Op-Ed: “The EDPB Adequacy referential for the Law Enforcement Directive: the quest for more clarity for personal data transfers in a law enforcement context continues” by Laura Drechsler
Despite becoming applicable nearly at the same time as the General Data Protection Regulation 679/2016 (‘GDPR’), the Law Enforcement Directive 680/2016 (‘LED’) has so far lived a shadowed existence. There was in particular a notable absence of any activity concerning it from national data protection authorities and the European Data Protection Board (‘EDPB’).
This finally changed last week. On 2 February 2021, the EDPB published its first guidance ever on the LED – ‘Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive’ (‘Recommendations 01/2021’). With the topic of adequacy, the EDPB chose a complex area for its first recommendation for the law enforcement sector – namely that of international personal data transfers. As a reminder, the LED has a scope limited to law enforcement authorities processing personal data for police purposes (defined in Article 1(1) LED). Data transfers are not defined in the LED, and their precise meaning can be heavily debated. Presumably, any making accessible of personal data to actors outside the EU constitutes a transfer. Like the GDPR, the LED includes general principles for transfers (Article 35 LED) and three different avenues for them to take place: adequacy decisions, appropriate safeguards and derogations (Articles 36, 37 and 38 LED). In its recommendation, the EDPB now advises the Commission on one of these three avenues – adequacy decisions.
The advice on adequacy for the LED is very timely. With the United Kingdom (‘UK’) now out of the European Union (‘EU’), arrangements are required for all personal data flows. This means not just arrangements for the commercial area but also for the cooperation of law enforcement authorities. As has been discussed elsewhere, the Trade and Cooperation Agreement between the UK and the EU provides both sides with a four-month, plus two months, transition period to arrange for these data flows. From the perspective of the EU, this means that the Commission is required to conclude both a GDPR and a LED adequacy decision for the UK in that period.
So far, no adequacy decision for the purposes of the LED has ever been adopted. Doing so in respect of the UK would mark the very first time in the history of EU data protection law, that a specific adequacy decision for law enforcement has been taken. This situation leads to three substantial questions about LED adequacy decisions in general and the one for the UK specifically: first, to what extent do LED adequacy decisions resemble GDPR adequacy decisions, especially when it comes to the strict requirements set by the Court of Justice of the EU (‘CJEU’) in Schrems I (C-362/14) and Schrems II (C-311/18) about essential equivalence. Second, what are the elements the Commission should focus on when assessing a third country’s adequacy for the purposes of the LED. Third, when it comes to the UK, to what extent are the issues noted for GDPR adequacy decisions also affecting LED adequacy decisions.
In terms of the first question, the EDPB makes it very clear that the ‘standard of essential equivalence’ that Schrems I and Schrems II require for GDPR adequacy decisions also applies in the area of law enforcement (pp. 4-5). To take a step back, the standard of essential equivalence, as first declared by the CJEU, means that a third country or international organisation to whom personal data of EU data subjects are to be transferred needs to offer a level of protection for personal data essentially equivalent to that in the EU (C-362/14, paragraph 73). The level of protection in the EU is hereby composed of the secondary EU law (for the purposes of law enforcement – the LED) and the Charter of Fundamental Rights of the EU (‘Charter’).
The clear establishment of the standard of essential equivalence as a benchmark for transfers under the LED has as a consequence, that in light of Schrems II (C-311/18, paragraph 96), this is also the level to achieve with the other avenues for transfers under the LED, notably with appropriate safeguards (Article 37 LED). Unlike the GDPR which offers a myriad of appropriate safeguards, the LED offers only two – international agreements or self-assessed appropriate safeguards (Article 37(1)(a) and (b) LED). The second category requires EU law enforcement authorities to assess themselves whether a partner in a law enforcement cooperation has the right level of protection. With the confirmation of the EDPB of the standard of essential equivalence for LED transfers, the right level of protection must most likely be understood as an essential equivalent level of protection. Unfortunately, the EDPB does not confirm so explicitly in Recommendations 01/2021, though it has already done so for all the appropriate safeguards in the GDPR in another set of recommendations (Recommendations 01/2020).
The EDPB gives probably (and to some extent logically) most guidance in reply to the second question. It lists a number of elements the Commission needs to pay special attention to for law enforcement adequacy decisions. These elements bear close resemblance to the elements listed by the Article 29 Working Party in their EDPB endorsed adequacy referential for the GDPR of 2018. Concretely, the EDPB proposes two sets of elements. On the one hand a list of substantive elements overlapping with data protection principles of the LED (Article 4 LED) (Recommendations 01/2021, pp. 9-13). This is extended by a few elements that should apply in specific processing situations such as the processing of special categories of data, or profiling (p. 14). On the other hand, the EDPB provides a set of ‘procedural and enforcement mechanisms’, that are to ensure that essential equivalence is achieved both in theory and in practice (pp. 15-16).
From the perspective of the LED, the description of the different elements in the referential offers few surprises but also few insights. Mostly, the description is limited to citing the corresponding provisions in the LED, which gives the impression that despite the EDPB’s insistence that essential equivalence ‘does not require to mirror point by point the EU legislation’ (pp. 4-5), such a mirroring is essentially what is looked for. While a discussion of all the different elements of the referential would go beyond the scope of this Op-Ed, it is worth noting that the EDPB did not decide to follow more closely the approach of the CJEU in Schrems I and Schrems II. Both Schrems I and Schrems II verify the standard of essential equivalence via a fundamental rights assessment based on the Charter. Concretely, the CJEU finds in both cases that there were interferences with EU fundamental rights caused by the transfer, and then assesses whether such interferences could be justified using the criteria of Article 52(1) Charter, especially under the viewpoints of essence and proportionality. The EDPB’s assessment does not really link up with this approach of the CJEU. While the EDPB mentions the elements of Article 52(1) Charter briefly, when discussing what standard of adequacy needs to be achieved under the LED (pp. 7-8), it does not link them back to the different substantive and procedural adequacy elements. It would be worth assessing in future research whether these adequacy elements address the issues noted and addressed by the CJEU on the basis of Article 52(1) Charter.
Finally, perhaps not very surprisingly, the EDPB offers very little insight into how their different elements for adequacy would work in the specific case of the UK. This is understandable, as the EDPB has intended the LED adequacy referential as a general guidance for all future adequacy decisions (though it is not known whether any other country is even considered for LED adequacy). It is also regrettable though, as commentators have already raised several issues for GDPR adequacy that also seem applicable to the law enforcement space. Among them, the close relationship between the UK and the United States could in particular create headaches for LED adequacy. With the UK being a third country, any transfer from a UK law enforcement authority to the US would qualify as an ‘onward transfer’. As also noted by the EDPB, such onward transfers need to be especially secure under the LED (p. 13). They always need the authorisation of the authority in the Member State in the EU the data originated from (Article 35(1)(e) LED). In practice, it should mean that there can be no sort of seamless access by US authorities to data coming from the EU that is held by UK law enforcement authorities.
To conclude, while the EDPB clarifies some issues in its adequacy referential, much doubt remains. By choosing the same approach as for the GDPR adequacy referential, the EDPB endorses that both instruments are linked in the transfer area by the standard of essential equivalence. This confirmation of the standard of essential equivalence for the area of law enforcement transfers is to be welcomed, but further guidance is now required for appropriate safeguards under the LED. Moreover, there is a certain discrepancy between the approach of the EDPB for essential equivalence explained in the referential and the one laid out by the CJEU in Schrems I and Schrems II, the consequences of which require further assessment.
Finally, whether the UK will achieve LED adequacy remains an open question. It is to be hoped that the Commission’s assessment of the UK for GDPR adequacy does not completely take away all resources from the LED adequacy decision. The issue of potential access by US authorities to data held by UK law enforcement authorities originally transferred from the EU in particular must not fall through the cracks.
Laura Drechsler is a PhD researcher funded by FWO at the Vrije Universiteit Brussels. Part of her research focuses on data transfers under the LED, in the context of which she has published ‘Comparing LED and GDPR adequacy: One standard two systems’ (Global Privacy Law Review 2020) and ‘Wanted LED Adequacy Decision’ (International Data Privacy Law 2021).