With the existing data protection regime based on EU law, and in light of the fact that the recently finalised General Data Protection Regulation comes into force in less than two years, what will Brexit mean exactly for data privacy, asks Gareth Raisbeck.
Days after the UK voted to leave the EU, the Information Commissioner’s Office (ICO) hosted its annual report launch. At the event, Information Commissioner Christopher Graham said: ‘Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.’
The referendum result has put the proverbial spanner in their collective works somewhat.
The Data Protection Act 1998 (DPA 1998) has become standard fare, familiar to almost everyone since its implementation. I am going to focus here on principle 8: ‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’
The definition of ‘adequate level’ is the crux of the principle.
For certain countries, the EC has confirmed adequacy under article 25(6) of EC Directive 95/46/EC (the Data Protection Directive (DPD)).
The most significant other (or third) country is, of course, the US.
Unlike the UK, the US federal (and, indeed, state) legislatures have a typically American laissez-faire attitude, avoiding intervention in business or market practices where possible.
The US has no overarching data protection legislation, and instead relies upon industry-specific legislation or self-regulation. There is no specific personal data protection legislation akin to the directive or emanating national legislation.
Unsurprisingly, data processors within the US were wholly unaccustomed to EU-style regulation. Without any appropriate regulation, European personal data could not have been processed there, creating significant administrative issues for international corporations primarily based in the US.
The EU-US solution was the ‘safe harbour’ agreement, whereby US firms would be required to self-certify that they would adequately protect personal data emanating from the EU.
Rather unsurprisingly, the agreement was challenged in 2015 by an Austrian data protection campaigner, who contended that his personal data held by Facebook was inadequately safeguarded in the US owing to the ability of governmental agencies, such as the National Security Agency. Following proceedings in Ireland (where Facebook’s European offices were based), the Grand Chamber ruled that the safe harbour agreement was invalid.
This judgment caused quite a stir, but where it applied, it was easily circumvented. Article 26 of the DPD permits processing in a third country if the data subject provided ‘his consent unambiguously to the proposed transfer’, among other loopholes. Appropriate contractual clauses could also resolve the issue.
The EC responded on 6 November 2015, with what I believe are a set of solutions. In essence, carefully considered changes to terms and conditions would probably suffice and American firms could continue as before. However, the US was no longer the approved realm of ‘adequate’ data protection for EU personal data that it once was.
The privacy shield
Negotiations took place between the US and EU to produce the US-EU Privacy Shield, which was approved on 26 July 2016.
This, in essence, replaces safe harbour, providing assurances that indiscriminate monitoring of EU citizens’ personal data will not take place, and that a US-based ombudsman service will hear complaints by EU citizens on data protection spying issues. Whilst welcomed, Dr Paul Bernal of the University of East Anglia remarked that the shield was ‘almost certainly inadequate’.
A ‘best of a bad situation’, you may say.
The General Data Protection Regulation
The importance of the US’ position becomes clear when we consider the newly drawn General Data Protection Regulation (GDPR), which was passed on 27 April 2016. The Regulation’s explicit purpose is to:
- increase the effectiveness of the fundamental right to data protection;
- put individuals in control of their data;
- enhance the internal market dimension of data protection; and
- establish a comprehensive data protection framework covering all areas.
As a Regulation and not a directive, it does not require national implementing legislation and applies directly from 25 May 2018, following a two-year transition.
From a UK perspective, the first thing to note is that article 50 of the Treaty of Lisbon has not been invoked. The two-year time period for extricating the UK from the EU has not commenced and, on that basis, the UK will be subject to the GDPR proper at the end of the transition.
Whilst this is likely to be only an interim period, the mere fact that enabling legislation is not required may cause necessary regulatory shifts in the UK to allow for implementation. (This is, of course, unless the UK otherwise negotiates an alternative with the EU in the interim.)
In a vacuum, assuming the UK has already exited by 25 May 2018, the Regulation will not directly apply to the UK. There would be no direct application or possible intervention by the EU.
However, this is not the end of the story.
What happens next?
Under the DPD, the US is at a disadvantage following the collapse of safe harbour. Whilst suitable loopholes and caveats (and now the privacy shield) would permit certain organisations to transfer and process data across the Atlantic, other organisations are safe from intervention by data protection regulators owing to the scope of article 4 of the DPD.
Under the current regime, article 4 of the DPD sets out when national law on data protection applies to companies beyond EU borders.
Data protection legislation, such as the DPA 1998, only has effect where data processing occurs within a member state territory, where a member state’s national law applies, or where the data processor makes use of equipment (automated or otherwise) in a member state. The GDPR has a much further reach.
Paragraph 23 describes the increased scope of its regulatory power: ‘In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.’
Paragraph 24 confirms that the regulation equally applies to monitoring of EU citizens’ behaviour. The territorial scope, or jurisdiction, of the regulation is enshrined in article 3, GDPR.
In other words, the GDPR applies to companies processing data beyond the realms of the EU and applies to the US, and the UK, in an entirely different way. Compliance is, for better or worse, largely mandatory for companies wishing to conduct business in or with the EU.
Where does this leave the UK when dealing with EU citizens and, second, what is the likely future of legislative protection for the UK?
Safe harbour was not the safe haven it was believed to be. On that basis, continued permissible non-compliance with the GDPR, or piecemeal adoption of it, by the US or the UK is unlikely to be sufficient in the long term.
As Baroness Neville-Rolfe, minister for data protection, confirmed recently, the UK will have to provide an adequate level of data protection and ‘this will be a major consideration in the UK’s negotiations going forward’.
American attorney W Scott Blackmer, however, has said in a recent article on Brexit that the DPA 1998 and the Privacy and Electronic Communications Regulations may be enough in the short term to allow for adequacy in data privacy protection, as the EU is unlikely to revoke previously approved adequacy decisions for other extra-EU countries.
The UK is in a rather strong position in that it can achieve compliance with the GDPR (regardless of its application to the UK post-Brexit), thereby allowing the market to operate on a par and in compliance with EU law. This would permit and promote ongoing trade with the EU, and the continued transfer and processing of EU nationals’ data within the UK.
Baroness Neville-Rolfe said that: ‘On one hand, if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones.’ Any ‘replacement’ would not be necessary if the DPA 1998 were sufficient. This is, however, highly unlikely.
Sufficiency for GDPR purposes would evidently not be achievable without replacement or amendment of the DPA 1998. As such, I think that UK compliance – enforced or voluntary – with the GDPR, or the spirit of it, is vital for continued operational trade with the EU. Certainly, the government is unlikely to disadvantage UK businesses by creating a disparity that may be a barrier to trade.
However, as the Baroness quite rightly points out: ‘Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.’
The UK has been an integral negotiator of data protection legislation within the EU. Practicalities dictate that we are likely to either operate within the GDPR or at an equivalent level for a considerable time after 2018. The ICO seems to agree:
‘If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove “adequacy” – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.’
This seems entirely realistic and appropriate and this point is not, of course, restricted to data protection – it will no doubt apply to a plethora of consumer and commercial legislation. Simon Calder of The Independent stated shortly after Brexit that he did not believe that there would be any significant change to consumer legislation to which we have become accustomed under the EU.
Data protection is an area of significant regulation and will remain so, most likely in tune with Europe. The UK can now determine its own destiny, but must keep a keen eye on EU regulation and trade with the bloc. We have departed our seat at the table, but our laws must protect UK business – and to do so may well continue to require adherence to EU law. It certainly seems to in respect of data protection.
Data protection seminar: prepare and protect your organisation (28 September 2016)
This event will provide you with further clarification on the General Data Protection Regulation (GDPR), address the issues surrounding the impact of Brexit and highlight the key issues firms will have to consider during this transitional phase between the current regulation and the new framework. Civil Litigation Section members are entitled to book at the discounted rate of £200 + VAT.