How do you think Brexit is going? When you ask this question, most people shake their heads, or utter an expletive or refer to sayings that contain words such as “brewery” and “organise”.
Anyway, the draft Withdrawal Agreement has been made public and there has been quite a lot of data protection commentary saying that the UK does not need to worry about transfers of personal data from the European Union (EU) after March 29 (assuming the Agreement keeps its current text).
For instance, one major law firm reported:
“In practical terms, assuming that the draft Withdrawal Agreement is adopted in its current form, personal data flows between the EU and the UK will likely continue unrestricted during the transition period, until at least December 31, 2020” (Hunton’s blog; see references).
Well, I don’t share this view (mainly because of the Schrems ECJ judgment); this blog is devoted to explaining why. I also provide a check-list of actions if your organisation transfers personal data to and from Europe.
What happens on March 29 next year?
There are two facts: (1) the Government intends that the UK becomes a “Third Country” on 29th March 2019; (2) the Government’s objective of obtaining a “special data protection deal” or “a prior assessment of adequacy from the EU”, on the grounds that it has implemented the GDPR, has failed.
The draft Withdrawal Agreement at Article 71(2) implies an adequacy assessment by the European Commission could happen in future (this is expected before the end of the transition period in December 2019), but first the UK has to leave the EU and then the Commission has to follow the rules in Article 45 of the GDPR.
This means that the Commission has to involve the European Data Protection Board (EDPB) as part of the adequacy determination process so it won’t be a quick process. In fact, for the reasons stated below, I suspect the UK will not get an assessment of adequacy at all. (I asserted this in previous blogs for different reasons; see references).
Editorial note: I am using the term “DPA2018” to mean the UK’s implementation of the GDPR via Data Protection Act 2018.
UK’s DPA2018 can be scrutinised
The issue is whether European supervisory authorities can scrutinise the DPA2018 despite the draft Agreement (e.g. if they received a complaint from EU data subjects following a transfer of personal data from the EU to the UK, or following a service offered to EU nationals by a UK-based controller, or perhaps a complaint directly from an EU national residing in the UK).
Such scrutiny is made possible as a result of the Schrems Decision in 2015, as this guarantees the independence of Europe’s supervisory (Data Protection) authorities (see references).
The key part of this judgement, in the context of an adequacy determination under Directive 95/46/EC, states:
“The fact that the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority … from examining the claim of a person … that the law and practices in force in the third country do not ensure an adequate level of protection” (paragraph 66 of the judgment).
In my view, this means any of the 27 EU supervisory authorities can assess whether, in respect of Article 71(1) of the draft Agreement, Union law on the protection of personal data of data subjects outside the United Kingdom actually applies in practice in the United Kingdom.
To make this clear, I have modified the wording of paragraph 66 of the ECJ judgment to show this:
The fact that the EU has agreed that Union Law such as the GDPR (or Law Enforcement Directive) applies in the UK (third country) does not prevent a supervisory authority (in the EU) … from examining the claim of a person (e.g. an EU national) … that the law and practices in force in the third country (the UK) do not implement the GDPR (or Law Enforcement Directive).
Could a Supervisory Authority find the DPA2018 deficient?
One major reason that is likely to give supervisory authorities concern about the data protection offered to “data subjects outside the United Kingdom” is the UK Government’s decision to discount the Recitals to the GDPR in its legislative regime. This was made clear during the Parliamentary passage of the DPBill when a Government Minister said:
“….the Recitals to the GDPR do not have normative effect—they are more akin to Explanatory Notes—and there is no requirement for the UK to enshrine them in legislation …. It is important to say that Recitals do not contain substantive law, nor can they override the express language of a regulation”. (Column 1189, Lords Hansard of 30 Oct 2017, Baroness Chisholm of Owlpen).
In practice, the EDPB will use the Recitals to interpret the GDPR and make binding decisions for harmonising the GDPR across the EU; these decisions are not applicable to a Third Country UK.
In other words, whatever the EDPB determines in the next two years (and beyond) that depends on the Recitals is unlikely to be enforceable in the UK, with the result that the UK’s DPA regime is set to diverge from the European GDPR standards established at the EDPB.
Other issues
Recital 10, for instance, refers to a “margin of manoeuvre” for Member States to vary the GDPR provisions and there are 50 Articles in the GDPR where this margin can be used.
The question that follows from this is whether supervisory authorities will encounter a problem that requires them to assess: (a) whether the UK Government has used this “margin of manoeuvre” in a limited or precise way, or (b) whether it has used the flexibility to drive a “coach and horses” through a particular GDPR provision.
I think there are specific problems that could impact on “data subjects outside the United Kingdom”; these include:
- There could be exemptions in the DPA2018 that are not implemented in any other European data protection implementation of the GDPR (e.g. the immigration exemption, confidential references) or in the Law Enforcement Directive. These could reduce the data protection rights of European data subjects outside the UK (e.g. with respect to personal data transferred from the EU to the UK, or to EU nationals residing in the UK).
- There could be conditions in Schedule 1 of the DPA2018 that permit the processing of special category personal data or criminal offence personal data concerning European data subjects outside the UK (e.g. with respect to personal data transferred from the EU to the UK) in circumstances not permitted in other European data protection laws.
- The unrestrained public task legal basis in Section 8 of the DPA2018 permits broad public task justification for the disclosures of personal data to public sector bodies; these too could concern European data subjects outside the UK.
- Similarly, the “Framework for Data Processing by Government” in Sections 194(4) and (5) of the DPA2018 can fetter the independence of the ICO when enforcing the DPA2018 to protect European data subjects. The fettering arises because it is the Secretary of State (and not the ICO) who provides the text of this Framework, which must be considered by the ICO and the Courts when dealing with data protection issues (see my blog on this Framework).
And all this is before we get to consider the exclusion of the ICO (or other UK regulators) from enforcing data protection rules against the national security agencies, or the impact of the bulk processing of personal data of EU nationals outside the UK which is made lawful under the Investigatory Powers Act 2016.
A check list of actions for UK based controllers and processors
Controllers/processors should, as a matter of urgency, identify the transfers between the EU and UK, as these are at risk; I would assume the Withdrawal Agreement does not exist (given the political uncertainty) and that there is a hard Brexit on March 29 next year. This identification of transfers includes any transfer of personal data made by a Cloud-based service used by them.
Understand that an adequacy determination by the Commission before March 29 is definitely not going to happen – so forget that option.
If controllers/processors depend on controllers (or processors) in the EU transferring personal data to the UK, when the UK is a Third Country, they should consider adopting EU Contract Terms before next March (this is the Government’s preferred option if there is “no deal” – see references).
Alternatively, controllers/processors should open up discussion with their European controllers or processors before Xmas with respect to their preferred transfer alternatives in Articles 44-49 of the GDPR.
Note that Brexit could have a devastating impact on Binding Corporate Rules that have been approved by the ICO; Article 47 states BCRs have to be approved by the competent supervisory authority (i.e. in Europe). In other words, ICO approved BCRs won’t work after next March.
If you are a private sector controller/processor offering services to data subjects residing in the EU, you might need to appoint a Representative in a Member State of the EU with respect to the processing of personal data related to these services. So please look at the exceptions in Article 27.
The location of any Representative in a Member State will make that State’s data protection law supreme (i.e. the UK’s DPA2018 could well be irrelevant for that processing associated with those services). For instance, if your Representative is in France, your Representative will be judged with respect to the French Data Protection law (not the DPA2018). In other words, compliance with two data protection regimes is on the cards; one for these services and the DPA2018 for the rest.
Concluding soundbites
If I were to summarise the above:
- Controllers/processors are likely to need to find a way of safeguarding transfers between the UK and the EU without relying on the Withdrawal Agreement or an adequacy determination by next March; the first step is to identify what transfers take place.
- At any time after Brexit, Europe’s supervisory authorities can assess the protection afforded to personal data processed in the UK by a controller or processor when such data: (a) are transferred to the UK, (b) relate to services offered into the EU, or (c), perhaps, relate to EU citizens residing in the UK who complain to their national supervisory authority.
- It’s a complete mess (especially if there is no Withdrawal Agreement).
When implementing the DPA2018, the UK Government “took generously” to the “flexibility” offered by the GDPR in 50 Articles of the GDPR to ease the pain on controllers (often at the expense of the protection afforded to data subjects).
Such generosity could now rebound as this flexibility applies to EU nationals outside the UK; this could be scrutinised by any European data protection authority following Schrems.
Professor Korff’s view
Professor Douwe Korff is Emeritus Professor of International Law, London Metropolitan University and Associate at the Oxford Martin School, University of Oxford. He has been involved in data protection for decades and has made a detailed analysis of the Withdrawal Agreement. He concludes:
“…It seems likely that transfers of personal data from the EU/EEA to the UK will require onerous measures such as detailed data transfer contract clauses from 30 March 2019. Transferring data without such safeguards will be unlawful and will often also breach contracts…”
I am pleased to provide a link to his far more detailed analysis, which covers aspects not covered here.
Professor Korff’s view: https://ssrn.com/abstract=3287659
References used in the blog:
Hunton’s blog; https://www.huntonprivacyblog.com/2018/11/16/uk-eu-draft-withdrawal-agreement/
Why the UK will not get adequacy? https://amberhawk.typepad.com/amberhawk/2017/01/why-the-uk-is-unlikely-to-get-an-adequacy-determination-post-brexit.html and https://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html
See under "Harmonisation: can a Supervisory Authority challenge Member State law": https://amberhawk.typepad.com/amberhawk/2016/05/will-the-uks-approach-to-the-gdpr-be-harmonised.html
UK Guidance: “Data protection if there’s no Brexit deal”: https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal
Schrems Decision: CJEU Case C‑362/14; Maximillian Schrems v Data Protection Commissioner; 6 October 2015
“A Framework to undermine the ICO’s ability to enforce the new Data Protection Bill across the public sector”: https://amberhawk.typepad.com/amberhawk/2017/11/a-framework-to-undermine-the-icos-ability-to-enforce-the-new-data-protection-bill-across-the-public-.html
Withdrawal Agreement itself: https://www.gov.uk/government/publications/withdrawal-agreement-explainer-and-technical-explanatory-note-on-articles-6-8-on-the-northern-ireland-protocol
Upcoming Data Protection qualification courses
- BCS Data Protection Practitioner Upgrade/Conversion (2 days; London Jan 9 & 10)
- BCS Data Protection Foundation (3 days; London, January 29-31)
- BCS Data Protection Practitioner, London (6 days starts Feb 12)
Details on www.amberhawk.com or by emailing [email protected]