The House of Lords EU Home Affairs Sub-Committee published its report: Brexit: the EU data protection package on 18th July 2017, having heard evidence from the Rt Hon. Matt Hancock MP (Minister of State for Digital and Culture, Department for Culture, Media and Sport at the time of giving evidence), Elizabeth Denham, UK Information Commissioner, and experts from academia, representatives from the Home Office and representatives from the digital technology sector and legal practice.
The committee heard evidence on four legislative measures, namely the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US Privacy Shield and the EU-US Umbrella Agreement, in order to advise on the options available to the Government for securing uninterrupted data flows between the UK and EU after the UK leaves the EU.
The Government had already indicated in its White Paper on The United Kingdom’s exit from and new partnership with the European Union that it would “seek to maintain the stability of data transfers between the EU, Member States and the UK” and the committee fleshed out a two-fold rationale for ensuring unhindered and uninterrupted cross-border data flows between the UK and EU after the UK leaves the EU. The first is economic - trade in services accounts for 44% of the UK’s total global exports, and three quarters of the UK’s cross-border data flows are with EU Member States, so any arrangement that resulted in greater friction could present a non-tariff trade barrier that would put the UK at a competitive disadvantage. The second is policing/security - continued access to information and intelligence via cross-border flows of data is vital for UK law enforcement agencies.
In his evidence, Mr Hancock, MP, testified that the UK will implement the GDPR in full because the Government considers it a good piece of legislation and also because “we are keen to secure the unhindered flow of data between the UK and the EU post-Brexit.” However, the committee was critical of the lack of detail as to how the Government plans to deliver that outcome: “The Government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome. We were struck by the lack of detail in the Government’s assurances thus far.”
The best way forward – an adequacy decision
The committee heard evidence on the merits of two ways in which unhindered data flows could be facilitated, namely: (1) requiring individual data controllers and processors to adopt their own compliant safeguards in the form of model clauses or binding corporate rules, or (2) seeking an adequacy decision from the European Commission under Article 45 of the General Data Protection Regulation and Article 36 of the Police and Criminal Justice Directive that the UK provides an essentially equivalent standard of protection. The committee determined that the Government should seek an adequacy decision from the EU because it would be the most comprehensive and “least burdensome” option for businesses and, in particular, it would offer more stability and certainty for smaller businesses who could not easily absorb the legal costs associated with drafting and obtaining approval for model clauses.
Adequacy hurdle: Investigatory Powers Act 2016
Given that the UK will have implemented the GDPR prior to exit one might expect data to flow unimpeded and uninterrupted post exit. However, the UK will face a number of hurdles:
(1) Upon exit the UK will become a ‘third country’ for data protection purposes and it will have to seek an adequacy decision from the European Commission. This will not be immediately forthcoming since it will require a review of the UK’s legal framework by the European Commission, which is a time-consuming process. It has taken other countries, e.g. Canada and New Zealand, years to obtain an adequacy decision. Even if an adequacy decision could be issued quickly, e.g. within a matter of months, the UK would face a ‘cliff edge’ on the day of exit unless a transitional arrangement is put in place as part of the withdrawal arrangements.
(2) When considering an adequacy decision, the European Commission will look at the UK’s data protection framework in the round, including national security legislation. The UK will no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the UK’s data retention and surveillance regime is tested before the Court of Justice of the European Union (CJEU). Thus, the UK could find itself held to a higher standard as a third country than as a Member State. The UK is likely to struggle to obtain an adequacy decision because of provisions in the Investigatory Powers Act 2016 that permit bulk personal data collection and bulk retention of metadata: in a judgment regarding the UK’s Data Retention and Investigatory Powers Act 2014 (which contained similar provisions to those in its successor, the Investigatory Powers Act), the CJEU ruled that these measures were disproportionate and contravened individuals’ rights to privacy and data protection. Indeed, the UK Information Commissioner expressed concern that “it seems likely that the UK’s surveillance and data retention regime would be a risk for a positive adequacy finding.”
(3) Upon exit, the UK will no longer be party to Privacy Shield, which allows for the transfer of data between companies in the EU and US, or to a similar arrangement for law enforcement called the Umbrella Agreement. The UK will have to secure a fresh agreement with US authorities, and the committee warned that any suggestions that the UK would take “a lax approach” to onward data transfers to the US or elsewhere “would put [an] adequacy decision at risk”.
Overall effect: subject to continuing influence whilst losing ability to influence
Despite Prime Minister Theresa May’s pronouncements that European courts will cease to have influence after Brexit, the UK’s data protection laws will have to stay up to date with, and possibly change in response to, developments at the EU level in order to ensure dynamic and ongoing adequacy. The European Court of Justice (CJEU) is therefore going to continue to have an indirect effect on the way the UK’s data protection rules evolve. Some have speculated that the UK might want, over time, to forge its own data protection path. The committee speculated that, “In the longer term, it is conceivable that an international treaty on data protection could emerge as the end product of greater coordination between data protection authorities in the world’s largest markets.” However, industry representatives such as Antony Walker of TechUK were quick to point out that digital technology businesses (and any business that processes personal data) operating on a cross-border basis will want legal frameworks to be as harmonized as possible to reduce compliance burdens. He stressed that in the short-to-medium term the UK government would do well to “remember the size of the UK market versus the size of the European market”, and the importance of the UK’s trading relationship with the EU to the UK’s economy, and the fact that non-EU countries often establish themselves in the UK for the purpose of trading with EU member states, so that “we will have to do [data protection] very much in partnership with the European Union, rather than simply boldly striking out by ourselves and hoping others will follow.”
Indeed, all those giving evidence to the committee stressed the importance of maintaining a good relationship with the EU and expressed concern that the UK might lose its ability to influence data protection law and policy in the EU when it becomes a third country and ceases to have a place on the European Data Protection Board. To this end, the committee recommended that the UK government consider how best to replace those structures and platforms that have allowed it to influence EU rules on data protection and retention, and suggested that “It should start by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board,” as part of the withdrawal agreement negotiated.
Conclusions: no clean break
Whilst it is not yet clear what the UK’s trading relationship with the EU will look like after exit, it is evident that there is no prospect of a clean break regarding data protection: the extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will continue to apply post-exit when data is transferred from the EU to the UK, affecting UK businesses that process EU data. The UK will have to ensure that its data protection laws closely mirror those of the EU to ensure uninterrupted and unhindered data flows. Undoubtedly, the need for essentially equivalent data protection and indirect influence by the CJEU will be a difficult and unpopular message for ardent Brexiteers [and Theresa May] to hear given their vociferous calls to restore legislative and judicial sovereignty. However, it is abundantly clear that to do otherwise would result in interrupted data flows and serious harm to the UK’s economy – a cost it simply could not bear.
This post was also published on the blog: INTERNATIONAL LAW @ UEA: VIEWS FROM THE BROADS