pascal-croweThe Investigatory Powers Act, also widely known as the Snooper’s Charter, received Royal Assent on 29 November, 2016, and thus is now law. However, 2016 also saw the General Data Protection Regulation (GDPR) being approved by the EU Parliament in April. Pascal Crowe, postgraduate student at the LSE, attended a recent conference organised by Alison Harcourt of the University of Exeter on the future of data protection and privacy policy between the EU and the UK. Here, he explains in which ways the Investigatory Powers Act and the GDPR are in conflict with each other.

One of the most interesting conclusions of the conference was a point that has been given little thought until now. The GDPR will, if enacted, constitute the most comprehensive enhancement of individual digital rights and reform of digital customer protection law that the UK has seen so far. However, its enactment in the UK may frustrate the application of the controversial Investigatory Powers Act.

As a European regulation in the age of Brexit, one might question whether the GDPR will be enacted in the UK at all. The answer is that it is very likely, for two reasons: The first is simply a matter of timing – GDPR will come into force across Member States on 25 May 2018, well before the projected Brexit date of summer 2019. The second is a consumer protection issue – companies from outside the EU that are handling EU citizen’s personal data must conform to the standards outlined in Article 75, or risk sanctions (either 20m EUR, or up to 4% of global turnover). These standards are very similar to those to which EU companies will have to adhere to anyway. The clearest path for the Government in avoiding such an outcome for British companies is to adopt the GDPR.

In seeking to grow the digital economy, the Government will surely want to avoid policy choices that prioritise ‘data nationalism’ by refusing to comply with the increasingly international data privacy standards and trust standards that underpin the functioning of the digital economy. Therefore, in a time of economic uncertainty where one of the few growing sectors nationally is the digital economy, it is highly unlikely the UK government will reject implementing GDPR in the first instance. However, this also means that UK citizens would, for the meantime at least, have the same digital rights as EU citizens. It is this that will conflict with the Investigatory Powers Act.

In its capacity as consumer protection law, the GDPR will endow citizens with new digital rights and requirements, such as the right to erasure (‘to be forgotten’), and the need for companies to gain clear and affirmed consent to use their personal data. While the UK did not implement article 2 of the Data Protection Directive (previous EU legislation on this topic), the GDPR states in article 7 that consent must be freely given. Organisations are not allowed to use personal data for a purpose secondary to that for which this consent was given without notifying the data subject, who may choose to then withdraw this consent.

This will directly conflict with some of the new powers conferred on the state by the Investigatory Powers Act. For example, a data retention notice can be served on a telecommunications provider which orders them to generate or obtain and retain communications data from users. Any company that does not inform citizens of this will be breaking a law, and if they do, who would consent to it? This throws pre-existing monitoring arrangements under scrutiny as well as those in the new Investigatory Powers Act.

There is a list of exemptions for the proper processing of personal data in GDPR, in Article 2 paragraph 2. This includes investigating criminal offences. But the Investigatory Powers Act does not apply exclusively to criminal acts. Additionally, a large part of its controversy has been with its lumping together and treating the online communications of terrorists and paedophiles with those whose crimes are far less severe. There is a serious lack of clarity over which law would take precedent.

Enacting the GDPR to its fullest extent would therefore place the Government in a legislative conflict of interest. No doubt GDPR may be opposed by Brexiteers, and the ‘Snoopers Charter’ by civil liberties groups; the two may even overlap. The conflict between the Investigatory Powers Act and the GDPR might not result in a complete binary ‘either or’ decision. However, the government will have to decide on its priorities: emphasizing the GDPR and thus prioritizing the growth of the British digital economy, or emphasizing the Investigatory Powers Act and therefore increasing the level of surveillance in the UK in the name of national security.

This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.