In a previous blog post I outlined the contribution made by these sectors to the UK’s economy and discussed how the loss of passporting rights, access to the single market, and free movement of workers from EU member states could negatively impact these sectors and lead to an economically ruinous exit from the European Union.
This post considers the data protection implications of Brexit for the UK’s economy as many businesses and organisations generate and rely upon huge volumes of personal data in their operations (e.g. in the form of customer records, behavioural, profile and transactional data). The personal data generated, and analysed is a hugely valuable economic asset – European Citizens’ data is predicted to be worth €1 trillion annually by 2020 by
the European Commission.’ Much of this personal data is transferred across national boundaries for processing and storage on servers in data centres, and, as a result, the UK hosts the largest data centre market in Europe, and the third largest in the world.
History of UK Data Protection laws
The UK first introduced data protection legislation in 1984 in response to claims by the business community that the UK was losing cross border trade in personal data because it was a ‘data haven.’ For instance, in 1974, the Swedish Data Inspection Board blocked the export of personal data to the UK for the preparation of embossed health identity cards, citing the UK’s lack of legal protection as justification for the restrictions. (M. Adams, ‘Sweden prohibits sending data to UK,’ New Scientist, 17 April 1975, 133.) The politics and economic impact of such personal data transfer disputes led to calls for a supra-national data protection law to facilitate and manage cross-border data flows, and eventually led to the introduction of Directive 95/46/EC (hereafter ‘the Directive’). Each Member state has implemented the Directive’s provisions through the domestic implementing laws. In the UK, the Directive was implemented through the Data Protection Act 1998 (DPA 1998). However, although each member state transposed the Directive’s provisions into national laws, they did not do so uniformly, and this led to fragmented application and enforcement. Indeed, the failure of member states to properly transpose the Directive was a key factor in the decision to replace it with a Regulation (as well as a concern that it was no longer fit for purpose due to changes in personal data processing technologies).
The GDPR 2016/679
Regulation (EU) 2016/679 (hereafter ‘the GDPR 2016/679’) is scheduled to come into effect on 25th May 2018. It will repeal and replace Directive 95/46/EC and will be directly applicable in the UK without the need for implementing domestic UK legislation. Since it is highly likely that the UK will not have completed the ‘exit process’ by 25th May 2018, the UK Government will initially be obligated to amend the DPA 1998 to bring UK law in line with the requirements in the GDPR 2016/679.
However, withdrawal from the EU will afford the UK an opportunity to pause and reflect on the implications of seeking a trading relationship in which the UK would either be obliged to continue to give effect to the GDPR 2016/679, choose to do so voluntarily, or opt to
devise and implement their own data protection law.
If the UK were to withdraw from the EU but join the European Free Trade Association (EFTA) whose current members, Iceland, Liechtenstein and Norway, and trade with the EU via the European Economic Area (EEA), then it would be obliged to continue to give effect to the GDPR 2016/679 as data protection has been harmonized within the internal market and is part of the EEA agreement (for further discussion see blog post by Olivia Tambou: Brexit or not Brexit: how the GDPR will apply to the UK). However, the Government indicated in its White Paper that: “We will not be seeking membership of the Single Market, but will pursue instead a new strategic partnership with the EU, including an ambitious and comprehensive Free Trade Agreement and a new customs agreement,” so, at first glance, it appears that the UK will not be obliged to continue to give effect to the GDPR 2016/679
once it withdraws from the EU.
Continuing compliance with the GDPR 2016/679?
Some (Including the Federation of Small Businesses) have suggested that the UK Government might introduce a data protection law that is less burdensome for small businesses,
and is more business-friendly in general. Indeed, the Government has indicated an intention to “look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public,” suggesting that it might depart from the provisions in the GDPR 2016/679 in the future. One might think that the introduction of less stringent data protection rules would make the UK more
attractive as a trading partner. However, that would not necessarily be the case for the reasons set out below.
(1) Territorial reach of GDPR 2016/679
Firstly, irrespective of the trade deal negotiated, Article 3(1) of the GDPR 2016/679 will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Furthermore, Art 3 (2) stipulates that it will apply to the processing of personal data by controllers and processors established outside the EU ‘if their processing is related to offering goods or services, including those provided free of charge, to EU individuals or to the monitoring of individuals’ behaviour within the EU/EEA countries.’ Given the extra-territorial reach of the GDPR 2016/679, having to comply with a separate UK data protection framework would represent an additional legal compliance burden for businesses operating on a transnational basis – one that would add to the cost of doing business in the UK and put UK businesses at an economic disadvantage.
(2) Minimisation of compliance costs
Secondly, the EU data protection framework (both Directive 95/46/EC and the forthcoming GDPR 2016/679) is regarded as “gold standard.” Indeed, ‘over half the countries in the world now have a data protection and/or privacy law, and most are strongly influenced by the European approach.’
Consequently, although the UK could adopt a different (lower) standard of data protection for internal UK and non-EU established business it is likely that the UK business
community would exert pressure on the UK government to implement data protection laws in the UK that provide an equivalent level of protection since complying with a separate, different, UK data protection framework would present an unwelcome additional compliance burden for businesses operating on a transnational basis. A failure to do so could result in data transfers to the UK being blocked due to privacy and data protection
concerns (e.g. the Swedish health ID cards). Indeed, countries such as Canada, Switzerland, have actively sought to implement ‘equivalent’ level of data protection law in their jurisdictions to facilitate personal data transfers and processing.
The Investigatory Powers Act 2016 – bar on an adequacy determination?
This prompts the question whether, if the UK withdraws from the EU and EEA, but voluntarily chooses to align its data protection laws with those of the EU e.g. by retaining the provisions enacted in compliance with the GDPR 2016/679 prior to withdrawal, it will be successful in obtaining an ‘adequacy’ determination from the European Commission, thereby allowing it to process the personal data of EU and EEA citizens?
A positive adequacy determination cannot be predicted with certainty at this stage, as when assessing adequacy, the European Commission will no doubt consider provisions in the recently enacted Investigatory Powers Act 2016. This legislation requires internet service providers to retain 12 months of subscriber and users browsing data and make it available to numerous Government bodies including the Food Standards Agency and Her Majesty’s Revenue & Customs (HMRC) for the purpose of fighting crime, with few opportunities for judicial oversight. However, the preliminary reference ruling in the Joined cases cases Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson, Peter Brice, Geoffrey Lewis (hereafter Tele 2 & Watson) determined that national legislation (in the UK, the Data Retention and Investigatory Powers Act (DRIPA) 2014) that contained substantially similar powers was illegal because EU law precludes ‘national
legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent
administrative authority’ (para 134).
Although the Tele 2 & Watson decision was issued too late to influence the passage into law of the Investigatory Powers Act (IPA) 2016 – the successor to DRIPA 2014 (which lapsed at
the end of December 2016), it is clear from this ruling that aspects of the Investigatory Powers Act 2016 (such as the extension of data retention powers to internet connection records (i.e. site-level web browsing histories), the absence of a requirement to inform affected individuals of any orders made, and the absence of a requirement to keep the retained data within the European Union are likely to be challenged. Civil Liberties campaign groups, Liberty and Open Right Group (ORG) have both indicated an intention to bring legal
proceedings. Pending revision (e.g. confining access to retained personal data to what is ‘strictly necessary’ for the purposes of combatting ‘serious crime’ and subject to appropriate privacy safeguards, including prior authorisation by a judge or other independent body), could bar the granting of an adequacy decision.
If an adequacy finding was not forthcoming, it would likely prejudice the UK from receiving
business from EU member states as UK established businesses would have to put arrangements in place in order to send personal data to the UK as a ‘third country’ such as reliance upon unambiguous consent, model clauses or binding corporate rules to effect data transfers (for more information see blog post by Olivia Tambou: How the GDPR rules will apply to the UK after the Brexit, part. 2). This would increase the regulatory burden and costs
of UK established businesses that process personal data of EU citizens since these approved mechanisms for lawfully transferring data add an additional administrative layer and vary between jurisdictions.
Irrespective of the trade deal the UK Government negotiates upon exit of the European Union, personal data is, and will remain, a key economic asset, and cross-border transfers of personal data will continue to underpin the UK’s economy. So, if the UK is to avoid
an economically ruinous Brexit strategy it will have to ensure that adequate data protection measures are in place to protect the personal data of European citizens.
The easiest way to achieve this is to ensure that UK data protection law is fully compliant with provisions in the GDPR 2016/679. Also, the UK Government should revise provisions in the Investigatory Powers Act 2016 to ensure compliance with the preliminary reference ruling in Tele 2 & Watson, since the absence of an adequate or equivalent level of data protection would impede cross-border personal data transfers, cause global business established in the UK to relocate and prompt them to reconsider future investment in the country; the antithesis of the White Paper’s objectives.
Note: This blog post is adapted from a roundtable presentation “Data protection after Brexit” by Dr Karen Mc Cullagh at the Computers, Privacy and Data Protection Conference 2017. For an in-depth critical evaluation of the various types of trade deals the UK might negotiate upon exit (with a particular focus on financial, digital and Fintech services) and the data protection implications of each trade model, see: Mc Cullagh, K. “Brexit: Potential Implications for Digital and ‘Fintech’ industries,” International Data Privacy Law, (2017) Vol 7, Iss.1.