Data protection has been high on Parliament’s agenda, with the Data Protection Bill, intended to bring UK law in line with the EU’s General Data Protection Regulation making its way through both Houses, and the House of Commons holding a debate on “Exiting the European Union and Data Protection”. The government has produced a “Future Partnership Paper” on the exchange and protection of personal data, and the House of Lords European Union Committee has reported on “Brexit: the EU data protection package”. Elizabeth Campion (University of Cambridge), writes that this flurry of materials reflects the importance of data to the UK’s economy today and in the future and the crucial importance to the UK’s future commercial success of maintaining high standards of data protection and the continuance of cross-border transfers after Brexit.
There appears to be a degree of complacency in the area data protection, based on the idea that UK law is identical to EU law and that the immediate recognition of this will prevent disruption in data transfers – and thus to business – on exit day. However, for a number of reasons which I outline below, UK law, in fact, deviates from EU law in a number of ways which tend to lower the standard of protection of personal data, notably in the areas of interception and surveillance. This is important because it places an obstacle in the way of obtaining an adequacy decision, the UK’s favoured strategy for avoiding post-Brexit difficulties with data.
It is estimated that much the UK’s trade in services – itself around 80% of the UK’s total economy – depends on the free flow of personal data. Around 75% of the UK’s cross-border data transfers go into and out of the EU. As an EU member state, the UK’s data protection laws are assumed to conform to EU standards, but EU law generally forbids transfers of data to third countries on the basis that their laws not been proven to provide adequate protection of personal data. If a large proportion of the UK’s cross-border data transfers become illegal on exit day as the UK becomes a third country, the effects will likely be catastrophic. There are ways around the prohibition for individual organisations, for example using Binding Corporate Rules or Standard Contractual Clauses when data is transferred, but these would entail significant supplementary administrative and financial costs and would impact disproportionately on SMEs.
The best way to avoid a fiasco therefore seems to be that the UK should seek an adequacy decision (or “new arrangements… which could build on the existing adequacy model”), which involves the European Commission confirming that the law of a third country provides “adequate” protection to the personal data of EU citizens’ data transferred there. As the process of assessment can take time and cannot begin until the UK is a third country, the reports also recommend transitional measures to avoid a “cliff edge” on exit day. In the government’s view, this should be relatively simple, as “the UK starts from an unprecedented point of alignment with the EU”. This is, to put it mildly, debatable.
Last year, the powers contained Data Retention and Investigatory Powers Act 2014 (DRIPA) were ruled by the CJEU to infringe the rights to privacy and data protection in the EU Charter of Fundamental Rights (“the Charter”). DRIPA has since been repealed and replaced with the Investigatory Powers Act 2016, which contains even wider and more intrusive powers than its predecessor, such that Eduardo Ustaran, a partner specialising in data protection law, has stated that it would be a “tall order” to convince the Commission that the Investigatory Powers Act is compatible with fundamental rights.
This discrepancy may become especially pertinent given the fact national security remains within the UK’s sole competence and outside the Commission’s purview while it is a member state of the EU, but may be taken into account during an adequacy decision. Thus the UK might effectively be held to a higher standard once it is a third country than it is as a member. However, it would be much easier to convince the Commission that the right to data protection will be protected if the UK were bringing the Charter into UK law alongside the rest of the entire corpus of EU law in the European Union (Withdrawal) Bill (“Withdrawal Bill”). The Withdrawal Bill specifically and explicitly excludes the Charter in clause 5(4), which is especially problematic given that GDPR is intended to provide the detailed implementation of Article 8 of the Charter. In clauses 7-9, the Bill confers powers on Ministers which extend to amending Acts of Parliament if this is expedient in implementing the withdrawal agreement or to remedy a “deficiency” in retained EU law. These powers could be used to amend the Data Protection Bill once it is on the statute book, and the lack of Article 8 in domestic law will only increase its vulnerability. This is unlikely to reassure external observers that EU standards of protection, as set out in GDPR, will be respected.
Even if the Charter is not part of UK law, we will remain parties to the European Convention on Human Rights (“the ECHR”), and data protection is an aspect of the Article 8 Convention right to privacy. However, UK practice in relation to mass surveillance will soon come before the European Court of Human Rights in the case of Big Brother Watch v the United Kingdom, raising the possibility that the UK be found in breach of the Convention as well as EU law in this area. It is also the government’s explicit policy to leave the ECHR after the next general election, in keeping with a history of anti-human rights rhetoric which runs counter to the EU’s own prioritising of rights.
It might be argued, in response to all this, that the EU does not generally require exactly identical laws or slavish adherence to judicial decisions when it is deciding whether adequate protection is provided. However, as Christopher Knight has noted, Jersey, Guernsey and the Isle of Man are interesting analogies to the UK. As Ruth Boardman, a witness before the EU Committee, cautioned, concerns were expressed about these three jurisdictions precisely because they resembled UK law. Even if an adequacy decision is secured, following the decision of the CJEU in Schrems, data protection authorities have both the right and the obligation to keep such a decision under review. While the UK wishes its influence – heretofore pragmatic and business-friendly – on EU policy to continue, even EEA states such as Norway have a passive observer role in policy-making bodies. If the UK continues in its hostility towards the CJEU and to international human rights instruments while the EU continues to legislate to promote individual rights, there will be an increased risk of drift and of UK data protection laws becoming inadequate by EU standards.
Ostensible, based on the substance of the law, adequacy decisions are in fact highly political, and particularly in the context of Brexit, the EU has time and negotiating power on its side in addition to the problems outlined above and the necessity – on both sides – of data transfers being able to continue after exit day. Whether this will be the area in which the UK will be forced to modify its hardline stance on issues such as the CJEU, human rights and even the sweeping powers contained within the Withdrawal Bill remains to be seen. What is certain, however, is that this is an even more important and more difficult area than seems to be recognised at present.
This post represents the views of the authors and not those of the Brexit blog, nor the LSE.
Elizabeth Campion is a trainee solicitor and paralegal pursuing an LLM degree at the University of Cambridge.