Last week’s Queen’s Speech has been regarded as the Conservative Government’s shop-window of measures for its forthcoming General Election campaign; last Saturday’s vote on the New Withdrawal Agreement relates to what happens to Brexit in the meantime.
This blog assumes the risk of hard Brexit is diminished until December 2020 and that the UK leaves the EU; it covers the relevance of these two events to data protection and concludes:
Item 1: GDPR standards maintained. If there is eventual Parliamentary agreement to the New Withdrawal Agreement and related legislation, there will be no major change to the UK’s data protection regime (apart from some transfers to Gibraltar) until the end of the New Withdrawal Agreement (latest December 2020); all processing will remain subject to GDPR requirements whilst the Agreement applies.
Item 2: New transfer arrangements for the UK. The UK’s new transfer regime is specified in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419); these will apply from Exit Day (which may or may not be 11pm on October 31st). The Regulations anticipate that the UK’s data protection regime will diverge from the GDPR.
Item 3: The Political Declaration. The Declaration associated with the New Withdrawal Agreement does not commit the UK to maintain European GDPR or Human Rights standards.
Item 4: Conservative Party manifestos. The next Conservative Manifesto is likely to include a commitment to repeal the Human Rights Act 1998, withdraw from the Court that adjudicates on the European Convention on Human Rights, and introduce a new UK-wide Bill of Rights. Whether this withdrawal includes the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Council of Europe Convention No. 108) is not clear.
Item 5: Adequacy determination for the UK? Although the European Commission will assess adequacy of the UK’s Data Protection regime by the end of December 2020, I think it unlikely that the UK’s regime will ever be judged adequate if the UK is not aligned with EU standards in any final Trade Agreement (especially if Items 3 and 4 are followed).
The rest of the blog gives more detail on Items 1 to 5 above and substantiates the above claims.
Item 1: GDPR standards maintained.
The fact that GDPR standards apply if there is Parliamentary approval of the New Withdrawal Agreement follows from the text of Article 71 (Protection of personal data). This states that:
“Union law (e.g. the GDPR) on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data were processed under Union law in the United Kingdom before the end of the transition period …”
This provision protects personal data relating to data subjects outside the UK. However, the UK has implemented the GDPR (with derogations in the DPA2018) and this law applies to data subjects inside the UK.
Since all data subjects are either inside or outside the UK, GDPR standards currently apply to the processing concerning all data subjects so long as the New Withdrawal Agreement applies. In other words, there are no exceptional transfer or DP issues (except the compliance options that arise from the GDPR itself).
Item 2: New transfer arrangements for the UK
Paragraph 9 of the Political Declaration states that “…the United Kingdom will be establishing its own international transfer regime, the United Kingdom will in the same timeframe take steps to ensure the comparable facilitation of transfers of personal data to the Union…”.
This new UK international transfer regime (and other details) can be found in the “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (SI 2019/419), which come into force on “Exit day” (whenever that is). In summary, these Regulations:
- Preserve GDPR standards in domestic law via the creation of a “UK_GDPR” which is separate from what is known as the “EU_GDPR”; it is the separation into two GDPRs that provides a mechanism for eventual divergence between the two GDPRs (e.g. post New Withdrawal Agreement).
- Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ for transfers outside the UK. Note that the European Commission has not identified Gibraltar as being adequate and this might be problematic for those controllers involved in transfers of personal data between Member States of the EU and Gibraltar (e.g. when the UK is an intermediary in the transfer arrangements – EU to UK to Gibraltar).
- Preserve all existing European Commission adequacy decisions (e.g. Privacy Shield and those for territories such as the Isle of Man, Jersey and Guernsey).
- Recognise European Commission Standard Contractual Clauses as valid for transfers and give the ICO or Secretary of State the power to issue new contract clauses.
- Recognise all Binding Corporate Rules authorised before Exit Day as being valid.
- Give powers to the Secretary of State to determine or revoke adequacy (via negative resolution with no input from the ICO); this risks the prospect that UK data protection adequacy determinations can form part of a future trade deal.
- Introduce extraterritoriality into the UK data protection framework (e.g. EU controllers offering services into the UK will need to appoint a representative in the UK when the New Withdrawal Agreement ends). This representative requirement also applies if a UK controller (as a fully-fledged Third Country controller after December 2020) offers services into the EU.
- Remove the “Applied GDPR” in favour of the “UK_GDPR” (so public bodies should update references to the interface between Data Protection and FOI(S)A or EIR(S), which were subject to the Applied GDPR).
The main structural change is the notion of a UK_GDPR and an EU_GDPR, as this allows a future Government the flexibility to move the UK data protection regime away from GDPR standards (e.g. after December 2020 when the Withdrawal Agreement ends). Of course, politicians will claim that UK DP standards could be enhanced, but look at Items 3 and 4 before you decide whether to believe them.
Item 3: The Political Declaration
The following quotes are from the Political Declaration (a set of broad objectives for UK-EU negotiations for the transition period) associated with the New Withdrawal Agreement; my comments are at the end of each paragraph quoted (my emphasis throughout).
The text of the Declaration suggests that, unlike EU Member States, the UK is not committed to maintain European standards of data protection and privacy rights enshrined in the Human Rights Act and European Convention on Human Rights. Indeed, Item 4 shows the Conservatives are likely to promote a “British Bill of Rights” which is likely to diverge from European Human Rights standards.
- From Paragraph 7: “…The future relationship should incorporate the United Kingdom's continued commitment to respect the framework of the European Convention on Human Rights (ECHR), while the Union and its Member States will remain bound by the Charter of Fundamental Rights of the European Union, which reaffirms the rights as they result in particular from the ECHR…” Comment: contrast the mandatory wording that applies to the European Union (“remain bound”) with the non-committal wording that applies to the UK (“should…respect” the ECHR).
- From Paragraph 9: “…The future relationship will not affect the Parties' autonomy over their respective personal data protection rules…” Comment: the text allows the UK, as an autonomous state, to enact changes to the UK_GDPR that diverge from the European norms of data protection in the EU_GDPR.
- From Paragraph 38: “…The Parties will retain their autonomy and the ability to regulate economic activity according to the levels of protection each deems appropriate in order to achieve legitimate public policy objectives such as … privacy and data protection…” Comment: this repeats the suggestion that the UK can diverge from European norms of data protection.
- From Paragraph 81: “…The Parties agree that the scale and scope of future arrangements should … be underpinned by long-standing commitments to the fundamental rights of individuals, including continued adherence and giving effect to the ECHR, and adequate protection of personal data…” Comment: as Paragraph 7 above states that the EU is not diverging from European norms of data protection and fundamental rights, it follows that the use of the word “should” applies to the UK (as in: the UK should follow the ECHR but is not bound to do so).
Item 4: Conservative Party manifestos
The Conservatives’ promise to repeal the UK’s Human Rights regime has been enshrined in three previous General Election Manifestos over the last decade, and is unlikely to change. The text in these Manifestos is as follows:
- “…To protect our freedoms from state encroachment and encourage greater social responsibility, we will replace the Human Rights Act with a UK Bill of Rights…” (2010 Manifesto).
- “…The next Conservative Government will scrap the Human Rights Act, and introduce a British Bill of Rights. This will break the formal link between British courts and the European Court of Human Rights…” (2015 Manifesto).
- “…We will not repeal or replace the Human Rights Act while the process of Brexit is underway but we will consider our human rights legal framework when the process of leaving the EU concludes…” (2017 Manifesto).
Comments posted by the current Foreign and Home Secretaries (Dominic Raab MP and Priti Patel MP) concerning the UK Human Rights regime reinforce the view that the Human Rights Act is in trouble. For example, Ms. Patel said the Human Rights Act was a “glaring example of what is going wrong in our country”; Dominic Raab has been advocating a British Bill of Rights to replace the Human Rights Act since 2009.
The problem is that there are several Article 8 cases taken to the ECHR Courts that overturn the judgment of the most senior British Courts (most notably UK v Marper, which concerned DNA retention; a 5-0 decision by the House of Lords in favour of the Home Office became a 17-0 defeat in the European Court of Human Rights; see references). If the UK were reliant on a UK-limited “Bill of Rights”, the judgments of the British Courts in these types of case, which went against data subjects, could not be overturned.
Of course, if the UK withdraws from the ECHR it could also withdraw from Council of Europe Convention No 108, which has been the linchpin of European Data Protection law (e.g. in favour of the OECD Guidelines).
Item 5: UK and an adequacy determination
Difficulties arise from the fact that the European Commission has to seek the views of the European Data Protection Board over any UK adequacy determination; this makes it more difficult to have a “politically motivated” adequacy determination of the kind that happened under Directive 95/46/EC.
The Board will quickly see that:
- Further modifications of the UK_GDPR are possible using wide powers in the European Union (Withdrawal) Act 2018 in areas where Member States cannot vary the provisions of the EU_GDPR (e.g. rights, Principles, any definition, powers of regulators, fines). This means that if the European Commission were to determine the UK_GDPR as adequate prior to December 2020 (as expected by the Political Declaration), a future Secretary of State after December 2020 (when the UK is a wholly independent Third Country) can vary, by order, any provision of the UK_GDPR that was important to that adequacy determination.
In other words, the European Commission, when looking at the data protection regime, will need guarantees that what it considers adequate will remain part of UK data protection law.
- If you look at the current ICO Guidance on the GDPR, it is often linked to the Recitals in the GDPR. In UK data protection terms (e.g. after December 2020), these Recitals relate to the EU_GDPR and not the UK_GDPR.
It is therefore difficult to see what reliance can be placed on these Recitals if they relate to the EU_GDPR and not the UK_GDPR. These Recitals will be central to the interpretation of the GDPR by the European Data Protection Board (and its determinations) which obviously will have no effect in the UK (as an independent Third Country).
In other words, any analysis of the UK_GDPR has to start from the premise that it is, at best, a partial implementation of the EU_GDPR (which can be changed very easily – see paragraph 1 immediately above).
- There could be exemptions in Schedules 2-4 of the DPA2018 that are not mirrored in other Member States’ national data protection law (e.g. immigration, confidential references etc.) which diminish the rights and freedoms of EU nationals in the UK. The same goes for the conditions in Schedule 1 for processing special category personal data and criminal offence information of EU nationals.
- There is no implementation in the DPA2018 of A.23(2), which relates to legislative safeguards for data subjects when exemptions are fashioned by Member States. In the UK_GDPR, the safeguards have to be introduced by regulations under S.16 of the DPA2018; if there are no regulations (the current position), the safeguard in A.23(2) will be effectively removed from the UK_GDPR.
- The status of Codes of Practice produced by the Secretary of State (e.g. under Digital Economy Act 2017) and the Framework for Data Processing by Government (in S.191-S.194 of the DPA2018) raises the question of whether the ICO is an independent regulator. These documents are produced by a Secretary of State responsible for the processing of personal data by the relevant Government Department and represent a conflict of interest.
As Government Departments are large controllers, there is a risk that these documents could skew the delicate data protection balance between data subjects and controllers in favour of the controller and Departmental processing interests (and the political interests of the relevant Secretary of State, who is accountable for the actions of the Department).
For instance, as the Framework must be taken into account when the ICO is using its enforcement powers, there is a risk that it could fetter the independence of the ICO when acting to protect data subjects.
- The Investigatory Powers Act 2016 and bulk personal data collection are a problem, especially if the UK departs from European standards of Human Rights (see Item 4). This is well known and so I won’t repeat the arguments here.
Given all of the above, I think it unlikely that the UK will gain an adequacy determination if the final Trade Agreement allows for the UK to significantly diverge from EU standards (e.g. the loose type of Trade Agreement favoured by many Conservative MPs).
Concluding comments
The next General Election before Xmas will be important to data protection in the UK; those who worry about the state of privacy in the UK should engage with the hustings in earnest.
References
New Withdrawal agreement and political declaration on: https://www.gov.uk/government/publications/new-withdrawal-agreement-and-political-declaration
Text of the UK_GDPR and revised DPA2018 on: https://www.gov.uk/government/publications/data-protection-law-eu-exit
Blog on the draft “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (which have been enacted as SI 2019/419) https://amberhawk.typepad.com/amberhawk/2019/01/draft-brexit-data-protection-regulations-would-undermine-adequacy-determination-for-the-uk.html
Blog on the problems arising from the Marper DNA retention case and a British Bill of Rights; see from the middle of https://amberhawk.typepad.com/amberhawk/2015/05/index.html
Details of the popular UPDATE session (1 day, November 18):
AGENDA: Monday, 18 November 2019, London
Update on Brexit, adequacy and the replacement for the Privacy and Electronic Regulations (PECR). Elisabeth Stafford, DCMS, Head of Policy on EU Data Flows
Case Law Review or Morrisons case. Rosemary Jay (Solicitor, Hunton Andrews Kurth LLP)
"Google's approach to transparency, control and grounds for processing" ; William Malcolm; Legal Director of Google, Privacy
Update on PI’s campaign against ad-tech companies and mental health websites. Eliot Bendinelli, Privacy International
News from the FOIA/DPA interface? Sue Cullen (Director, Amberhawk)
Guidance from the ICO/EDPB checklist and related comments. Dr. C. N. M. Pounder (Director, Amberhawk).
News Roundup: Recent enforcement and audit reports. Dr. C. N. M. Pounder (Director, Amberhawk)
Venue for the Update is in Central London; £260+VAT for the day, booking arrangements from http://www.amberhawk.com/bookevents.asp or by emailing [email protected]