The current mismatch between UK and EU data protection rules could be a problem in the Brexit negotiations.
Later this year, the UK will attempt to agree a future trade relationship with the EU, as we move to the second phase of negotiations. This will by no means be straightforward; the UK will have to untangle and rearrange 40 years’ worth of integration with the bloc in a very short space of time.
The most contentious issues will include immigration controls and the Irish border. But there is one area which should be given as much attention, and that is data protection.
In August, the UK government set out its proposals to ensure that “personal data would continue to move back and forth between the UK and the EU in the future in a safe, properly regulated way.” Both tech and non-tech businesses would like to see the free flow of data maintained between the two. According to the ONS, there was £511 billion worth of sales conducted by firms in the UK’s non-financial sector in 2016, up from £503 billion the year before. It is no secret that the tech sector in the UK is a great contributor to the economy. The free flow of data between the UK and the EU should be of high importance.
But to ensure that such a free flow is maintained as it currently exists, there are a number of hurdles that the UK may need to overcome. The first is the General Data Protection Regulation. This is the new EU law which not only strengthens some of the provisions of the Data Protection Directive but also goes further. The Regulation is arguably one of the most advanced sets of data protection rules anywhere in the world.
One of the ways in which the Regulation goes further is with its extra-territorial reach. Article 45 of the GDPR states that transfers of personal data “to a third country…may take place where the [EU] Commission has decided”. The Regulation comes into force in May, so the UK, assuming it is still a Member of the EU at that point, will need to amend the Data Protection Act of 1998 to ensure it falls in line with the provisions of the new EU rules.
After the UK leaves the bloc, transfers to and from the EU will be subject to the adequacy test in Article 45. The EU Commission will look at a range of factors, from the UK’s human rights record to its commitment to international obligations, to determine whether personal data transfers to and from the UK should be permitted.
Whatever arrangement the UK agrees with the EU in the second phase of negotiations, the GDPR will apply. Under a ‘Norway’ model, the UK, as a member of the EEA, would refer data protection matters to the EFTA court. This court closely aligns itself with the decisions of the Court of Justice of the EU. In addition, transfers to countries outside of the EEA will be subject to an adequacy decision by the Commission. A disadvantage here for the UK is that it will not have a seat at the table when making these decisions, such is the effect of withdrawing from the bloc. This would also be the case under a ‘Swiss’ model.
Under a ‘Canadian’ model, which would see the UK negotiate a unique trading arrangement with the EU, it is possible that data transfers could be accommodated in the new agreement. But it is likely, in order to do so, that the UK will have to comply with the GDPR and would thus be subject to laws that it will have little to no influence over. Establishing completely separate data protection rules under a WTO arrangement may not be ideal either, as it may mean that businesses would have the cumbersome task of complying with different sets of laws.
The trading arrangement aside, the amendment of the 1998 Act may also be troublesome. This is because, when the UK leaves, it will not have the equivalent of Article 8 of the EU Charter in domestic law. Article 8 provides “the right to the protection of personal data.” As such, the Charter provides the right while the GDPR merely provides a means for that right to be recognised and protected.
But Clause 5 of the EU Withdrawal Bill, the legislation designed to implement EU law into UK law, states that the Charter will “not be part of domestic law on or after exit day.” At the moment, the UK does not provide the right which is currently provided by Article 8 of the Charter.
Thus, amending the 1998 Act to mirror the GDPR would seem a nugatory task, since it would provide a framework to protect and enforce a right which essentially does not exist. This could have a negative impact on the UK’s ability to obtain an adequacy decision from the Commission post-Brexit.
There is also the Investigatory Powers Act 2016, the UK’s controversial security and intelligence legislation. Part 4 of the 2016 Act, which details the provisions concerning a data retention regime, does not provide the protections and limits required under EU law in accordance with the Digital Rights Ireland decision and Article 8.
As it stands, the free flow of data between the UK and the EU is at stake. Achieving a data protection environment which would allow for data transfers is only one of the many issues which the UK and the EU will have to address. But it could prove more difficult than initially thought.