See below for the latest Data Blast from our legal team: European regulator finds that UK-US data agreement may be a hurdle for post-Brexit data flows; Lithuania and Norway each suspend Covid tracing apps over location data concerns; Regulator finds that Clearview AI facial recognition service is likely to be illegal in Europe...

UK-US data agreement puts post-Brexit adequacy decision at risk

On June 15th, the European Data Protection Board (EDPB) wrote an open letter to the members of the European Parliament (MEPs), explaining that the UK may fail to achieve a post-Brexit data adequacy decision if its data protection agreements with the United States remove certain vital safeguards.

An adequacy decision is a legal mechanism that allows the European Commission (EC) to permit personal data transfers between the European Union (EU) and third countries. Effectively, achieving an adequacy decision would confirm that the UK’s data protection framework is equivalent to that of the EU.

According to the EDPB, a data adequacy decision, ensuring the ability to transfer personal data from the EU to the UK after the Brexit transition period, may be impossible if it cannot be shown that sufficient safeguards meeting EU standards are in place in the UK-US agreement on data access for criminal investigations. In its letter, the EDPB states that ‘the agreement concluded between the UK and the US will have to be taken into account by the [EC] in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of ‘onward transfers’ from the UK to another third country.’

Although this is a preliminary assessment, the EDPB expressed concerns as to whether the safeguards within the Brexit withdrawal agreement for access to personal data in the UK would apply to disclosure obligations to digital platforms operating in the US, and whether they would apply to US Cloud Act law enforcement requests for access to data.

As the EC is presently negotiating its own agreement with the US for allowing the sharing of information between law enforcement authorities, the EDPB affirmed that any such agreement must prevail over US domestic laws, and include adequate protections to safeguard EU citizens’ rights. As noted by the EDPB ‘this notably includes ensuring the continuity of data protection in case of onward sharing and onward transfers… the EDPB wishes to repeat its call for further improvements to the level of safeguards established by the EU-US Umbrella Agreement, for instance as regards the availability of judicial redress.’ The EDPB stressed the importance of including mandatory prior judicial authorisation for access to data, and pointed out that no such provisions had been identified in the UK-US agreement to date. If the EC elects to present a draft adequacy decision for the UK, the EDPB also confirmed that it will provide its own assessment in a dedicated opinion.

A UK adequacy decision post-transition period has become a contentious and important issue within the data protection community. Estimates by the UK government suggest that, in 2018, personal data-enabled services exports between the UK and EU were worth roughly £100 billion. Furthermore, as the import and export of goods and services between the UK and EU is heavily reliant on the free flow of information, the government has expressed a keen interest in achieving an adequacy decision quickly. However, an adequacy decision is dependent upon an EC examination of the UK’s data protection framework, and as such the final decision on the matter will ultimately be made in Brussels. That said, no one should assume data flows must stop without an adequacy decision: the flow of data can continue under suitable contractual terms. The adequacy decision makes everyone’s lives easier, but it is not the only way to stay compliant.

Lithuania suspends contact-tracing app

On May 25th, the Lithuanian data authority, the State Data Protection Inspectorate (SDPI) announced that it had suspended the country’s Covid-19 contact-tracing app, as the app’s personal data processing may have violated the General Data Protection Regulation’s (GDPR) principle of accountability.

The SDPI has undertaken an investigation into the contact-tracing app as a result of media coverage regarding the app’s collection and processing activities. Upon review of the data collected by the app, the SDPI decided that the Lithuanian health minister, the data controller, lacked the requisite accountability for lawful processing, which presented a risk to the rights of data subjects utilizing the app. The SDPI did not respond to a request for comment, and they have explained that no further information will be provided while the investigation is ongoing.

Local data protection experts believe the investigation was triggered by news coverage of the app’s data collection practices, and public opinion voiced by data protection practitioners in Lithuania. Specifically, concerns arose regarding the app’s collection of precise location data, when proximity data relative to other app users would have been sufficient for the app’s purposes. This suggests that the app will not be relaunched until these concerns have been remedied.

The app’s suspension, similar to the situation in Norway (outlined below), stems from concerns regarding privacy and location tracking of users, and whether the data collected goes beyond what is needed for its purpose.

Norway contact-tracing app suspended over privacy concerns

On June 15th, Norway’s health authorities announced that they had suspended Smittestopp, an app designed to track the spread of the coronavirus in the country, as a result of concerns regarding the invasion of user privacy.

Smittestopp was launched in April, and collected user location data to enable authorities to trace the virus’ spread, and to notify users if they had come into contact with a person who had tested positive for Covid-19. The app’s suspension follows an announcement by the Norwegian data protection authority (Datatilsynet) which warned that it would prevent the Norwegian Institute of Public Health from handling Smittestopp data.

Datatilsynet announced that, given the limited spread of the virus in Norway and Smittestopp’s limited effectiveness as a result of having so few users, the risk to data subjects’ rights from the app’s use was disproportionate, and risked invading their privacy. While the health authority expressed its disagreement with Datatilsynet’s conclusion, it agreed to suspend the app and delete all data collected.

Of Norway’s 5.4 million inhabitants, only 600,000 had downloaded the app, as its use was voluntary. Similar to the approach initially proposed for a tracing app in the UK, Smittestopp utilised a central data storage system, rather than a distributed approach with data held on users’ phones. The UK tracing app experienced considerable setbacks from its inception (covered here), and most recently has been abandoned in favour of a model developed by Apple and Google.

Clearview AI likely illegal under EU data protection law

On June 10th, the EDPB expressed its opinion concerning the use of Clearview AI’s facial recognition services, suggesting that its use by law enforcement would likely be illegal under EU data protection law.

Earlier this year, it was reported that Clearview AI, which scraped billions of social media photos from around the internet to enhance facial recognition technology, had provided its software services to hundreds of law enforcement bodies, including London’s Metropolitan Police. When asked by MEPs to comment on Clearview’s legality, the EDPB stated that it has ‘doubts as to whether any Union or Member State law provides a legal basis for using a service such as the one offered by Clearview AI…Without prejudice to further analysis on the basis of additional elements provided, the EDPB is therefore of the opinion that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regime.’

This announcement is unwelcome news for law enforcement bodies that have adopted Clearview’s technology, and comes amid growing concerns in Europe regarding the use of facial recognition technology (which we recently covered here).

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.