protection Bill contains adequate protections for all data subjects. This would provide some assurances to the EU that the UK will respect the data rights of EU citizens in future.

Onward transfer to Five Eyes partners

121.The fourth potential obstacle to adequacy relates to the UK’s relationship with its fellow “Five Eyes” partners, including the USA. The Information Commissioner highlighted the importance to the EU of the onward transfer of data to non-EU countries. She said: “I cannot emphasise enough [the importance of] getting our ducks in a row in terms of the onward transfer regime that we are going to have. [ … ] We have a lot of work to do, and it is practical work that really needs to start soon.”158

122.The CJEU’s ruling in Schrems (outlined above) highlights the acute sensitivities attached to any transfer of EU personal data to the USA. The UK and USA already have close intelligence-sharing arrangements, and media reports suggest that they are seeking to extend these further. Downing Street announced in February that the Prime Minister had spoken to President Donald Trump about data-sharing on serious crime and terrorism, and the US Senate is due to consider legislation to authorise the US Attorney General to enter into agreements to allow mutual compliance with court orders. The Prime Minister’s Office has indicated that the legislation would empower law enforcement officials in the USA and UK “to investigate their citizens suspected of terrorism and serious crimes like murder, human trafficking and the sexual abuse of children regardless of where the suspect’s emails or messages happen to be stored”.159

123.The UK benefits greatly from its Five Eyes intelligence-sharing capabilities, which may face new levels of scrutiny by the EU when a data adequacy decision is sought. It is essential that this cooperation continues in an effective way, and it is in the strong interests of both the UK and the EU to find a solution to this issue. Those relationships and surveillance capabilities need to operate with strong legal protections, but we agree with the Government that the exchange of intelligence data should take place within the UK’s own legal framework, beyond the scope of EU law. Nevertheless, the short period before Brexit does not allow time for a CJEU ruling against any plans for UK-EU data transfer. We recommend that the Government works proactively with EU institutions to ensure that the UK’s onward data transfer regime to the USA and other Five Eyes countries allows both for an EU adequacy decision and for the continuance of the existing Five Eyes relationship. We urge the EU to recognise the value of these parallel security relationships, and to work flexibly to come to an agreed solution.

CJEU jurisdiction

124.The fifth and final potential obstacle concerns the jurisdiction of the Court of Justice of the EU. In her recent speech on the future economic partnership with the EU, the Prime Minister acknowledged that the CJEU will determine “whether agreements the EU has struck are legal under the EU’s own law”, referring to the Schrems case as an example, and conceded that, “where appropriate, our courts will continue to look at the ECJ’s judgments, as they do for the appropriate jurisprudence of other countries’ courts.”160 Nevertheless, the Government has made it clear that the UK will no longer be subject to the direct jurisdiction of the CJEU after the end of the transition or implementation period.161 The Prime Minister’s Munich speech suggested that the Government may be willing to respect CJEU rulings in relation to specific areas of cooperation, such as Europol, but asserted that a “principled but pragmatic solution to close legal co-operation will be needed to respect our unique status as a third country with our own sovereign legal order”.162

125.There is some precedent for access to EU data without direct CJEU jurisdiction: non-EU countries within the Schengen area are not under its direct rule, but are able to access SIS II. This is not straightforward, however: Camino Mortera-Martinez has pointed out that, if there is a substantial difference between the CJEU and Norwegian, Icelandic or Swiss courts on the interpretation of one of their agreements with the EU, the agreement may be terminated. The courts of non-EU Schengen countries must also follow the case law of the CJEU when incorporating any aspect of the Schengen acquis into their own law.163

126.The Information Commissioner was not optimistic about the UK’s prospects of maintaining data-sharing on law enforcement without the jurisdiction of the CJEU. She said: “It is hard to think of how we could be outside of the scope of the European Court of Justice in terms of data protection for the data that are used and shared in that environment”. Professor Mitsilegas was similarly doubtful, stating: “I don’t think that full membership in databases or in agencies is possible without the full jurisdiction of the Court of Justice”.164 Professor Eeckhout and Sir Alan Dashwood agreed.165

127.The evidence we have received suggests that it may be very difficult for the Government to negotiate ongoing access to EU law enforcement databases while maintaining its ‘red line’ on the direct jurisdiction of the CJEU. The Prime Minister acknowledged recently that UK courts will need to take account of the European Court’s views on data protection, because the CJEU determines whether EU agreements with third countries are compliant with EU law. Even if an alternative dispute resolution mechanism is negotiated as part of a security treaty, or as part of the adequacy process, the CJEU’s rulings on the transfer of EU data to the USA and Canada—effectively striking down adequacy decisions made by the European Commission—illustrate that the UK cannot avoid the direct impact of the Court’s rulings in future.

128.Any comprehensive security treaty negotiated between the UK and the EU could be subject to referral to the CJEU prior to its ratification, to ensure its compatibility with primary EU law and the Charter of Fundamental Rights, even if the EU Commission is content with its provisions. As a result, the reality is that the UK will be unable to depart from EU data protection law after Brexit, nor from the rulings of the CJEU. Where data protection is concerned, the extent of CJEU involvement in any meaningful agreement between the UK and the EU means that it would be unwise to make the jurisdiction of the CJEU a “red line” issue in negotiations.

Timeline for adequacy

129.Subject to the outcome of the current stage of negotiations, the Government plans to maintain the status quo on data exchange during the transition/implementation period, adhering to EU data protection standards and accepting the jurisdiction of the CJEU during that time.166 But the number of complex legal issues linked to adequacy, and the time needed for ratification on both sides, cast doubt on the feasibility of achieving an adequacy decision before the EU’s proposed end date for transition in December 2020. The Information Commissioner said that it would be “really challenging”, because “On average it takes two years and is now more detailed and more wider-ranging [ … ] than it has been in the past.” She did point out, however, that when the USA and EU had to renegotiate a new arrangement after the Schrems ruling, “that was pretty darn quick. It was about a year”.167

130.Based on the evidence received, we have serious concerns about the number of potential obstacles to the UK achieving an EU adequacy decision within two years. The Government’s position—that the UK’s current compliance with EU data protection law should enable consistency after Brexit Day—takes no account of the different rules governing third countries’ access to EU data. At best, this response is evasive; at worst, it suggests that the Government is worryingly complacent about the UK’s future access to EU data. The Government must make necessary preparations for a long-term adequacy decision as early as possible in the Brexit process, to ensure that UK law enforcement authorities do not face a ‘cliff-edge’ in their ability to exchange data with their EU counterparts.


96 European Commission website, Schengen Information System, accessed February 2018

97 Home Office, Prüm Business and Implementation Case, November 2015

98 House of Commons Hansard, Vol 619 Col 961, Leaving the EU: Security, Law Enforcement and Criminal Justice, 18 January 2017

99 Europol website, Europol Information System (EIS), accessed February 2018

100 National Crime Agency written evidence (PSC009), 20 February 2018

102 Oral evidence taken on 6 December 2016, Q73

103 Oral evidence taken on 6 December 2016, Q36

104 National Crime Agency written evidence (PSC009), 20 February 2018

107 Oral evidence taken on 6 December 2016, Q43

108 Oral evidence taken on 23 January 2018, Q168

109 Oral evidence taken on 7 March 2017, Q166

110 Oral evidence taken on 6 December 2016, Q77

111 For example, the 2006 SIS II Regulation on border control states that “SIS II should constitute a compensatory measure contributing to maintaining a high level of security within the area of freedom, security and justice of the European Union by supporting the implementation of policies linked to the movement of persons that are part of the Schengen acquis, as integrated into Title IV of Part Three of the Treaty.”

112 Oral evidence taken on 6 December 2016, Q29

113 Council Decision 2009/1023/JHA, 21 September 2009

114 Oral evidence taken on 23 January 2018, Q159

115 Oral evidence taken on 23 January 2018

118 EU Directive 2016/680, 27 April 2016

119 EU Directive 2016/680, 27 April 2016

121 EU Directive 2016/680, 27 April 2016

123 Oral evidence taken on 28 February 2017, Q114

124 Oral evidence taken on 5 December 2017, Q75

126 Oral evidence taken on 5 December 2017, Q75

127 Oral evidence taken on 5 December 2017, Q76

130 Cases C-203/15 and C-698/15

134 Home Office written evidence (PSC0007)

135 European Criminal Law Academic Network website, Ministerio Fiscal, accessed February 2018

136 David Anderson QC, Report of the Bulk Powers Review, August 2016

137 David Anderson QC, Report of the Bulk Powers Review, August 2016

139 Privacy International v Secretary of State for Foreign and Commonwealth Office, Secretary of State for the Home Office, GCHQ, Security Service and Secret Intelligence Service: Order for a Preliminary Ruling request dated 17 October 2017.

140 Oral evidence taken on 5 December 2017, Q37

141 Oral evidence taken on 5 December 2017, Q57

142 Oral evidence taken on 5 December 2017, Q85

145 Oral evidence taken on 5 December 2017, Q90

148 Oral evidence taken on 23 January 2018, Q187

150 European Union (Withdrawal) Bill 2017–19, as introduced to the House of Lords (HL Bill 79),

152 House of Commons Hansard, Vol 631 Col 902, European Union (Withdrawal) Bill, 21 November 2017

153 Joint Committee on Human Rights, Legislative Scrutiny: The EU (Withdrawal) Bill: A Right by Right Analysis, 26 January 2018

155 Data Protection Bill [HL] Explanatory Notes (as brought from the House of Lords)

156 The Guardian (Claude Moraes), New UK data protection rules are a cynical attack on immigrants, 5 February 2018

157 Oral evidence taken on 5 December 2017, Q86

158 Oral evidence taken on 5 December 2017, Q96

163 Camino Mortera-Martinez, Hard Brexit, soft data: How to keep Britain plugged into EU databases, published by the Centre for European Reform, 23 June 2017

164 Oral evidence taken on 5 December 2017, Q58

165 Oral evidence taken on 5 December 2017, Q58

166 European Commission Article 50 Task Force, Position paper: “Transitional Arrangements in the Withdrawal Agreement”, 7 February 2018

167 Oral evidence taken on 5 December 2017, Q110




Published: 21 March 2018