Many commentators have reported the statement from the Secretary of State at the Department of Culture, Media and Sport (DCMS) that the UK Government is to implement the General Data Protection Regulation (GDPR). However, those who reported the announcement have failed to follow through with a detailed analysis of this position.
For example, data controllers should not assume that UK’s adoption of the GDPR will automatically mean that the UK offers an adequate level of protection. This blog explains this important conclusion.
First, the announcement of implementation of the GDPR did not come as a formal Written Statement focusing on the GDPR; it came in as a throwaway oral response to a question that did not involve the GDPR. One hopes that the Secretary of State will table such a Statement soon.
The exchange, in the middle of a Parliamentary Committee meeting about the “Responsibilities of the Secretary of State for Culture, Media and Sport”, is as follows.
Q72 Nigel Huddleston: “A final question: it is this cross-departmental approach (towards Brexit) that I know is broadening. Is that working?”
Karen Bradley: “…An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” (my emphasis; see references)
This statement that “…it would be expected and quite normal for us to opt into the GDPR” is not a firm commitment. What one “expects” could become the unexpected, especially if Brexit negotiations go sour. For instance, after our DP courses “it would be expected and quite normal” for delegates to follow the results of Barnsley Football Club (Google “It’s just like watching Brazil” to see why).
In addition, the use of “opt into” the GDPR is a curious term to use given that the GDPR is a binding commitment on Member States; it implies the “opt-out” was explored in detail (and perhaps remains a residual possibility, as you will see below).
However, as GDPR was mentioned, one can assume more official GDPR commentary will soon be forthcoming. Indeed, I have heard reliable rumours of some relevant paperwork being published by DCMS before Xmas, perhaps as early as the end of the month.
So, let’s assume the GDPR is going to be implemented. I read the Minister’s comment as saying the GDPR might be implemented in the UK in a pretty full form at first, but then the “Great Repeal Act” (GRA) powers (when enacted) could be used to reduce some of the burdens on some data controllers at a later stage (e.g. after there has been an adequacy assessment from the European Commission).
Note the Secretary of State focuses on “burdens on some data controllers” and NOT protections for data subjects. This could allow the UK to relax issues such as mandatory data protection officers, reporting data losses “as soon as reasonably practicable” rather than within 72 hours, and some of the other administrative minutiae in the GDPR for those data controllers who do not sell into the European Union (i.e. not subject to Article 3).
Please remember that an “adequate level of protection” (the requirement of the current Eighth Principle) means “adequate level of protection” from the standpoint of the data subject. This means that the UK version of the GDPR cannot mess too much with the Principles and Rights; to do so risks “an inadequate level of protection”.
However, an adequacy assessment is not a slam dunk, even if the UK adopts the GDPR. One assumes that Ministers have the wherewithal to ensure an adequate UK is an outcome of the Brexit negotiations as the UK will have implemented the GDPR.
However, if the UK obtains Brexit with no deal (the view of many hard-line Government Ministers who want no truck with the Single Market), then even though the UK has adopted the GDPR, there would be no assessment of adequacy. And of course, if this is the outcome, why implement the GDPR at all (that explains why the Minister said “opt-in”; I suspect that “opt-out” of the GDPR was considered in detail).
I have to say that I think the latter aspect (i.e. Brexit with no deal) is a realistic outcome. The UK is one of the largest economies in Europe and the European politicians cannot agree a deal that risks giving the UK a competitive advantage over European economies. One way to avoid all blame for a duff Brexit deal is for the UK to Brexit with no deal.
So, assume no Brexit deal but GDPR implemented. The UK, when it leaves, would have NO adequacy determination in the bag (as there is no Brexit deal) and will have to rely on the European Commission and Article 45 for it to make a determination of adequacy. Now, if there is Brexit with no deal, how long will it take for the Commission to do this? Add in some acrimonious negotiations, and the length of time taken doubles.
It is important to understand that the UK cannot apply to the Commission for an adequacy determination; any adequacy determination is in the gift of the Commission. With acrimonious or no deal Brexit, “gifts” will be rather thin on the ground.
The Commission could easily justify any delay citing the Investigatory Powers Bill (soon to be an Act) because its bulk personal data set collection powers are accompanied with a double lock that does not consider the data protection issues. In addition, the European Data Protection Board could consider that all the problems that afflict Privacy Shield now apply to the UK.
It follows that data controllers who are relying on an adequacy determination following the Ministerial announcement should not do so.
My final comment in this section relates to those Islands that rely on UK legislation and often incorporate UK legislation (e.g. Jersey, Isle of Man). If adoption of the UK’s GDPR legislation in the above circumstances does not guarantee adequacy, perhaps the time has come to assure adequacy independently of the UK.
Of course, the above might not happen. However, you have to understand that lurking around is the following unanswered question which might come to the fore after any consultation on the GDPR: if adopting the GDPR is not a guarantee of adequacy, then why adopt it in the first place?
Advance warning: we have devoted the next UPDATE session on 3rd April 2017 to the GDPR. We have an impressive array of speakers lined up, including speakers from the ICO and DCMS: http://www.amberhawk.com/bookevents.asp
Amberhawk’s forthcoming courses in November/December:
- GDPR Workshops: 10 November (Douglas IoM); 7 December (London)
- DP Practitioner Course: Starts 14 November (BCS syllabus; London)
- CISMP Course: Starts 28 November (BCS syllabus; London)
Oral evidence: Responsibilities of the Secretary of State for Culture, Media and Sport, HC 764, Monday 24 October 2016 (GDPR at Q72 on http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/culture-media-and-sport-committee/responsibilities-of-the-secretary-of-state-for-culture-media-and-sport/oral/42119.html)