There are whispers circulating in the aether that if PrivacyShield is deemed adequate for transfers of personal data from the European Union (EU) to the USA, then in a post-Brexit Britain, something akin to PrivacyShield can allow for adequate transfers of personal data to the UK. Such an “adequacy” determination would mean that the UK would not need to implement the General Data Protection Regulation (GDPR).
Indeed, if PrivacyShield is deemed adequate, why can’t the UK also replace the current Data Protection Act 1988 (DPA) with something as “flexible” as PrivacyShield? After all, the DPA is based on the European Data Protection Directive 95/46/EC, which will no longer apply in a post-Brexit Britain.
In other words, at one end of the “Brexit means Brexit” spectrum of meaning, there is a vision of a UK free of data protection law (just like the USA). This blog shows that this view, if adopted by a Brexit Government, presents major risks to the free flow of personal data into the UK irrespective of any ‘PrivacyShield’ type agreement that might cover the UK.
Indeed, to the contrary, being a Member of the Council of Europe is likely to require the UK to amend the DPA to bring it closer to the GDPR. The blog assumes the UK is a Third Country outside the EU with no obligation to implement the GDPR.
Importance of the Council of Europe
Any step towards a UK without a data protection law would require the UK to withdraw from the Council of Europe and its European Convention on Human Rights (ECHR), something that Mrs. May has categorically stated will not happen under her watch as Prime Minister.
Being a Member State of the Council of Europe means that the “Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Convention 108) applies to the UK. The Convention was drafted in 1981 to ensure that all processing of personal data was consistent with Article 8 of the ECHR (which concerns respect for private and family life, etc.).
Unlike the GDPR, the Convention applies to all data controllers, although there are some provisions that provide for exemptions that are linked to Article 8(2) of the ECHR (e.g. necessary and proportionate exemptions with respect to data controllers involved in policing, state security etc).
The universality of the Convention is specified in Article 3 which requires Member States of the Council of Europe to “undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors” (my emphasis). In other words, the UK is required to enact general data protection legislation based on the Convention’s provisions.
Thus if the UK adopted a PrivacyShield option (i.e. repealed the Data Protection Act 1998 and did not implement a replacement law), then the UK would be in breach of the Convention.
Article 12(2) of the Convention then states that “A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation, transborder flows of personal data going to the territory of another Party” (i.e. if a Member State has enacted a data protection law that meets the Convention’s requirement, then transfers of personal data between signatories to the Convention cannot be halted on data protection grounds).
So if a future UK Government were to decide to leave the Council of Europe (or were to repeal the DPA without replacement), then transborder flows of personal data from a Member State that has signed the Convention could be prohibited on the grounds specified in Article 12(2). Notice that such a prohibition has nothing to do with the concept of adequacy in the GDPR or Directive 95/46/EC, or even with the content of any putative PrivacyShield-type agreement.
Those steeped in the history of data protection will remember that it was the threat of European States that had signed up to the Convention imposing a blanket transfer prohibition on the UK which pushed Mrs. Thatcher’s Government into introducing the Data Protection Act 1984.
Mrs. T. enacted a minimalist Act in order to prevent those “Johnny Foreigners” from using the Convention to stop the flows of personal data to the City of London (something which, in my view, will become a major risk if the UK pussyfoots around with the current data protection regime or fails to move the current DPA towards the requirements of GDPR).
In addition, many forget that Directive 95/46/EC was agreed to give effect to the Convention; this is made clear by Recital 11 to the Directive:
“(11) Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data”.
As stated previously, the European Commission has been threatening infraction proceedings as it considers the UK’s DPA a deficient implementation of the Directive; the UK Government has refused since 2005 to publish details (or inform Parliament) as to what these deficiencies are because their release would prejudice international relations (Not a joke! See the comment on FS50577377 below).
It follows that if the Europeans see the DPA as not meeting the requirements of Directive 95/46/EC, it cannot be viewed as adequate in relation to the GDPR (see references). It also follows that the UK has arguably not enacted a data protection law that “gives substance” to the Convention, although this point has not been tested.
Could the DPA remain in some form?
Under Article 3 of the GDPR, the Regulation does not apply to a Controller established outside the EU if the processing activities do not involve:
- “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union”.
So, for example, the vast majority of public sector bodies in a post-Brexit UK would not offer goods and services to data subjects on the Continent, and many small private sector companies do not have a website whereby goods and services are offered to Europeans. For these types of data controllers, it appears that the current DPA could remain instead of the GDPR.
However, the Council of Europe Convention is being modernised from the text formalised in 1981. Given that most Member States of the Convention have also agreed the GDPR, it does not take a rocket scientist to see that any proposed change to the Convention text is likely to be in the direction of the GDPR text.
Thus, in the short term the current DPA could apply to data controllers that do not provide services into the European Union, but in the longer term any change to the Convention will require the UK to modify the current DPA so that it is closer to the GDPR. By contrast, for all controllers who do see the European Union as a marketplace, the GDPR will have to be implemented.
In summary, the Council of Europe Convention provides another reason for saying that the GDPR or something very similar is likely to be implemented in the UK for all controllers.
It also follows that those who delay any preparatory work to plan for implementation of the GDPR are merely procrastinating unnecessarily.
Amberhawk is holding all-day GDPR Regulation Workshops in London, Leeds, Douglas (Isle of Man) and Edinburgh in September and October; details on http://www.amberhawk.com/bookevents3.asp. In these workshops I present a plan of action of what can be done now until the Government’s road-map on the GDPR is clarified.
We have BCS DP Foundation Qualification courses starting in London on September 27 and in Edinburgh on October 4, and a PIA course in London on September 30.
Full details of courses from September (e.g. FOI and DP Practitioner courses) are on the Amberhawk home page: www.amberhawk.com
References
“Why does the European Commission think the UK’s Data Protection Act is a deficient implementation of Directive 95/46/EC?”: http://amberhawk.typepad.com/amberhawk/2013/02/question-answered-why-does-the-european-commission-think-the-uks-data-protection-act-is-a-deficient-implementation-of.html
Modernisation of the European Convention 108: http://www.coe.int/t/dghl/standardsetting/dataprotection/modernisation_en.asp
My blog “GDPR and Brexit: what are the options?” is still relevant, except that this blog adds Convention 108: http://amberhawk.typepad.com/amberhawk/2016/06/gdpr-and-brexit-what-are-the-options.html
Why the UK introduced the Data Protection Act 1984: see “Mrs Thatcher’s data protection legacy”: http://amberhawk.typepad.com/amberhawk/2013/04/mrs-thatchers-data-protection-legacy.html
My latest failure to obtain the details as to why the UK DPA is deficient: see FS50577377: https://ico.org.uk/media/action-weve-taken/decision-notices/2016/1623824/fs_50577377.pdf
Comment on FS50577377
I found the Decision Notice FS50577377 (dated March 2016; three months after the UK had agreed the GDPR) a very poorly reasoned Decision that ignored the main findings of Tribunal Decision EA/2012/0110 (and much more as well) without justification.
However, the main problem (again) was a Decision Notice that considered my request at the time of the request, which was made in July 2014. Prior to the issuing of the Decision Notice, I asked the ICO to contact the relevant public authority to check whether it still maintained its refusal after the considerable passage of time, so as to avoid the “at the time of the request” problem. This was especially important as the UK had agreed the GDPR (whereas the Decision considered the GDPR as being in the early stage of negotiations).
The ICO surprisingly refused to make such contact, even though I see no provision in the FOI Act that stops him from doing so. I decided that there was no point in wasting another year going to the Tribunal as it would also consider my request “at the time of the request”, thus ignoring the Brexit vote and the UK’s adoption of the GDPR.
I think the ICO made a serious error in procedure by not asking the public authority for its views on my request when key external factors, quoted in the Decision as justifying it, had obviously changed fundamentally.
Suppose there is an EIR request about flood defences two years ago which was subject to an exemption; suppose at the beginning of the year a Tsunami had overwhelmed the flood defences. The ICO’s policy is to consider that EIR request at the time of the request (i.e. as if the Tsunami had not occurred) – completely bonkers if you ask me.