Brexit: Implications for data protection in the UK, by Karen Mac Cullagh

Pour lire la version en français cliquez ICI

In a previous blog post: “Brexit White Paper: Implications for Financial Services, Digital and ‘Fintech’ Industries,” I outlined the contribution made by these sectors to the UK’s economy and discussed how the loss of passporting rights, access to the single market, and free movement of workers from EU member states could negatively impact these sectors and lead to an economically ruinous exit from the European Union.

This post considers the data protection implications of Brexit for the UK’s economy as many businesses and organisations generate and rely upon huge volumes of personal data in their operations (e.g. in the form of customer records, behavioural, profile and transactional data).  The personal data generated, and analysed is a hugely valuable economic asset – European Citizens’ data is predicted to be worth €1 trillion annually by 2020.’ as said the European Commission.  Much of this personal data is transferred across national boundaries for processing and storage on servers in data centres, and, as a result, the UK hosts the largest data centre market in Europe, and the third largest in the world.

History of UK Data Protection laws

The UK first introduced data protection legislation in 1984 in response to claims by the business community that the UK was losing cross border trade in personal data because it was a ‘data haven.’  For instance, in 1974, the Swedish Data Inspection Board blocked the export of personal data to the UK for the preparation of embossed health identity cards, citing the UK’s lack of legal protection as justification for the restrictions. (M. Adams, ‘Sweden prohibits sending data to UK,’ New Scientist, 17 April 1975, 133.) The political and economic impact of such personal data transfer disputes led to calls for a supra-national data protection law to facilitate and manage cross-border data flows, and eventually led to the introduction of Directive 95/46/EC (hereafter ‘the Directive’).  Each Member state has implemented the Directive’s provisions through the domestic implementing laws.  In the UK, the Directive was implemented through the Data Protection Act 1998 (DPA 1998). It repealed the Data Protection Act 1984. The DPA 1998 applies to England & Wales, Scotland, N. Ireland, and is overseen by the Information Commissioner’s Office.However, although each member state transposed the Directive’s provisions into national laws, they did not do so uniformly, and this led to fragmented application and enforcement.  Indeed, the failure of member states to properly transpose the Directive was a key factor in the decision to it with a Regulation (as well as a concern that it was no longer fit for purpose due to changes in personal data processing technologies).

The GDPR 2016/679

Regulation (EU) 2016/679 (hereafter ‘the GDPR 2016/679’) is scheduled to come into effect on 25th May 2018.  It will repeal and replace Directive 95/46/EC and will be directly applicable in the UK without the need for implementing domestic UK legislation.  Since it is highly likely that the UK will not have completed the ‘exit process’ by 25th May 2018, the UK Government will initially be obligated to amend the DPA 1998 to bring UK law in line with the requirements in the GDPR 2016/679. (see former post on Olivia Tambou on Brexit or not Brexit: how the GDPR will apply to the UK.)

However, withdrawal from the EU will afford the UK an opportunity to pause and reflect on the implications of seeking a trading relationship in which the UK would either be obliged to continue to give effect to the GDPR 2016/679, choose to do so voluntarily, or opt to devise and implement their own data protection law.

If the UK were to withdraw from the EU but join the European Free Trade Association (EFTA) whose current members, Iceland, Liechtenstein and Norway, and trade with the EU via the European Economic Area (EEA), then it would be obliged to continue to give effect to the GDPR 2016/679 since data protection has been harmonized within the internal market and is part of the EEA agreement. However, the Government indicated in its White Paper that: “We will not be seeking membership of the Single Market, but will pursue instead a new strategic partnership with the EU, including an ambitious and comprehensive Free Trade Agreement and a new customs agreement,” so, at first glance, it appears that that the UK will not be obliged to continue to give effect to the Regulation once it withdraws from the EU.

Continuing compliance with the GDPR 2016/679?

Some have suggested that the UK Government might introduce a data protection law that is less burdensome for small businesses, ( Federation of Small Businesses, ‘Manifesto European Elections 2014,’ (February 2014) and is more business-friendly in general.  Indeed, the Government has indicated an intention to ‘look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public,’ suggesting that it might depart from the provisions in the GDPR 2016/679 in the future. (House of Commons, Culture, Media and Sport Committee, Oral evidence: Responsibilities of the Secretary of State for Culture, Media and Sport, HC 764, Response to Q 72 by Karen Bradley, MP, Monday 24 October 2016).  One might think that the introduction of less stringent data protection rules would make the UK more attractive as a trading partner.  However, that would not necessarily be the case for the reasons set out below.

(1) Territorial reach of GDPR 2016/679

Firstly, irrespective of the trade deal negotiated, Article 3(1) of the GDPR 2016/679 will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.  Furthermore, Art 3 (2) stipulates that it will apply to the processing of personal data by controllers and processors established outside the EU ‘if their processing is related to offering goods or services, including those provided free of charge, to EU individuals or to the monitoring of individuals’ behaviour within the EU/EEA countries.’  Article 3(2). Given the extra-territorial reach of the GDPR 2016/679, having to comply with a separate UK data protection framework would represent an additional legal compliance burden for businesses operating on a transnational basis – one that would add to the cost of doing business in the UK and put UK businesses at an economic disadvantage.

(2) Minimisation of compliance costs

Secondly, the EU data protection framework (both Directive 95/46/EC and the forthcoming GDPR 2016/679) are regarded as “gold standard” Indeed, ‘over half the countries in the world now have a data protection and/or privacy law, and most are strongly influenced by the European approach.’

Consequently, although the UK could adopt a different (lower) standard of data protection for internal UK and non-EU established business it is likely that the UK business community would exert pressure on the UK government to implement data protection laws in the UK that provide an equivalent level of protection since complying with a separate, different, UK data protection framework would present an unwelcome additional compliance burden for businesses operating on a transnational basis.  A failure to do so could result in data transfers to the UK being blocked due to privacy and data protection concerns (e.g. the Swedish health ID cards).  Indeed, countries such as Canada, Switzerland, have actively sought to implement ‘equivalent’ level of data protection law in their jurisdictions to facilitate personal data transfers and processing.

The Investigatory Powers Act 2016 – bar on an adequacy determination?  

This prompts the question whether, if the UK withdraws from the EU and EEA, but voluntarily chooses to align its data protection laws with those of the EU e.g. by retaining the provisions enacted in compliance with the GDPR 2016/679 prior to withdrawal, it will be successful in obtaining an ‘adequacy’ determination from the European Commission, thereby allowing it to process the personal data of EU and EEA citizens?

A positive adequacy determination cannot be predicted with certainty at this stage, as when assessing adequacy, the European Commission will no doubt consider provisions in the recently enacted Investigatory Powers Act 2016.  This legislation requires internet service providers to retain 12 months of subscriber and users browsing data and make it available to numerous Government bodies including the Food Standards Agency and Her Majesty’s Revenue & Customs (HMRC) for the purpose of fighting crime, with few opportunities for judicial oversight.  However, the preliminary reference ruling in the Joined cases Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson, Peter Brice, Geoffrey Lewis (hereafter Tele 2 & Watson) determined that national legislation (in the UK, the Data Retention and Investigatory Powers Act (DRIPA) 2014) that contained substantially similar powers was illegal because EU law precludes ‘national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority.’ (para 134).

Although the Tele 2 & Watson decision was issued too late to influence the passage into law of the Investigatory Powers Act (IPA) 2016 – the successor to DRIPA 2014 (which lapsed at the end of December 2016), it is clear from this ruling that aspects of the Investigatory Powers Act 2016 (such as the extension of data retention powers to internet connection records (i.e. site-level web browsing histories), the absence of a requirement to inform informing affected individuals of any orders made, and the absence of a requirement to keep the retained data within the European Union are likely to be challenged. Civil Liberties campaign groups, Liberty and Open Right Group (ORG) have both indicated an intention to bring legal proceedings. Pending revision (e.g. confining access to retained personal data to what is ‘strictly necessary’ for the purposes of combatting ‘serious crime’ and subject to appropriate privacy safeguards, including prior authorisation by a judge or other independent body), could bar the granting of an adequacy decision.

If an adequacy finding was not forthcoming, it would likely prejudice the UK from receiving business from EU member states as UK established businesses would have to put arrangements in place in order to send personal data to the UK as a ‘third country’ such as reliance upon unambiguous consent, model clauses or binding corporate rules to effect data transfers – for more information see blog forthcomming posts by Olivia Tambou on How the GDPR rules will apply to the UK after the Brexit part. 2 forthcoming.  This would increase the regulatory burden and costs of UK established businesses that process personal data of EU citizens since these approved mechanisms for lawfully transferring data add an additional administrative layer and vary between jurisdictions.

Conclusions

Irrespective of the trade deal the UK Government negotiates upon exit of the European Union, personal data is, and will remain, a key economic asset, and cross-border transfers of personal data will continue to underpin the UK’s economy. So, if the UK is to avoid an economically ruinous Brexit strategy it will have to ensure that adequate data protection measures are in place to protect the personal data of European citizens.

The easiest way to achieve this is to ensure that UK data protection law is fully compliant with provisions in the GDPR 2016/679.  Also, the UK Government should revise provisions in the Investigatory Powers Act 2016 to ensure compliance with the preliminary reference ruling in Tele 2 & Watson, since the absence of an adequate or equivalent level of data protection would impede cross-border personal data transfers, cause global business established in the UK to relocate and prompt them to reconsider future investment in the country; the antithesis of the White Paper’s objectives.

Dr. Karen Mac Cullagh, Course Director, LLM Media Law, Policy & Practice at the Unversity of East Anglia, Norwich

Further reading

For an in-depth critical evaluation of the various types of trade deals the UK might negotiate upon exit (with a particular focus on financial and digital services) and the data protection implications of each trade model, see: Mc Cullagh, K. “Brexit: Potential Implications for Digital and ‘Fintech’ industries,” International Data Privacy Law, (2017) Vol 7, Iss.1.

Posts in connexion with this post:

Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Logo WordPress.com

Vous commentez à l'aide de votre compte WordPress.com. Déconnexion / Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion / Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion / Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion / Changer )

Connexion à %s