The Government’s Brexit policy assumes that the Data Protection Act 2018 is good enough to obtain an adequacy determination and envisages the ICO playing a full part in the European Data Protection Board; this is to protect the free flow of personal data to the UK. This policy was brutally murdered last Friday by the EU’s lead Brexit negotiator who stated that the UK would have to seek an adequacy determination.
Sadly, in March, the Information Commissioner told Parliament that there were significant doubts as to whether the UK would gain that prized adequacy status.
In our Data Protection Act 2018 courses, I advise delegates to identify transfers from the EU to the UK as these transfers are at risk on hard Brexit. I add that around October/November they should consider Plan B to protect transfers should there be no adequacy decision. Of course, I usually add, sweetness and light can still illuminate a Brexit UK flowing with milk and honey; however, I would not bank on it.
This blog suggests that Controllers should prepare plan B to safeguard transfers from the European Union to the UK s before the summer break. So how have I come to this view?
Prime Minister proposes
On 17 Feb 2018, the Prime Minister said that:
“The UK’s Data Protection Bill will ensure that we are aligned with the EU framework. But we want to go further and seek a bespoke arrangement to reflect the UK’s exceptionally high standards of data protection. And we envisage an ongoing role for the UK’s Information Commissioner’s Office, which would be beneficial in providing stability and confidence for EU and UK individuals and businesses alike”.
I must add that the phrase “the UK’s exceptionally high standards of data protection” borders on the delusional; for example, the European Commission told me in March last year that the 1998 Act was a defective implementation of Directive 95/46/EC in twenty places and that they were concerned that four serious defects would carry over into the UK’s implementation of the GDPR (see references).
European Commission disposes
Michel Barnier, speaking at the 28th Congress of the International Federation for European Law (24 May) rejected the UK’s bespoke data protection deal. He said that the problem was that “It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work”.
Warming to his theme he cited the General Data Protection Regulation and said:
“According to the United Kingdom's position first presented – and published – this week on data protection:
- The United Kingdom would like its supervisor to remain on the European Data Protection Board, created by the GDPR.
- It wants to remain in the one-stop-shop.
- It believes that this is in the interest of EU businesses”.
Barnier continued that UK's proposals posed real problems for the EU. For instance, given that the UK was outside the European Court of Justice:
- “Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR?”
- “Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR?”
- “How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?”.
He concluded that “the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision”. (my emphasis on only).
Information Commissioner doubts adequacy
It is therefore slightly worrying to learn that the ICO thinks the UK could fail to obtain an adequacy decision. Giving evidence to the DCMS Select Committee exploring “Fake News”, there was a revealing exchange between a Scottish National Party politician who asked the Information Commissioner, with Paxman-like tenacity, the same question six times.
Eventually, the Commissioner revealed that the she had doubts that the UK would get an adequacy decision. The exchange was as follows;
Q916 Brendan O'Hara: What about the derogation against the backdrop of achieving adequacy? Is that something that you have considered and could that be problematic?
Elizabeth Denham: I don’t see anything in the derogations in the Data Protection Bill that would compromise an adequacy assessment. I don’t see anything directly in the derogations. We have to remember that, if there is going to be an adequacy assessment, it will be done in the round and it will be done comprehensively by the European Commission, where the Commission will be looking at our intelligence gathering, the bulk collection of data and whether there is proper oversight and transparency for the collection of data by the intelligence agencies. That is one thing. They will look at our laws in the round, and I don’t have specific issues about the derogations
Q917 Brendan O'Hara: So you have no concerns, when the Data Protection Bill is finally passed, that the form in which it is passed could compromise an adequacy agreement?
Elizabeth Denham: Not the derogations—
Q919 Brendan O'Hara: So you’ve no concerns about adequacy?
Elizabeth Denham: I have no concerns about the derogations and the impact on adequacy.
Q920 Brendan O'Hara: But have you no concerns about achieving adequacy?
Elizabeth Denham: I think if the Government decide to go down that route to get an assessment of adequacy, that is the right way to go. There will be some challenges, especially related to our national security agencies and bulk collection and retention of data.
There is a joke version of the three laws of thermodynamics much beloved by classical physicists. This version goes as follows:
- First law of thermodynamics: you can never win, one can only break even
- Second law: you can only break even at absolute zero
- Third law: you can never reach absolute zero.
Now there is a data protection equivalent:
- The UK Government can have unfettered personal data flows if it obtains an adequacy assessment from the Commission.
- The Commission will examine all UK privacy laws and consider the ICO’s views
- The ICO thinks the UK is not adequate.
Hence the need for Plan B is urgent
I am running a Data Protection Workshop (1 day) on Friday July 13 covering how the Act interacts with the Applied GDPR; for details email firstname.lastname@example.org
There are still places on the Data Protection Act 2018 Practitioner and Foundation qualification courses (BCS syllabus); details on www.amberhawk.com.
Barnier speech: https://europa.eu/rapid/press-release_SPEECH-18-3962_en.htm
ICO Oral Evidence to the DCMS committee exploring “Fake News” (6th March 2018), HC 363 https://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/digital-culture-media-and-sport-committee/fake-news/oral/79824.html
My blog: UK’s GDPR law will not be judged “adequate” if it contains provisions that made the DPA inadequate; https://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html