The Data Protection Bill and UK-EU Data Transfers: A Story of Brexit and Data Protection

Elif Mendos Kuşkonmaz, PhD student at Queen Mary, University of London[*]

Introduction

A Bosnian folk song tells the story of a Pasha who died from a severe illness. When his wife heard about his passing, she died from grief. Similarly, now that the UK has chosen to leave the European Union, will the same fate befall data protection laws once the UK exits the EU?

The UK’s current data protection law, the Data Protection Act 1998 (DPA), incorporates the EU’s 1995 Data Protection Directive. However, this Directive has been succeeded by the General Data Protection Regulation (GDPR), adopted in April 2016. The GDPR introduces several changes, including the establishment of a task force (European Data Protection Board), new obligations for data controllers and processors, and enhanced rights for data subjects, such as data portability and the right to be forgotten. All EU members must integrate this regulation into their national laws by May 25, 2018, before the UK’s expected departure.

In addition to the GDPR, a new EU Directive concerning data protection within the police and justice sectors was also introduced. This Directive creates a comprehensive framework for handling data in criminal justice contexts, including the prevention, investigation, detection, and prosecution of criminal offenses, as well as safeguarding public security. All EU members are required to integrate this Directive into their national legislation by May 6, 2018.

Being an EU regulation, the GDPR will directly apply to the UK without requiring an Act of Parliament starting May 25, 2018. This is because the UK’s official departure from the EU is projected to occur sometime after March 2019, and its EU membership remains valid until then. However, certain provisions within the GDPR allow member states to make adjustments in their national laws, such as permissible exemptions from data protection principles. In preparation for these adjustments, the UK Government initially published a statement of intent on August 7, 2017, to express its commitment to the GDPR. Subsequently, the Data Protection Bill was presented to the House of Lords on September 13, 2017. This Bill is intended to supersede the Data Protection Act 1998 and govern areas where the UK has jurisdiction, encompassing the aforementioned permissible exemptions and areas beyond the GDPR’s purview, such as data processing for law enforcement and national security purposes. Considering these recent developments, it becomes evident that data protection in the UK will not face an immediate demise.

The Data Protection Bill in a nutshell

The Data Protection Bill outlines general definitions and exceptions to data protection principles provided under the GDPR. These exceptions include data processing for journalism, research, and employee data under specific circumstances.

Furthermore, the Bill addresses areas not covered by the GDPR, including data processing within the context of law enforcement (Part 3 of the Bill), a matter that falls under the Data Protection Directive on processing personal data for law enforcement purposes (Law Enforcement Directive). Unlike the GDPR, this Directive is not directly applicable in the UK.

By including data processing by competent public authorities for law enforcement, the Data Protection Bill integrates the Law Enforcement Directive into UK law. It has been suggested that the principles governing this processing resemble the 2014 Regulations, through which the UK previously implemented EU data protection regulations for data processing in law enforcement contexts. The Bill’s broad definition of a ‘competent authority’ for data processing allows for data handling not only by criminal justice agencies in the UK but also by organizations with law enforcement functions such as Her Majesty’s Revenue and Customs, the Health and Safety Executive, and the Office of the Information Commissioner. The Law Enforcement Directive’s definition of a competent authority allows for such a broad interpretation. Another area covered by the Bill but not the GDPR is data processing for intelligence services (Part 4 of the Bill). These provisions are reportedly based on the Council of Europe’s Convention on automatic processing of data (Convention 108) and its amendments. This section of the Bill complements other legislation related to intelligence services, such as the Investigatory Powers Act 2016 (discussed later). It also includes national security exemptions for certain provisions related to data processing by intelligence services (Chapter 6, Part 4 of the Bill).

When the Data Protection Bill receives Royal Assent (expected in May 2018, coinciding with the GDPR’s implementation), the GDPR (incorporated into UK law through the EU (Withdrawal) Bill after Brexit) must be interpreted alongside the Data Protection Bill. For references in the GDPR that will become irrelevant after Brexit, such as ‘Union law’ and ‘Member State law,’ Schedule 6 of the Data Protection Bill introduces amendments.

The Data Protection Bill has garnered both positive and negative feedback. The positive responses highlight the sense of relief it provides to data controllers in the UK. Conversely, some argue that the Bill contains complicated and legally questionable provisions, such as the statement that terms used in Chapter 2 of the Bill and the GDPR have the same meaning. Despite these criticisms, the second reading of the Data Protection Bill in the House of Lords is scheduled for October 10, 2017, indicating potential further modifications before it becomes law.

What is at stake for the future of UK-EU cross-border data transfer after Brexit?

The significance of UK-EU cross-border data transfers is evident from the numbers: 43% of EU tech companies are situated in the UK, and 75% of the UK’s data transfers involve EU member states. This explains why the UK Government has consistently emphasized the need to preserve data flow between the UK and the EU post-Brexit. However, even assuming the Data Protection Bill successfully aligns UK law with the EU data protection framework, it won’t completely resolve the future of this data flow, a point acknowledged by the UK Government in its position paper on exchanging and safeguarding personal data after Brexit.

Following the UK’s departure from the EU, it will be categorized as a third country within the framework of data protection. Consequently, any data transfer from the EU to the UK must comply with regulations governing data transfers to third countries.

Similar to the 1995 Data Protection Directive, the GDPR permits transferring personal data outside the EU/EEA under certain conditions. This includes scenarios where the European Commission determines that the third country receiving the data ensures an ‘adequate level of protection’ (Article 45 of the GDPR), or if UK businesses (as data processors or controllers) independently implement other adequacy mechanisms like standard contractual clauses and binding corporate rules (Articles 46 and 47 of the GDPR). In its position paper on data exchange and protection after Brexit, the UK Government cited the Article 45 adequacy finding and suggested that future UK-EU data transfers could be based on this model. It also emphasized that the UK should be deemed compliant with the EU data protection framework, given its introduction of the Data Protection Bill, which implements both the GDPR and the Law Enforcement Directive. However, as discussed below, achieving a positive adequacy decision for the UK might not be as straightforward as the UK Government believes.

For starters, the UK must be deemed to provide an adequate level of data protection, which the Court of Justice of the European Union (CJEU) defined in its Schrems decision as data protection essentially equivalent to that afforded under EU law. This decision highlighted that US law failed to offer such protection due to broad national security exceptions for personal data use by US intelligence agencies, thereby undermining the privacy and data protection rights of EU citizens whose data reached US servers under the then-valid Safe Harbor principles scheme. This decision underscores that the European Commission scrutinizes the actions of a third country’s intelligence agencies regarding personal data transferred from the EU when evaluating an adequacy decision. The GDPR requires the European Commission to consider various factors when making an adequacy decision, including the rule of law, respect for fundamental rights, and legislation concerning national security, public security, and criminal law in the third country. Therefore, the UK Government’s presumption that implementing the GDPR is sufficient for a positive adequacy finding is flawed, because UK laws on data processing by intelligence agencies for national security purposes will also be reviewed by the European Commission.

Unfortunately, the surveillance practices of UK intelligence services could jeopardize a positive adequacy decision. Discussions surrounding the Investigatory Powers Act (IPA) and its predecessor, the Data Retention and Investigatory Powers Act 2014 (DRIPA), illustrate this concern. The DRIPA allowed for storing telecommunications data for later use by police and security agencies. Following the CJEU’s Digital Rights Ireland decision, which found indiscriminate data retention practices in the fight against terrorism and transnational crime incompatible with the EU fundamental rights to privacy and data protection, the DRIPA faced legal challenges in the joined cases of Tele2 and Watson before the CJEU. These challenges argued that the DRIPA, by allowing for such practices, violated the mentioned rights. Consequently, the CJEU deemed the DRIPA unlawful because its data retention scheme went beyond what was strictly necessary and lacked justification.

The IPA, which replaced the DRIPA, retains the contested provisions of the DRIPA and introduces even more contentious data processing practices in some instances. For example, the IPA permits retaining telecommunications data for preventing or detecting crime or disorder (Article 87(1) of the IPA). This provision contradicts the CJEU’s ruling in Tele2 and Watson that “only the objective of fighting serious crime is capable of justifying such access to the retained data.” As such, the IPA clashes with the CJEU’s findings.

In fact, Liberty, a UK-based civil liberties organization, has already filed a legal challenge against the IPA in the UK High Court. It’s also significant that the Investigatory Powers Tribunal referred the question of whether obtaining and using bulk communications data under Section 94 of the Telecommunications Act 1984 aligns with EU law to the CJEU.

It’s crucial to consider the status of the EU Charter of Fundamental Rights (Charter) and the CJEU’s jurisdiction after Brexit. The EU (Withdrawal) Bill stipulates that pre-Brexit CJEU case law remains binding after Brexit, with some exceptions (Clause 6). When deviating from pre-Brexit CJEU case law, the Supreme Court must apply the same criteria it uses when deciding whether to depart from its own case law. Additionally, Parliament or the executive branch can overrule prior CJEU case law. However, the current form of the EU (Withdrawal) Bill excludes the Charter (Clause 5(4)) and terminates the CJEU’s jurisdiction after Brexit (Clause 6). This does not mean the UK can disregard CJEU decisions made after Brexit, as the EU data protection framework, which the European Commission will reference when assessing adequacy, will be interpreted in light of these decisions. By contrast, the UK Government seems to be ignoring these issues in its post-Brexit plan, as neither the debates surrounding the IPA nor the status of the Charter and its case law after Brexit were addressed in its position paper on exchanging and safeguarding personal data. Only when discussing the UK-EU data exchange model did the UK Government mention that such a model should “respect UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection.” This statement could be construed as a reference to the IPA or any future legislation on surveillance practices, and to the end of the CJEU’s direct jurisdiction.

Alternatives to the adequacy finding under Article 45 of the GDPR include applying safeguards for data transfers as outlined in Article 46, including Binding Corporate Rules under Article 47. The Government has already indicated that these alternatives are not its primary focus due to their limited scope. However, as evidenced by the ongoing challenge against the standard contractual clause scheme for data transfers under the 1995 Data Protection Directive, neither alternative is safe from legal challenges before the CJEU.

One might wonder if these issues will be relevant for data transfers during a potential transition period after Brexit. In short, yes. Despite the UK Government’s opposition, if the transition period involves the UK joining the European Economic Area (EEA) and the European Free Trade Association (EFTA) - often called the Norway option - data will continue to flow from the EU without an adequacy decision. This is because the GDPR will remain part of UK law after Brexit, and the GDPR is relevant to the EEA, meaning non-EU EEA states will apply the GDPR as it stands.

Alternatively, the UK could seek a transitional agreement as part of the Article 50 negotiations, as hinted at in the Prime Minister’s recent Florence speech. Such an agreement would still be subject to the adequacy requirements discussed above because it would need to meet EU standards, specifically the EU data protection framework and its rules on data transfers.

Data protection in the police and justice sectors

As previously mentioned, the UK aims to transpose the Law Enforcement Directive into UK law through the Data Protection Bill. However, as in the case of the GDPR, maintaining data exchange between law enforcement authorities in the UK and the EU will not be without challenges after Brexit.

Any obstacles to this data exchange after Brexit have been viewed as advantageous for criminals and a threat to public safety. Therefore, it is unsurprising that the UK Government emphasized the importance of smooth data exchange for cross-border law enforcement cooperation in its position paper on security, law enforcement, and criminal justice. Similar to the GDPR, the Data Protection Directive on law enforcement mandates an adequate level of data protection standards for data transfers to third countries (Article 36 of the Law Enforcement Directive). Any future agreement between the EU and the UK regarding exchanging law enforcement information would need to adhere to these standards. The UK Government expressed its intention to “build on” the adequacy scheme for the future of data exchange in law enforcement. However, it believes that implementing the Law Enforcement Directive through the Data Protection Bill is enough to secure a positive adequacy decision. The scope of the adequacy assessment and factors potentially affecting the likelihood of securing such a decision were discussed earlier. Furthermore, in its recent judgment on the compatibility of the EU-Canada Agreement on transferring passenger information for combating terrorism with EU Treaties and the Charter, the CJEU established procedural requirements for exchanging information in this context. These requirements must be met for law enforcement data transfers to comply with the Charter.

What is the EU’s position on data protection?

While these developments and discussions unfold in the UK, the EU focuses on the use and protection of personal data obtained or processed before Brexit. This emphasis stems from the need to determine the fate of data processed before Brexit day. Consequently, the EU Commission published a position paper on September 21, 2017, outlining its approach to the Article 50 negotiations concerning the use and protection of such data. The paper primarily emphasizes the continued application of the general principles of the EU data protection framework in effect on Brexit day to personal data in the UK processed before that day. It also stresses maintaining the principal data subject rights, such as the right to be informed, the right of access, and the right to rectification. Moreover, the paper seeks confirmation that personal data with specific retention periods under sectoral laws will be deleted once those periods expire, and that investigations into compliance with data protection principles that are ongoing on Brexit day will be completed. It is noteworthy that the paper designates the CJEU as the legal authority for interpreting the general principles it references. Overall, the position paper indicates that, amidst the uncertainty and complexity surrounding the future partnership with the UK on data protection, the EU Commission aims to ensure that data subjects whose data was transferred to the UK before Brexit are not negatively impacted.

Conclusion

The UK Government has introduced the Data Protection Bill, which aims to harmonize its national data protection laws with the GDPR and the Law Enforcement Directive. This step suggests that at least some EU data protection requirements will be incorporated into UK law by the time the UK leaves the EU. However, this should not be misconstrued as a complete solution for maintaining UK-EU data transfers after Brexit. This is because provisions within the GDPR and the Directive concerning third-country data transfers will still apply to such transfers. Following the CJEU’s Schrems decision, an adequacy finding and other legal mechanisms facilitating such data movement could be influenced by the scope of national security exceptions and their potential interference with the fundamental rights of individuals whose data is transferred from the EU to the UK. Certain provisions within the IPA clash with the CJEU’s findings in the Tele2 and Watson cases, potentially hindering a positive adequacy finding for the UK. The same conclusion applies to any future EU-UK data transfer agreement for law enforcement purposes.

Barnard and Peers: chapter 27

Photo credit: Cyberadvice
[*] Many thanks to Prof Steve Peers for his valuable comments.

Licensed under CC BY-NC-SA 4.0