Tuesday, 26 September 2017

Brexit and Data Protection: The Tale of the Data Protection Bill and UK-EU Data Transfers

Elif Mendos Kuşkonmaz, PhD student at Queen Mary, University of London[*]


A Bosnian folk song tells the death of a severely ill Ottoman Pasha. After hearing of the Pasha’s death, his wife also passes away from sorrow. Now that the UK voted to leave the European Union (EU) on 23 June 2016, will data protection laws also pass away from sorrow after the UK leaves the EU?

The Data Protection Act 1998 (DPA), which is the UK’s current key regulatory regime for data protection, implements the EU’s Data Protection Directive of 1995 into the UK national law. This Directive is replaced by the General Data Protection Regulation (GDPR) adopted in April 2016, which introduces a task force (European Data Protection Board), new responsibilities for data controllers and processors, and new rights for data subjects such as right to transfer data from one server to another and right to be forgotten. All EU Member States have to transpose this Regulation by 25 May 2018 (before the UK is due to leave the EU). Accompanying the GDPR, a new Directive in relation to data protection in the field of police and justice sectors was also introduced at the EU level. This Directive creates a comprehensive framework for data processing activities performed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. All EU Member States have to transpose this Directive into their national laws by 6 May 2018.

As an EU regulation, the GDPR will be directly applicable in the UK without the need for an Act of Parliament from 25 May 2018 forwards as the UK is expected to leave the EU officially some point after March 2019 and its EU membership continues until then. Still, there exists some provisions under the GDPR that Member States can adapt in their national laws such as permitted derogations from data protection principles (Article 23 on derogations from transparency obligations and data subject rights for purposes of national security, defence, public security etc., and Articles 85-91 on derogations for specific data processing situations such as necessary for freedom of expression, employee data, and scientific and historical research purposes). So, in anticipation of dealing with these issues, first, a statement of intent was published by the UK Government on 7 August 2017 as a form of commitment to the GDPR. Then, the Data Protection Bill was introduced to the House of Lords on 13 September 2017. (Also, see here for the House of Lords’ report on Brexit and data protection). This Bill will replace the Data Protection Act 1998, and will regulate the areas where the UK has competence to do so such as the permitted derogations mentioned above and areas that fall outside the scope of the GDPR like data processing for law enforcement purposes or for national security interests. So, in light of these recent developments, it is clear that the data protection in the UK will not experience an immediate death.

The Data Protection Bill in a nutshell

As a whole, the Data Protection Bill contains the general definitions under the GDPR and the derogations from data protection principles provided under it. These derogations include data processing for journalism, for research, and by employees under certain conditions.

It also covers the areas that are not covered by the GDPR. The first area is the data processing in the context of law enforcement (Part 3 of the Data Protection Bill), which is in fact covered by the Data Protection Directive on processing of personal data for law enforcement purposes (the ‘Law Enforcement Directive’). Unlike the GPDR, this Directive is not directly applicable in the UK.

Therefore, with the inclusion of the data processing by competent public authorities in relation to law enforcement purposes, the Data Protection Bill transposes the Law Enforcement Directive into UK law. It is said that the principles for such processing resembles the 2014 Regulations, through which the UK transposed the previous EU data protection rules for data processing in the context of law enforcement. On the basis of the broad definition of a competent authority for data processing under the Bill, data can be processed not only by criminal justice agencies in the UK, but also other organisations with law enforcement functions such as such as Her Majesty’s Revenue and Customs, the Health and Safety Executive and the Office of the Information Commissioner. The competent authority definition under the Law Enforcement Directive provides for such broad definition (Article 3(7) of the Law Enforcement Directive). Another area that is covered by the Bill and not by the GDPR is data processing for intelligence services (Part 4 of the Data Protection Bill). It is said that the provisions on this processing are based upon the Council of Europe’s Convention on automatic processing of data (Convention 108) and changes which are being made to that Convention [note 40 of the Explanatory Notes for the Data Protection Bill]. This part of the Bill is complementary to the other legislation in relation to intelligence services such as the Investigatory Powers Act 2016 (discussed below) [note 47], and therefore constantly refers to this legislation. It also provides for national security exemptions for certain provisions it sets forth for data processing by intelligence services (Chapter 6 of the Part 4 of the Data Protection Bill).

Consequently, when the Data Protection Bill receives Royal Assent (in principle, in May 2018 on the same day the GPDR is due to be applicable) the GDPR, which will be converted to UK law with the EU (Withdrawal) Bill upon Brexit, has to read alongside the Data Protection Bill. For references in the GDPR such as ‘Union law’ and ‘Member State law’ that will be no longer relevant after Brexit, Schedule 6 of the Data Protection Bill introduces amendments.

The Data Protection Bill has received both positive and negative comments. The positive ones hinged on the relief it has brought to data controllers based in the UK. That said, it is argued that the Bill contains some complex and legally questionable provisions, like this sentence: ‘Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR’ (Section 4). Or this sentence: ‘GDPR applies to the processing of personal data to which this Chapter applies but as if its Articles were part of an Act extending to England and Wales, Scotland and Northern Ireland’ (Section 20(1)). Nevertheless, the second reading of the Data Protection Bill in the House of Lords is due on 10 October 2017 and there might be further changes to it before it becomes law.

What is at stake for the future of UK-EU cross-border data transfer after Brexit?

For the importance of the UK-EU cross-border data transfers the numbers speak for themselves. 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with the EU Member States. It is for this reason that the UK Government has consistently referred to the importance of maintaining the data flow between the UK and the EU after Brexit [note 8.38]. However, even if one assumes that the Data Protection Bill successfully aligns UK law with the EU data protection framework, this does not mean that the Bill is a panacea for the future of this flow post-Brexit. This point was also accepted by the UK Government in their position paper on the exchange and protection of personal data after Brexit [note 4]. Upon the UK’s exit from the EU, the UK will be considered as a third country within the meaning of the abovementioned framework and any data transfer from the EU to there will have to comply with the rules on data transfer to a third country under the same framework.

Like the Data Protection Directive of 1995, the GDPR allows for transfer of personal data outside the EU/EEA, for instance if the European Commission decides that third country to which data are transferred ensures an ‘adequate level of protection’ for those data (Article 45 of the GDPR) or if the UK businesses (either as data processors or controllers) individually adopt other adequacy mechanisms such as standard contractual clauses and binding corporate rules (Articles 46 and 47 of the GDPR). In its position paper on the exchange and protection of personal data after Brexit, the UK Government referred to the Article 45 adequacy finding and mentioned that the future UK-EU data transfers could built upon this adequacy model [paras. 22, 32-41]. Moreover, it noted that the UK should be found as compliant with EU data protection framework as it introduced the Data Protection Bill, which implemented the GDPR and the Law Enforcement Directive [ibid, para. 23]. As discussed below, achieving a positive adequacy decision for the UK is not as uncontentious as the UK Government think it is.

At the outset, the UK should be found to afford an adequate level of data protection, which was defined in the CJEU’s Schrems decision (discussed here) as ‘essentially equivalent’ data protection to that of afforded under EU law. The crux of this decision is that in the Court’s view, US law failed to offer that level of protection because it included expansive national security derogations for the use of personal data by the US intelligence agency, which in turn meant that EU citizens were stripped of their privacy and data protection rights once their data reached the shores of the US under the then valid Safe Harbour principles scheme. It is evident from this decision that the activities of intelligence agency of a third country with respect to personal data transferred from the EU comes under the scrutiny of the European Commission in its quest for an adequacy decision for that country. Indeed, the GDPR requires the European Commission to consider a wide array of issues such as the rule of law, respect for fundamental rights, and legislation on national security, public security, and criminal law in that country (Article 45(2) of the GDPR). So, the UK Government’s assumption that the implementation of the GDPR will suffice for a positive adequacy finding for the UK is false because UK laws on data processing by intelligence agencies’ for national security purposes will come under the scrutiny of the European Commission.

Regretfully, the surveillance practices of UK intelligence services may imperil a positive adequacy decision. The discussions surrounding the Investigatory Powers Act (IPA), and its predecessor the Data Retention and Investigatory Act 2014 (DRIPA) is illustrative in this matter. The latter Act provided for the storage of telecommunications’ data for later to be used by police and security agencies. Following the CJEU’s Digital Rights Ireland decision (discussed here) finding practices of indiscriminate data retention in the context of fight against terrorism and transnational crime incompatible with EU fundamental rights of privacy and data protection, the DRIPA was challenged in the joined cases of Tele2 and Watson before the CJEU on the ground that it provided for such practices, and thus violated the mentioned rights. Consequently, the CJEU found the DRIPA unlawful as the data retention scheme established under it exceeded the limits of what is strictly necessary and was not justified. (See here for Prof Lorna Woods’s take on the Tele2 and Watson decision).

The IPA, which took the place of DRIPA, retains the contested provisions of the DRIPA, and in some situations provides for more controversial data processing. For example, the IPA provides for the retention of telecommunications data for preventing or detecting crime or preventing disorder (Article 87(1) of the IPA), which does not comply with the CJEU’s finding in Tele2 and Watson that ‘only the objective of fighting serious crime is capable of justifying such access to the retained data [para. 172]’. Therefore, the IPA sits at odds with the CJEU’s finding in Tele2 and Watson.

In fact, a legal challenge to the IPA in this matter has already been brought before the UK High Court by the UK based civil liberties organisation Liberty. Equally relevant is that Investigatory Powers Tribunal referred the question on the compatibility of the acquisition and use of bulk communications data under s.94 of the Telecommunications Act 1984 with EU law to the CJEU. (See here for Matthew White’s review on the matter).

Here, the status of the EU Charter of Fundamental Rights (Charter) and the jurisdiction of the CJEU after Brexit requires further attention. The EU (Withdrawal) Bill provides that pre-Brexit case-law of the CJEU stays binding after Brexit with certain exceptions (Clause 6. When departing from pre-Brexit case-law of the CJEU, the Supreme Court must apply the same test it applies when deciding whether to depart from its own case law, and Parliament or the executive can override that prior CJEU case law). However, the EU (Withdrawal) Bill in its current form excludes the Charter (Clause 5(4)), and puts an end to the jurisdiction of the CJEU (Clause 6) after Brexit. Still, this does not mean that the UK can ignore the decisions of CJEU given after Brexit because the EU data protection framework, which the European Commission will refer to when considering the adequacy question, will be interpreted in light of those decisions. The UK Government, on the other hand, seems to sweep these issues under the carpet in its post-Brexit paper because neither the discussions surrounding the IPA nor the case-law of the Charter after Brexit were mentioned in its position paper on the exchange and protection of personal data. Only when dealing with the UK-EU model of data exchange, it referred that such model should ‘respect UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection [note 22.] This statement might be read as a reference to the IPA, or any future law on surveillance practices and the end of the direct jurisdiction of the CJEU.

Alternatives to the adequacy finding under Article 45 of the GDPR include subjecting the data transfers to safeguards under Article 46, which include Binding Corporate Rules under Article 47. The Government already noted that these alternatives are not its primary target due to their limited scope [Annex A]. Still, as the ongoing challenge against the standard contractual clause scheme for data transfers under the Data Protection Directive of 1995 shows, neither alternative is immune from a legal challenge before the CJEU.

One might ask whether all these will be relevant for the data transfer during the transitional period should there be a transitional period after Brexit. The short answer is: yes, they will be. Despite the UK Government’s discontent, if the transitional period is based on the UK’s joining of the European Economic Area (EEA) and the European Free Trade Association (EFTA)– the so-called Norway option-, the data will continue to flow from the EU without an adequacy decision by way of retaining the GDPR as parts of UK law after Brexit since the GDPR has EEA relevance (ie, non-EU EEA states will apply the GDPR as such).

Other than that, the UK may seek to conclude a transitional agreement as part of the Article 50 negotiations, as indicated in the Prime Minister’s recent Florence speech (discussed here). That agreement will not be immune from the adequacy requirements discussed above because it will have to match the EU standards, and particularly the EU data protection framework and its rules on data transfers.

Data Protection in the field of police and justice sectors

As mentioned above, the UK aims to transpose the Law Enforcement Directive in to UK law with the Data Protection Bill. Yet, as in the case of GDPR, maintaining the data exchange between law enforcement authorities in the UK and in the EU will not be undisputed upon Brexit.

Any obstacle to this data exchange after Brexit has been considered as a gift for criminals and as a threat for public safety. So, it should not come as a surprise that the UK Government highlighted the importance of facilitating this data exchange for cross-border law enforcement cooperation in its position paper on security, law enforcement, and criminal justice [note 21]. Just like the GDPR, the Data Protection Directive on law enforcement requires an adequate level of data protection standards for data transfers to a third country (Article 36 of the Law Enforcement Directive). So, any future agreement between the EU and the UK on law enforcement information exchange would have to comply with these standards. The UK Government voiced its intention to ‘build on’ the adequacy scheme for the future of data exchange for law enforcement. Still, it was of the opinion that the implementation of the Law Enforcement Directive through the introduction of the Data Protection Bill is enough for the UK to secure a positive adequacy decision. I discussed earlier the scope of the adequacy assessment and the matters that may affect the likelihood of securing such decision. Besides, in the recent judgment by the CJEU on the compatibility of the EU-Canada Agreement on transferring passenger information in the fight against terrorism with the EU Treaties and Charter, the Court set a list of procedural requirements for the transfer of information in that context. In this regard, these requirements must be met for law enforcement data transfers to be compatible with the Charter. (See here Prof Lorna Wood’s review of Opinion 1/15.)

What is the EU’s position on data protection?

While all these developments and discussions are unravelling in the UK, the EU’s position on the matter focuses on the use and protection of personal data obtained or processed before Brexit for good reason – the need to determine what happens to data processed before Brexit Day. Accordingly, the EU Commission published a position paper as part of its approach to Article 50 negotiations in relation to such use and protection, updated on 21 September 2017. On the whole, the paper provides for the continuity of the application of the general principles of the EU data protection framework in force on Brexit day to personal data in the UK processed before that day. It also notes the continuity of the principal data subject rights’ such as right to be informed, right of access, and right to rectification. Moreover, it seeks the confirmation that the personal data with specific retention periods under sectorial laws must be erased upon the exhaustion of those periods, and that the ongoing investigations in relation to compliance with data protection principles on the Brexit day should be completed. It does not go unnoticed that the paper mentions to the CJEU as the legal authority to interpret the general principles that it refers to. As a whole, the position paper indicates that amidst the ambiguousness and the complexity that the future partnership with the UK on data protection holds, the EU Commission seeks to secure that this uncharted water will not be detrimental to data subjects whose data were transferred to the UK before Brexit.


The UK Government introduced the Data Protection Bill, which seeks to adjust its national laws on data protection with the GDPR and the Law Enforcement Directive. This development may mean that at least some EU data protection requirements will be implemented in UK law on the day the UK leaves the EU. Still, it should not be read as a solution for the issue of maintaining the UK-EU data transfer after Brexit because the GDPR’s and the Directive’s provisions on third country data transfer will be relevant for such transfer. After the CJEU’s Schrems decision, an adequacy finding and other legal mechanisms to enable that movement could trigger the extent of national security derogations and their interferences with fundamental rights of the persons whose data are transferred from the EU to the UK. Certain provisions of the IPA and the CJEU’s findings in Tele2 and Watson cannot be reconciled, and this may hinder a positive adequacy finding for the UK. The same conclusion can be drawn for any future EU-UK data transfer deal for law enforcement purposes.

Barnard and Peers: chapter 27
Photo credit: Cyberadvice

[*] Many thanks to Prof Steve Peers for his valuable comments.

No comments:

Post a Comment