Belated Happy New Year.
One thing can be certain following the recent Brexit Parliamentary shenanigans. The UK will eventually choose from: (a) a hard Brexit; (b) a deferred Brexit; (c) a Brexit perhaps softer than Mrs May’s defeated Brexit, or (d) no Brexit. As most options involve Brexit, the approach the Government has adopted to align Brexit with the GDPR is important.
The draft “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (the “Regulations”) were tabled in revised form in January this year; there are hundreds of similar Regulations covering a myriad of Brexit issues and it is reasonable to assume there will be little Parliamentary scrutiny of many Regulations.
The DP Regulations, in my view, undermine the prospect of any UK adequacy determination from the European Commission. This is primarily because of the changes to the DPA2018 that relate to transferring personal data outside the UK (although the Regulations raise concerns over independence of the Information Commissioner (ICO)).
The Regulations comprise 64 pages of terse amendments to both the DPA2018 and GDPR. As there is not much in the way of official documentation explaining the amendments, understanding their detailed impact has been made unnecessarily difficult. That is also why there has been little critical commentary on them.
Although implementation of the Regulations depends on whether Brexit is going ahead, controllers should assume that these Regulations will be approved. In other words, the actions identified at the end of last month’s blog remain essential; the ICO has issued Brexit Guidance this month which covers the same area (see references).
Why the Regulations undermine adequacy
The Regulations define an “EU GDPR” and a “UK GDPR”, the latter being distinguished from the “EU GDPR” by 80 paragraphs of modifications found in Schedule 1 of the Regulations.
The objective is to fashion a new UK version of the GDPR (called the “UK GDPR”) and remove the existing “applied GDPR” from the DPA2018. The “applied GDPR” has always been a mystery: it is the form of the GDPR that applies when processing of personal data is not subject to the GDPR (which of course, includes that processing of personal data if the UK was not a Member State of the EU following Brexit).
Note that the concepts of “EU GDPR” and “UK GDPR” create two versions of the GDPR, and imply that these two versions will diverge over time as the UK “takes back control”. This view is confirmed by the decision to expunge any reference to “harmonisation” from the text of the UK GDPR. So, if harmonisation between the “EU GDPR” and “UK GDPR” is no longer a legislative objective, it follows that these two versions of the GDPR can diverge.
Powers to diverge differ
The European Withdrawal Act allows for modifications to the UK GDPR across any Article. This means the UK GDPR can be modified to a greater extent than the GDPR which only allows Member States to modify certain limited provisions in about 50 Articles.
Recital 10 of the GDPR describes the potential for Member States to modify the GDPR as a relatively narrow “margin of manoeuvre” so as to establish data protection mechanisms that accommodate national custom (e.g. Member States can fashion their own GDPR/FOI interface).
By contrast, the UK GDPR’s potential for modification is better described as permitting a “coach and horse” to be driven through it. This is because the (European Withdrawal Act) powers available to Ministers can permit variation to any obligation in the UK GDPR (including to Principles, definitions, rights, security and transfer arrangements). Such fundamental changes to the data protection regime cannot be applied by Member States to the GDPR.
This means that the DPA2018 and the UK GDPR can be changed significantly, at short notice, via the use of these powers (e.g. if a post-Brexit UK Government sees trade benefits in reducing established standards of data protection).
Representative in the UK
The main variations specified in the Regulations concern transferring personal data outside the UK. Here the UK GDPR introduces a definition of “Third Country” (Regulation 6(13)) as a “country or territory outside the UK”. This raises the prospect that a controller in the EU offering services into the UK needs to appoint a Representative in the UK.
I have not been able to fathom what this Representative does or indeed why such a position is necessary for controllers satisfying the EU GDPR. However, I suspect some “tit for tat” is afoot (e.g. if a UK controller offering services into the EU needs to appoint a representative, then any EU controller offering services into the UK can jolly well do the same).
So, consider an EU multinational that has controllers established in the UK, Greece, Malta and France. The UK GDPR controller has to establish one representative in the EU but each of the controllers in Greece, Malta and France has to establish a representative in the UK. If I am correct here, this appears to be rather petty.
Transfers outside the UK
The Regulations give the Secretary of State (“SoS”) powers to determine whether a Third Country offers an adequate level of protection. When making an adequacy determination, there is no prior requirement placed on the SoS to consult the ICO about the status of data protection in that Third Country.
In addition, any SoS adequacy determination is approved via a negative resolution procedure, thereby guaranteeing hardly any Parliamentary scrutiny. Use of the negative resolution procedure means that any adequacy determination will become law on the day the SoS signs the paperwork and automatically remains law unless a motion – or ‘prayer’ – to reject the determination is agreed by either House within 40 sitting days.
In summary, there is a prospect that UK GDPR adequacy determinations are made with no data protection input and no Parliamentary scrutiny. This enhances the prospect that the transfer provisions form part of trade negotiations between the UK and Third Countries: “if you take our cars without import tariffs, we will take your chlorinated chickens and chuck in an adequacy determination as well”.
For example, one can easily see the SoS making an adequacy determination for Australia as part of any trade deal. This compares with the EU GDPR, where the Commission has to seek the views of the European Data Protection Board if the Commission wants to consider an adequacy determination, and where adequacy determinations can be challenged by the European Parliament. It is noteworthy that the European Commission has not determined that Australia is adequate under Directive 95/46/EC (although New Zealand is adequate).
The Regulations state that Gibraltar is adequate; this is not the case with the Commission's current list of territories that are adequate.
Questions and more Questions
There are two questions that immediately follow:
- Can the European Commission assess the UK as offering an adequate level of protection, if the Secretary of State can determine that a Third Country offers an adequate level of data protection when the Commission thinks that Third Country is not adequate?
- Can a European controller safely transfer personal data into the UK when the SoS determines that onward transfer to a Third Country is adequate but the Commission has not made such an adequacy determination?
The above questions have to be combined with the SoS’s flexibility to change any provision of the UK GDPR via the powers described above.
- Can the European Commission and the European Data Protection Board assess the adequacy status of the UK GDPR if, at any time after that adequacy determination, the UK GDPR can be changed significantly almost at the whim of the Secretary of State?
Independence of the Commissioner?
The modified Article 52 still allows the ICO independence of action; however, the ICO is not wholly independent. Consider the changes proposed by Regulation 45(3), which says:
In paragraph 1 (of Article 51) —
(a) for “Each Member State shall provide for one or more independent public authorities to be” substitute “The Commissioner is”;
(b) omit “within the Union (“supervisory authority”)”.
Applying the above changes, Article 51(1) of the GDPR becomes (deleted words shown in square brackets and marked “omitted”, substituted words in square brackets):
51(1). [omitted: Each Member State shall provide for one or more independent public authorities to be] [The Commissioner is] responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data [omitted: within the Union ('supervisory authority')].
Note that the amendments could have easily kept the notion of an independent Commissioner. For instance:
51(1). The Commissioner is an independent public authority responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data.
Now ask yourself a simple question: could the non-inclusion of the word “independent” hinder an adequacy determination on the grounds that it suggests the ICO is not “independent”?
The changes have been made so that the ICO continues to fall within the responsibility of the SoS of the DCMS and does not directly report to Parliament, as previous Commissioners have wanted. In addition, the Regulations remove the obligations in Articles 52(4) to 52(6), which effectively provide for adequate resources to be allocated to the ICO, for the ICO to choose its own staff, and for the ICO not to be starved of funding.
Will these exclusions influence any adequacy determination by the Commission? What do you think?
References used in the blog:
The draft “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (as published in January 2019 not December 2018) http://www.legislation.gov.uk/ukdsi/2019/9780111178300/pdfs/ukdsi_9780111178300_en.pdf
ICO advice on Brexit: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/12/data-protection-and-brexit-ico-advice-for-organisations/
Blog on Brexit and the Withdrawal Agreement: https://amberhawk.typepad.com/amberhawk/2018/11/draft-withdrawal-agreement-does-not-guarantee-frictionless-free-flow-of-personal-data-from-european-union.html
Update Conference
The next conference is on 4th March in London. It includes two sessions on Auditing GDPR compliance, a session on Marketing under the GDPR, the new UK GDPR Regulations and Brexit, and the recent actions of Privacy International. We round up with problems with the GDPR/FOI interface and a review of relevant GDPR documentation. The draft agenda is on: http://www.amberhawk.com/bookevents.asp
Upcoming Data Protection qualification courses
BCS Data Protection Practitioner Upgrade/Conversion (2 days; London Feb 6 & 7)
BCS Data Protection Foundation (3 days; London, January 29-31)
BCS Data Protection Practitioner, London (6 days starts April 2)
Details on www.amberhawk.com or by emailing [email protected]