Gavin Robinson (University of Luxembourg)
There has been no lack of emphasis in recent years on the importance of maintaining the flow of data between the UK and the EU27 – in particular with trade in mind – and ensuring close cooperation on security and crime post-Brexit.
Yet media coverage in Britain and Brussels alike has tended to focus either on the one hand on continued UK alignment with the General Data Protection Regulation (‘GDPR’) and on the other on discrete mechanisms of judicial cooperation in criminal matters (chiefly the European Arrest Warrant) or of police cooperation such as UK access to the Schengen Information System – not least due to a long-running data-copying scandal. Having bubbled away in digital and tech circles, the tight links between “commercial” data flows and cooperation on security and crime are now hitting the mainstream with the release of the two sides’ negotiating priorities. Indeed, the latest terms of engagement show clear indications that even if one chapter of “political Brexit” has closed and legal Brexit is beginning in earnest, there is no end to the wranglings over data flows, security and crime yet in sight.
In London, the government’s position is that the UK “will have an independent policy on data protection at the end of the transition period and will remain committed to high data protection standards” (para 59). As Don Henley might say: freedom, well that’s just some people talkin’. And the reality is that in order, at a time of broad global convergence toward EU rules as a shared standard, to avoid the prison of walkin’ through this world all alone the UK will either need to secure a data adequacy decision – ultimately a unilateral call on the part of the European Commission – or fall back on the narrower, more onerous, competitivity-sapping alternatives of Standard Contractual Clauses (‘SCCs’) and/or Binding Corporate Rules (‘BCRs’).
Avoiding that kind of tripartite palaver in the event of “no-adequacy” was reportedly one of the reasons for Google’s recent decision to shift its UK customers’ data to the United States. In any case, unless the transition period is extended the UK would be required (in wholly un-British fashion) to jump the queue of Third States including Mexico, South Korea or India who are interested in seeking equivalent decisions – an outcome which seems unlikely.
Does the UK measure up? On an aerial view, if Third States such as Argentina, Japan or Israel have already qualified, then surely the UK – as an exiting EU Member State which has “applied” the GDPR through statute and since reworked its text into a “UK_GDPR” with a view to ensuring future continuity – looks a racing certainty. Realpolitik too may tip the scales in favour of yes, given the heft of the UK’s tech sector.
But even so, and assuming that the substance of the UK’s own rules are GDPR-compliant on day one post-transition and remain so – which looks far from guaranteed – at ground level the adequacy procedure looks very different. That is because the Commission is obliged under the Regulation to fine-comb a plethora of personal data-related aspects of a candidate country’s legal system, including domestic rules on access to personal data for public authorities, the concrete effectiveness of independent supervisory authorities in the data protection field, and international commitments relating to personal data.
This thematic cross-over is further reflected in the EU’s latest negotiating position, which states that any future “security partnership” entailing law enforcement and judicial cooperation on crime will depend on adequate protection per se of personal data in the UK – “a necessary condition for the envisaged cooperation” (para 118). To hammer home the point, the EU adds in the same paragraph that “the level of ambition of the law enforcement and judicial cooperation envisaged in the security partnership will be dependent on the level of protection of personal data envisaged in the United Kingdom”.
Amongst potential sources of UK inadequacy already identified, we find the latest incarnation (following repeated legal challenges both in the UK and before the European Court of Human Rights) of the Investigatory Powers Act 2016, which depending on your vantage point either trammels bulk investigatory powers or enables mass surveillance. On the intelligence-sharing side, the Five Eyes alliance with the US, Canada, Australia, and New Zealand is sure to draw scrutiny, and similar concerns will be stoked by the “CLOUD Act” Agreement between the US and the UK on direct cross-border public-private access to electronic evidence controlled by communications service providers.
Ironically, by virtue of being an EU Member State and given that such matters largely fall outside the scope of EU law, the UK has until now had a free pass – at least within the Union legal framework (I discuss the ECHR below). Post-Brexit, given the breadth of the envisaged data adequacy review by the Commission, there looms the paradoxical prospect of the UK having to take more rules from the EU institutions in order to secure a positive decision than it would be required to observe as a Member State.
Adding to the headache is the uncertainty surrounding the future involvement of the well-regarded (and well-resourced) Information Commissioner’s Office (‘ICO’) on the European Data Protection Board (‘EDPB’), the body with the key frontline role in interpreting and enforcing the GDPR. On this point, back in July 2018 the House of Commons’ Exiting the European Union Committee had urged the UK government to “accept … that the CJEU will continue to have jurisdiction over aspects of data protection law in the UK” post-Brexit in return for continued membership of the EDPB and inclusion in the regulatory one-stop-shop, both to be negotiated into a separate two-way agreement on data.
From an EU law point of view, this kind of settlement seemed hopeful at best at the time. And although we now have confirmation that the UK government will, after all, aim for adequacy decisions under GDPR and the Law Enforcement Directive (para 60 of its approach), the vague intention to seek “appropriate arrangements to allow continued cooperation” between ICO and other national Data Protection Authorities (para 62) would seem to represent, in familiar Brexit fashion, simultaneously a climb-down and a no-deal pressure play ahead of the January 2021 cut-off.
Despite the obvious and urgent need for constructive legal compromise, we can probably expect instead to see “red line” fever rise once more sometime between spring and summer. Why so? Because the European Court of Justice will deliver a judgment in the Schrems II case in which it looks set to examine US “foreign intelligence” (or, again take your pick, mass surveillance) practices against the requirement of essential equivalence with data protection in EU law. The Court may strike down not only the adequacy-conferring EU-US Privacy Shield but also a set of Commission-approved Standard Contractual Clauses which are massively used in practice for global data transfers. Indeed, even if the ECJ – as advised by the Advocate-General – declines to assess the Privacy Shield on this occasion, a direct challenge thereto is waiting in the wings at the General Court, and significant changes to SCCs are in any case likely to be required. Although the complexities of the Schrems II case and its potential ramifications are too great to unpack here, they give a taste of what may await the UK in its new setting as a Third State – especially in a No-Deal scenario.
Whichever the route taken to alignment on data flows, however, another storm is brewing in the shape of the UK’s relationship with human rights law.
Naturally, individuals in the UK will not be able to rely post-Brexit on the fundamental right to data protection enshrined in Article 8 of the Charter of Fundamental Rights of the European Union as the Charter will no longer apply to the UK, whilst there is no equivalent right in domestic law.
There nonetheless remains the Human Rights Act 1998, which incorporates the European Convention on Human Rights (‘ECHR’) and its Article 8 privacy right into UK law – at least for now. For the 2019 Conservative manifesto stated: “We will update the Human Rights Act and administrative law to ensure that there is a proper balance between the rights of individuals, our vital national security and effective government”, and committed the UK government to establish a ‘Constitution, Democracy and Rights Commission’ within its first year. Recently, it was urged by the newly-appointed Attorney General to “take back control, not just from the EU, but from the judiciary”.
Although details of the mooted Commission remain scarce, Sionaidh Douglas-Scott has remarked that (beyond repealing the 1998 Act altogether) an “update” might include removing the duty of the courts to “have regard” to Strasbourg case law, abolishing judges’ power to issue declarations of incompatibility between HRA rights and UK legislation, or diluting the duty to interpret legislation so far as possible in line with ECHR rights.
The EU response? A commitment (in para 118 of its negotiating directives) to automatic termination of law enforcement and judicial cooperation in criminal matters if the UK were to denounce the Convention or abrogate the HRA, thus making it impossible for individuals to invoke the rights under it before UK courts.
The views expressed in this article reflect the position of the author and not necessarily the one of the Brexit Institute Blog
Gavin Robinson is a postdoctoral researcher in criminal law and IT law at the University of Luxembourg