Unless the European Union (Withdrawal) Bill is modified, the new Data Protection Bill that implements the UK’s version of the GDPR (expected tomorrow) can be modified or even repealed using Ministerial powers that are not subject to detailed scrutiny.
Indeed, I will go so far to say that the European Commission would be advised not to grant the UK the status of offering an adequate level of protection until further legislative guarantees are enacted by the UK. So bad is the position.
So how did I get to this conclusion. Can we start with the Regulation itself?
- Article 1(2) of the GDPR states that “This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.
- Recital 1 of the GDPR explains that “The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her”.
- Recital 4 adds: “This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data ….” (my emphasis).
So, the purpose of the Regulation is to provide the detail implementation of the “right to data protection”. This right is enshrined by Article 8 of the Charter which under the heading “Protection of personal data” states:
- “Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority”.
Also, relevant to this blog is Article 7 of the Charter, which repeats the text of Article 8(1) of the European Convention of Human Rights (“Everyone has the right to respect for his or her private and family life, home and communications”); i.e. the "right to data protection" is additional to the A.8 ECHR right.
The European Union (Withdrawal) Bill
The important elements of the Bill are as follows:
- Clause 5(4): “The Charter of Fundamental Rights is not part of domestic law on or after exit day”. Comment: on “exit day” the rationale for implementing the GDPR also goes.
- Clause 6(1): “A court or tribunal (a) is not bound by any principles laid down, or any decisions made, on or after exit day by the European Court, and (b) cannot refer any matter to the European Court on or after exit day”. Comment: ECJ decisions are not binding in UK legal cases after exit day; however Clause 6(4)(a) states at any time before exit day, the Supreme Court is not bound by cases such as Lindqvist (domestic purposes), Breyer (definition of personal data), Schrems (independence of data protection authorities) and Gonzalez (Right to be forgotten).
- Clause 6(2): “A court or tribunal need not have regard to anything done on or after exit day by the European Court, another EU entity or the EU but may do so if it considers it appropriate to do so”. Comment: decisions of the European Data Protection Board (if it is an EU entity) to harmonise the GDPR are not binding in the UK; if the Board is not an EU entity, then its decisions are not binding as the Charter of Fundamental Rights is not applicable.
- In several Clauses, the Bill states (e.g. Clause 7(6)): “But regulations under this section may not…(e) amend, repeal or revoke the Human Rights Act 1998 or any subordinate legislation made under it”. Comment: Human Rights Act cannot be amended but this safeguard has to be considered in the context that Mrs May is also seeking to repeal this Act (see references).
- In several clauses (e.g. Clause 17(1)) there are powers where: “a Minister of the Crown may by regulations make such provision as the Minister considers appropriate in consequence of this Act” where the powers may modify primary and secondary legislation but not “primary legislation passed or made after the end of the Session in which this Act is passed”. Comment: The Data Protection Bill is not legislation enacted after the Withdrawal Bill; as it falls in the same Session of Parliament as the Withdrawal Bill, the DP Bill can be amended using Withdrawal Bill powers.
Finally, I want to explain two “features” of the Withdrawal Bill:
- “Exit day” is not when the UK leaves the EU. In the Bill, it “means such day as a Minister of the Crown may by regulations appoint”; so there might be many exit days!!
- The powers are only exercisable for two years after “exit day” and in the vast majority of cases exercised by reference to negative resolution procedures. This means the powers are used, perhaps with some limited scrutiny by a Committee of MPs, where the House as a whole has to vote down the use of powers (i.e. even if the Committee is 100% opposed to the exercise of powers, that does not negate their use).
Just imagine you are at the European Commission and you can see the following consequences of the Withdrawal Bill on the new UK Data Protection law. For example:
- UK Ministers can change the UK's GDPR implementation in its new Data Protection Act at any time from exit day in any direction using powers that are not scrutinised.
- There is no guarantee that established case law derived from ECJ Decisions or harmonising determinations from the European Data Protection Board are considered in cases involving personal data about European citizens processed by UK data controllers.
- Legal arguments such as “the Charter of Fundamental Rights is no longer applicable in the UK, therefore the basis of the UK’s Data Protection regime has questionable legal foundations” are possible in the UK. If these succeed the new DP Act cannot be enforced.
- The Withdrawal Bill explicitly protects the Human Rights Act; it does not protect the new Data Protection Act. Therefore, the latter is vulnerable to modification.
Given the above, would you give the UK an adequacy determination?
In my view, it does not matter what the Data Protection Bill contains or even how good it is; the Government’s incoherent approach to Brexit has just undermined the whole data protection show.
- DATA PROTECTION BCS FOUNDATION QUALIFICATION: Edinburgh (3,4 and 5 October).
- GDPR/DP Bill WORKSHOPS: Edinburgh (6 October).
- DATA PROTECTION BCS PRACTITIONER QUALIFICATION: London (13 November).
- NEW DATA PROTECTION BILL ALL DAY UPDATE: London (20 November)
The European Union (Withdrawal) Bill and related Explanatory Notes can be found at https://services.parliament.uk/bills/2017-19/europeanunionwithdrawal.html
Mrs May’s opposition to the Human Rights Act: https://amberhawk.typepad.com/amberhawk/2017/01/why-the-uk-is-unlikely-to-get-an-adequacy-determination-post-brexit.html