by Monica Cappelletti, Post-Doc in European Data Protection Law, Dublin City University.
The EU is widely recognized as having one of the strongest data protection regimes in the world. The right to the protection of personal data is codified in Article 8 of the Charter of Fundamental Rights of the EU. However, as with so much else, this regime has been cast into doubt by Brexit. Immediately after the results of the Brexit referendum, scholars pointed out that “data protection has the potential to be among the issues that ‘make’ or ‘break’ a possibly successful Brexit” (see this article by de Hert and Papakonstantinou). It is unclear what sort of political and legal solutions will be found for this problem.
The crux of the discussion can be summarized as the need to continue guaranteeing Data Flow. The question is how to fuel Data Exchange and Data Transfer between the UK and the EU since this Data Flow is the cornerstone for both private economic activities and (above all) for police and judicial cooperation. This will certainly require a general legal framework that guarantees the complex and increasingly refined system of legal protection of individuals concerning their personal information and their rights concerning these data.
At the European level, in order to protect and guarantee the fundamental right of protection of personal data, the General Data Protection Regulation (GDPR) has been adopted and will enter into force in May 2018.
But what will happen with Brexit? What will be the relationship in terms of Data Exchange between the European Union and the UK? What could be the solution adopted by the UK in the medium term? The UK is still a Member State and consequently has a duty to respect the GDPR and to adopt the derogations from this general regulation. At the same time, however, the British Government has initiated the Article 50 procedure to withdraw from the Union. These questions can only be partially answered, as there are still many issues to be discussed politically.
On the European Union side, on 20 September 2017 the Commission’s Task Force for the Brexit negotiations adopted a position paper on the use of data and protection of information obtained or processed before the withdrawal date. This position paper is very clear: for data collected before the withdrawal date, the rules of the European Union have to be applied, with all limits and restrictions on the use of data (for example, data storage only for a limited period of time and subsequent automatic erasing after this period) and guarantees of all data subjects’ rights (rights of access, rectification, erasure, restriction of processing, data portability, and to object to automated processing), and any transfer of such data to third countries (outside EU-27) must be in accordance with Union law. This highly restrictive position, in line with the European protection and guarantee system, could mean that, in the event of non-agreement, the United Kingdom will have to destroy all data received from the EU within six months (see Tele2 Sverige and Watson case of the Court of Justice of the European Union, C-203/15 and C-698/15). The UK “crashing out” of the EU could thus result in a catastrophic Data Flow scenario.
Furthermore, although the Commission has not yet addressed the further crucial issue (Data Exchange post-Brexit), it is worth noting that it has recently presented the internal preparatory discussions for the EU-27 on the framework for the future relationship: “Police & judicial cooperation in criminal matters”, including several proposals concerning the UK position as a third country after Brexit. A new position paper should therefore be expected shortly.
On the other hand, from the British side, ideas are actually much clearer. As anticipated in the House of Lords White Paper of last summer, the goal is to continue ensuring Data Flow without interruption. For this reason, the legislative policy strategy that is being pursued is the adoption of a new legislative provision on the protection of personal data that complies with new European standards (GDPR) and, post-Brexit, the signature of a specific agreement with the EU on Data Exchange, a specific UK/EU Shield.
Considering this statement, the House of Lords started the examination of the Data Protection Bill (DPB) last September, and currently, after receiving the first approval of the House of Lords last November, the discussion of the project has just started in the House of Commons.
The DPB, which must be read in conjunction with the main EU (Withdrawal) Bill (see our recent blog post by Chiara Graziani), has two objectives: to specify the derogation clauses from the GDPR (as other EU Member States are also doing) and to implement the LEA Directive (Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data).
The UK aims to ensure immediately, by default, the same European standard of guarantees and protection for citizens with regard to personal data, in a sort of “forced harmonization” with the European rules intended to secure a quick agreement on Data Exchange. Not by chance, in fact, the provisions in question contain not only measures for implementing the GDPR (Parts I, II, and V) and the LEA Directive (Part III), but also introduce other rules on the processing of personal data by national security and intelligence services (Part IV). The final goal is to overcome the European “adequacy decision” for the UK/EU Shield, which, as claimed by the CJEU, must be substantial, with the Commission having to evaluate all possible “applicable” rules that may limit fundamental rights of the individual (see Schrems case, C-362/14).
Is this regulatory exercise able to guarantee for the UK the continuation of Data Flow and the agreement for the UK/EU Shield? The DPB has received several criticisms (see comments of Privacy International or Open Rights Group), since the British legislator seems to have adopted a minimum standard level of protection in the definitions of derogation from the GDPR (such as the age limit of 13 for the use of children’s data) or insufficient measures on automated decision-making compared with the EU level. However, the most striking point, immediately noted by scholars (see this comment by Oliver Butler), is the attribution of new powers to the Secretary of State (clause 15) to alter the data protection legislation in the public interest, de facto bypassing Parliament. This provision does not seem to be coherent with the current EU legislative framework and, above all, is contrary to the principles set out in the Tele2 Sverige and Watson case. To these criticisms it should be added that, although not part of the current DPB, there is a further statute that could attract the attention of the European Union in the adequacy decision phase. Specifically, the Investigatory Powers Act (IPA) has already received many other criticisms as an invasive tool with regard to privacy and the protection of personal information.
From this perspective, even if the European Commission were to evaluate the new DP rules on the powers of the Secretary of State as non-invasive, the Commission itself is always obliged to analyse the whole system of protection of fundamental rights and, as a consequence, the IPA could constitute an obstacle to the UK/EU Shield (and maybe for these reasons the British Government is considering whether to reform the IPA).
The question is in the hands of the Parliament. Data Flow is a crucial element for any economic activity in our current technological society. Not guaranteeing this flow would have considerable economic and political consequences. The House of Commons has the task of deciding whether to confirm what is already approved by the House of Lords or to risk that after six months from the withdrawal date the UK would no longer have a large amount of information. Otherwise, it could try to impose a level of protection that respects not only the standards of the European Union but also those of the Council of Europe, perhaps opening up the possibility of starting to contract the UK/EU Shield even before the withdrawal date.