Introduction
A Bosnian folk song tells the death
of a severely ill Ottoman Pasha. After hearing of the Pasha’s death, his wife
also passes away from sorrow. Now that the UK voted to leave
the European Union (EU) on 23 June 2016, will data protection laws also pass
away from sorrow after the UK leaves the EU?
The Data
Protection Act 1998 (DPA), which is the UK’s current key regulatory
regime for data protection, implements the EU’s Data
Protection Directive of 1995 into the UK national law. This Directive is replaced
by the General Data Protection Regulation (GDPR) adopted in April 2016, which introduces
a task force (European
Data Protection Board), new responsibilities
for data controllers and processors, and new
rights for data subjects such as right to transfer data from one server to
another and right to be forgotten. All EU Member States have to transpose this
Regulation by 25 May 2018 (before the UK is due to leave the EU). Accompanying
the GDPR, a new Directive
in relation to data protection in the field of police and justice sectors was also
introduced at the EU level. This Directive creates a comprehensive framework for
data processing activities performed for the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal
penalties, including the safeguarding against and the prevention of threats to
public security. All EU Member States have to transpose this Directive into
their national laws by 6 May 2018.
As an EU regulation, the GDPR
will be directly applicable in the UK without the need for an Act of Parliament
from 25 May 2018 forwards as the UK is expected to leave the EU officially some
point after March 2019 and its EU membership continues until then. Still, there
exists some provisions under the GDPR that Member States can adapt in their
national laws such as permitted derogations from data protection principles (Article
23 on derogations from transparency obligations and data subject rights for
purposes of national security, defence, public security etc., and Articles
85-91 on derogations for specific data processing situations such as necessary
for freedom of expression, employee data, and scientific and historical
research purposes). So, in anticipation of dealing with these issues, first, a
statement of intent was published by the UK Government on 7 August 2017 as
a form of commitment to the GDPR. Then, the Data
Protection Bill was introduced
to the House of Lords on 13 September 2017. (Also, see here
for the House of Lords’ report on Brexit and data protection). This Bill will
replace the Data Protection Act 1998,
and will regulate the areas where the UK has competence to do so such as the
permitted derogations mentioned above and areas that fall outside the scope of
the GDPR like data processing for law enforcement purposes or for national
security interests. So, in light of these recent developments, it is clear that
the data protection in the UK will not experience an immediate death.
The Data Protection Bill in a nutshell
As a whole, the Data Protection
Bill contains the general definitions under the GDPR and the derogations from
data protection principles provided under it. These derogations
include data processing for journalism, for research, and by employees under
certain conditions.
It also covers the areas that are
not covered by the GDPR. The first area is the data processing in the context
of law enforcement (Part 3 of the Data Protection Bill), which is in fact
covered by the Data Protection Directive on processing of personal data for law
enforcement purposes (the ‘Law Enforcement Directive’). Unlike the GPDR, this
Directive is not directly applicable in the UK.
Therefore, with the inclusion of
the data processing by competent public authorities in relation to law
enforcement purposes, the Data Protection Bill transposes the Law Enforcement Directive
into UK law. It is said
that the principles for such processing resembles the
2014 Regulations, through which the UK transposed the previous EU data
protection rules
for data processing in the context of law enforcement. On the basis of the
broad definition of a competent authority for data processing under the Bill, data
can be processed not only by criminal justice agencies in the UK, but also
other organisations with law enforcement functions such as such as Her
Majesty’s Revenue and Customs, the Health and Safety Executive and the Office
of the Information Commissioner. The competent authority definition under the
Law Enforcement Directive provides for such broad definition (Article 3(7) of
the Law Enforcement Directive). Another area that is covered by the Bill and
not by the GDPR is data processing for intelligence services (Part 4 of the Data
Protection Bill). It is said
that the provisions on this processing are based upon the Council of Europe’s
Convention on automatic processing of data (Convention
108) and changes
which are being made to that Convention [note 40 of the
Explanatory Notes for the Data Protection Bill]. This part of the Bill is
complementary to the other legislation in relation to intelligence services
such as the Investigatory
Powers Act 2016 (discussed below) [note 47], and therefore constantly
refers to this legislation. It also provides for national security exemptions
for certain provisions it sets forth for data processing by intelligence
services (Chapter 6 of the Part 4 of the Data Protection Bill).
Consequently, when the Data
Protection Bill receives Royal Assent (in principle, in May 2018 on the same
day the GPDR is due to be applicable) the GDPR, which will be converted to UK
law with the EU
(Withdrawal) Bill upon Brexit, has to read alongside the Data Protection Bill.
For references in the GDPR such as ‘Union law’ and ‘Member State law’ that will
be no longer relevant after Brexit, Schedule
6 of the Data Protection Bill introduces amendments.
The Data Protection Bill has
received both positive and negative comments. The positive
ones hinged on the relief it has brought to data controllers based in the UK.
That said, it is argued
that the Bill contains some complex and legally questionable provisions, like
this sentence: ‘Terms used in Chapter 2 and in the GDPR have the same meaning
in Chapter 2 as they have in the GDPR’ (Section 4). Or this sentence: ‘GDPR
applies to the processing of personal data to which this Chapter applies but as
if its Articles were part of an Act extending to England and Wales, Scotland
and Northern Ireland’ (Section 20(1)). Nevertheless, the second reading of the
Data Protection Bill in the House of Lords is due on 10 October 2017 and there
might be further changes to it before it becomes law.
What is at stake for the future of UK-EU cross-border data transfer
after Brexit?
For the importance of the UK-EU
cross-border data transfers the numbers speak for themselves. 43%
of EU tech companies are based in the UK and 75%
of the UK’s data transfers are with the EU Member States. It is for this reason
that the UK Government has consistently referred
to the importance of maintaining the data flow between the UK and the EU after
Brexit [note 8.38]. However, even if one assumes that the Data Protection Bill
successfully aligns UK law with the EU data protection framework, this does not
mean that the Bill is a panacea for the future of this flow post-Brexit. This
point was also accepted by the UK Government in their position
paper on the exchange and protection of personal data after Brexit [note 4].
Upon the UK’s exit from the EU, the UK will be considered as a third country
within the meaning of the abovementioned framework and any data transfer from
the EU to there will have to comply with the rules on data transfer to a third
country under the same framework.
Like the Data Protection
Directive of 1995, the GDPR allows for transfer of personal data outside the
EU/EEA, for instance if the European Commission decides that third country to
which data are transferred ensures an ‘adequate level of protection’ for those
data (Article 45 of the GDPR) or if the UK businesses (either as data
processors or controllers) individually adopt other adequacy mechanisms such as
standard contractual clauses and binding corporate rules (Articles 46 and 47 of
the GDPR). In its position
paper on the exchange and protection of personal data after Brexit, the UK
Government referred to the Article 45 adequacy finding and mentioned that the
future UK-EU data transfers could built upon this adequacy model [paras. 22,
32-41]. Moreover, it noted that the UK should be found as compliant with EU
data protection framework as it introduced the Data Protection Bill, which
implemented the GDPR and the Law Enforcement Directive [ibid, para. 23]. As
discussed below, achieving a positive adequacy decision for the UK is not as uncontentious
as the UK Government think it is.
At the outset, the UK should be
found to afford an adequate level of data protection, which was defined in the CJEU’s
Schrems
decision (discussed here)
as ‘essentially equivalent’ data protection to that of afforded under EU law. The
crux of this decision is that in the Court’s view, US law failed to offer that
level of protection because it included expansive national security derogations
for the use of personal data by the US intelligence agency, which in turn meant
that EU citizens were stripped of their privacy and data protection rights once
their data reached the shores of the US under the then valid Safe Harbour
principles scheme. It is evident from this decision that the activities of
intelligence agency of a third country with respect to personal data
transferred from the EU comes under the scrutiny of the European Commission in
its quest for an adequacy decision for that country. Indeed, the GDPR requires
the European Commission to consider a wide array of issues such as the rule of
law, respect for fundamental rights, and legislation on national security,
public security, and criminal law in that country (Article 45(2) of the GDPR). So,
the UK Government’s assumption that the implementation of the GDPR will suffice
for a positive adequacy finding for the UK is false because UK laws on data
processing by intelligence agencies’ for national security purposes will come
under the scrutiny of the European Commission.
Regretfully, the surveillance
practices of UK intelligence services may imperil a positive adequacy decision.
The discussions surrounding the Investigatory
Powers Act (IPA), and its predecessor the Data
Retention and Investigatory Act 2014 (DRIPA) is illustrative in this
matter. The latter Act provided for the storage of telecommunications’ data for
later to be used by police and security agencies. Following the CJEU’s Digital
Rights Ireland decision (discussed here)
finding practices of indiscriminate data retention in the context of fight
against terrorism and transnational crime incompatible with EU fundamental
rights of privacy and data protection, the DRIPA was challenged in the joined
cases of Tele2
and Watson before the CJEU on the ground that it provided for such
practices, and thus violated the mentioned rights. Consequently, the CJEU found
the DRIPA unlawful as the data retention scheme established under it exceeded
the limits of what is strictly necessary and was not justified. (See here
for Prof Lorna Woods’s take on the Tele2
and Watson decision).
The IPA, which took the place of
DRIPA, retains the contested provisions of the DRIPA, and in some situations
provides for more controversial data processing. For example, the IPA provides
for the retention of telecommunications data for preventing or detecting crime
or preventing disorder (Article 87(1) of the IPA), which does not comply with
the CJEU’s finding in Tele2 and Watson
that ‘only the objective of fighting serious crime is capable of justifying
such access to the retained data [para. 172]’. Therefore, the IPA sits at odds
with the CJEU’s finding in Tele2 and
Watson.
In fact, a legal
challenge to the IPA in this matter has already been brought before the UK
High Court by the UK based civil liberties organisation Liberty. Equally relevant
is that Investigatory Powers Tribunal referred the question on the
compatibility of the acquisition and use of bulk communications data under s.94
of the Telecommunications Act 1984
with EU law to the CJEU. (See here
for Matthew White’s review on the matter).
Here, the status of the EU
Charter of Fundamental Rights (Charter) and the jurisdiction of the CJEU after
Brexit requires further attention. The EU (Withdrawal) Bill provides that
pre-Brexit case-law of the CJEU stays binding after Brexit with certain
exceptions (Clause 6. When departing from pre-Brexit case-law of the CJEU, the
Supreme Court must apply the same test it applies when deciding whether to
depart from its own case law, and Parliament or the executive can override that
prior CJEU case law). However, the EU (Withdrawal) Bill in its current form excludes
the Charter (Clause 5(4)), and puts an end to the jurisdiction of the CJEU
(Clause 6) after Brexit. Still, this does not mean that the UK can ignore the
decisions of CJEU given after Brexit because the EU data protection framework,
which the European Commission will refer to when considering the adequacy
question, will be interpreted in light of those decisions. The UK Government,
on the other hand, seems to sweep these issues under the carpet in its
post-Brexit paper because neither the discussions surrounding the IPA nor the
case-law of the Charter after Brexit were mentioned in its position paper on
the exchange and protection of personal data. Only when dealing with the UK-EU
model of data exchange, it referred that such model should ‘respect UK
sovereignty, including the UK’s ability to protect the security of its citizens
and its ability to maintain and develop its position as a leader in data
protection [note
22.] This statement might be read as a reference to the IPA, or any future
law on surveillance practices and the end of the direct jurisdiction of the
CJEU.
Alternatives to the adequacy
finding under Article 45 of the GDPR include subjecting the data transfers to
safeguards under Article 46, which include Binding Corporate Rules under
Article 47. The Government already noted that these alternatives are not its
primary target due to their limited scope [Annex
A]. Still, as the ongoing challenge against the standard contractual clause
scheme for data transfers under the Data Protection Directive of 1995 shows,
neither alternative is immune from a legal challenge before the CJEU.
One might ask whether all these
will be relevant for the data transfer during the transitional period should
there be a transitional period after Brexit. The short answer is: yes, they
will be. Despite the UK Government’s discontent,
if the transitional period is based on the UK’s joining of the European
Economic Area (EEA) and the
European Free Trade Association (EFTA)– the so-called Norway option-, the
data will continue to flow from the EU without an adequacy decision by way of
retaining the GDPR as parts of UK law after Brexit since the GDPR has EEA
relevance (ie, non-EU EEA states will apply the GDPR as such).
Other than that, the UK may seek
to conclude a transitional agreement as part of the Article 50 negotiations, as
indicated in the Prime Minister’s recent Florence speech (discussed here).
That agreement will not be immune from the adequacy requirements discussed
above because it will have to match the EU standards, and particularly the EU
data protection framework and its rules on data transfers.
Data Protection in the field of police and justice sectors
As mentioned above, the UK aims
to transpose the Law Enforcement Directive in to UK law with the Data
Protection Bill. Yet, as in the case of GDPR, maintaining the data exchange
between law enforcement authorities in the UK and in the EU will not be
undisputed upon Brexit.
Any obstacle to this data
exchange after Brexit has been considered as a gift for criminals and as a threat for public safety.
So, it should not come as a surprise that the UK Government highlighted the
importance of facilitating this data exchange for cross-border law enforcement
cooperation in its position
paper on security, law enforcement, and criminal justice [note 21]. Just
like the GDPR, the Data Protection Directive on law enforcement requires an
adequate level of data protection standards for data transfers to a third
country (Article 36 of the Law Enforcement Directive). So, any future agreement
between the EU and the UK on law enforcement information exchange would have to
comply with these standards. The UK Government voiced its intention
to ‘build on’ the adequacy scheme for the future of data exchange for law
enforcement. Still, it was of the opinion that the implementation of the Law
Enforcement Directive through the introduction of the Data Protection Bill is
enough for the UK to secure a positive adequacy decision. I discussed earlier
the scope of the adequacy assessment and the matters that may affect the
likelihood of securing such decision. Besides, in the recent judgment
by the CJEU on the compatibility of the EU-Canada Agreement on transferring
passenger information in the fight against terrorism with the EU Treaties and
Charter, the Court set a list of procedural requirements for the transfer of
information in that context. In this regard, these requirements must be met for
law enforcement data transfers to be compatible with the Charter. (See here
Prof Lorna Wood’s review of Opinion 1/15.)
What is the EU’s position on data protection?
While all these developments and
discussions are unravelling in the UK, the EU’s position on the matter focuses
on the use and protection of personal data obtained or processed before Brexit
for good reason – the need to determine what happens to data processed before
Brexit Day. Accordingly, the EU Commission published a position
paper as part of its approach to Article 50 negotiations in relation to
such use and protection, updated on 21 September 2017. On the whole, the paper
provides for the continuity of the application of the general principles of the
EU data protection framework in force on Brexit day to personal data in the UK
processed before that day. It also notes the continuity of the principal data
subject rights’ such as right to be informed, right of access, and right to
rectification. Moreover, it seeks the confirmation that the personal data with
specific retention periods under sectorial laws must be erased upon the
exhaustion of those periods, and that the ongoing investigations in relation to
compliance with data protection principles on the Brexit day should be
completed. It does not go unnoticed that the paper mentions to the CJEU as the
legal authority to interpret the general principles that it refers to. As a
whole, the position paper indicates that amidst the ambiguousness and the
complexity that the future partnership with the UK on data protection holds,
the EU Commission seeks to secure that this uncharted water will not be
detrimental to data subjects whose data were transferred to the UK before
Brexit.
Conclusion
The UK Government introduced the
Data Protection Bill, which seeks to adjust its national laws on data
protection with the GDPR and the Law Enforcement Directive. This development
may mean that at least some EU data protection requirements will be implemented
in UK law on the day the UK leaves the EU. Still, it should not be read as a
solution for the issue of maintaining the UK-EU data transfer after Brexit
because the GDPR’s and the Directive’s provisions on third country data
transfer will be relevant for such transfer. After the CJEU’s Schrems decision, an adequacy finding
and other legal mechanisms to enable that movement could trigger the extent of
national security derogations and their interferences with fundamental rights
of the persons whose data are transferred from the EU to the UK. Certain
provisions of the IPA and the CJEU’s findings in Tele2 and Watson cannot be reconciled, and this may hinder a
positive adequacy finding for the UK. The same conclusion can be drawn for any
future EU-UK data transfer deal for law enforcement purposes.
Barnard and Peers: chapter 27
Photo credit: Cyberadvice