Edoardo Celeste (Dublin City University)
Upcoming DCU Brexit Institute Event: Cross-Border Data Protection After Brexit, September 16-17, in association with the Cross-Border Data Protection Network. For more information and to register, see here.
Data protection is continuing to be a destabilizing factor in the roller-coaster relationship between the EU and the UK. Less than two months after the formal adoption of an adequacy decision by the EU Commission in relation to the UK legal framework, British newspapers report statements from members of the British government revealing a willingness to depart from EU data protection rules. The ePrivacy Directive’s requirement of requesting the user’s consent in relation to cookies on webpages is mentioned as an example of provision that a new, modern UK data protection law should no longer include after Brexit.
Leaving aside the potential criticism that one can share in relation to the cookie consent requirement – certainly not one of the most successful EU norms, these political statements confirm the UK’s suffering from the fact it is now in effect an EU satellite state from a data protection perspective. Commenting on the Trade and Cooperation Agreement and the shared EU-UK strategy to adopt an adequacy decision in order to preserve personal data flows across the English Channel, I have argued that Brexit has paradoxically fastened a tighter link between EU and UK law from a data protection standpoint. I talked of an ‘incomplete emancipation’ because with Brexit the UK had hoped to end its normative vassalage vis-à-vis the EU. However, by becoming a third state from a data protection perspective, the UK must now subject its data protection law to a constant monitoring by the EU Commission to maintain its adequacy status and keep personal data flowing between the two jurisdictions. This essentially means that the adequacy decision works as a sort of ‘bridle’ vis-à-vis UK law. The UK cannot freely amend its legal framework (not only its data protection law strictly speaking) without considering the consequences that may ensue for its adequacy determination. Indeed, a cookie could cost to the UK millions of data (and pounds) flowing from the EU across the Channel.
In one of my previous articles, I argued that the UK adequacy decision is subject to a time bomb. In particular, I referred to the precarious status of UK national security law vis-à-vis EU fundamental rights. Strategic litigations could start at any time and lead the EU Court of Justice to invalidate the Commission’s adequacy decision since this area of UK law has multiple times being declared as infringing the rights to privacy and data protection. This may be regarded as an exogenous destabilizing factor, essentially for two reasons: firstly, because it depends on the assessment of UK national security law, which does not represent data protection law strictly speaking, and, secondly, because judicial cases would have to be triggered by external actors (activists or NGOs) in other EU jurisdictions. In light of the recent policy declarations mentioned at the start of this post, however, one may identify the existence of an endogenous destabilizing factor, too: the UK data protection adequacy decision may collapse due to internal pressures to definitively depart from EU data protection law. If the UK desires to fully emancipate itself from a data protection perspective, finally putting an end at its suffered position as a satellite state that has to comply with EU standards without having the power to define them, this will unavoidably lead to the adoption of a new data protection model. In that case, the UK will have to satisfy the EU Commission that such a new legal framework can still be regarded as adequate from an EU point of view. An arduous task, considering that the UK intentionally wants to depart from EU law.
In conclusion, these political statements generate significant tensions from a data protection perspective. The delicate equilibrium that the EU Commission has reached in adopting an already precarious adequacy decision is unavoidably shaken by these claims. Activists and NGOs will now pay more attention also to the next moves of the British government in relation to potential reforms of UK data protection law itself, with the hope to find there too a valid justification to denounce the invalidity of the UK adequacy decision. Hopefully, a strong oversight will be guaranteed by the EU Commission, and constant conversations between the EU and the UK will help prevent further normative arm-wrestling by both parties. Certainly, EU companies, especially those based in Ireland with strong commercial ties with the UK, do not deserve any more uncertainty, after the complexities of the Brexit process, in a climate where the collapse of the UK adequacy decision is looming.
Dr Edoardo Celeste is an Assistant Professor in Law, Technology and Innovation at Dublin City University. He coordinates the project ‘Cross-Border Data Protection Network’, which explores data protection challenges in the post-Brexit era.
The views expressed in this blog reflect the position of the author and not necessarily that of the Brexit Institute Blog.