In his speech in Greenwich on Monday, Boris Johnson signalled that he is prepared, if needed, for the UK to depart from GDPR norms of data protection. About an hour earlier, the European Union published a document which stated that any such departure would likely put the kibosh on any adequacy determination for the UK and stall co-operation (e.g. data sharing) in the field of law enforcement.
In this Blog I provide quotes from the documents and speech so readers can identify the central data protection issues; I also make a few comments on what I think the situation is.
In his speech, the Prime Minister said:
“There is no need for a free trade agreement to involve accepting EU rules on competition policy, subsidies, social protection, the environment, or anything similar any more than the EU should be obliged to accept UK rules”.
Followed by
“We will restore full sovereign control over our borders and immigration, competition and subsidy rules, procurement and data protection” (my emphasis)
No documentation was published by the UK Government that fleshes out what the Prime Minister meant by the above reference to “data protection”. However, all I point out is that the European Union (Withdrawal) Act 2018 has anticipated divergence from the GDPR; the Government has created a UK_GDPR by using powers in that Act to modify most Articles of the GDPR. The unamended GDPR is to be called the EU_GDPR.
These changes are delivered by the “Data Protection, Privacy and Electronic Communications (EU Exit) Regulations” SI 419/2019 (“the Regulations”). Apart from the provisions that relate to transfers of personal data outside the UK, the Regulations make a variety of superficial changes (e.g. change “GDPR” to “UK_GDPR”). However, if the Prime Minister is true to his word, these powers could be used to make future changes that are far more substantial if trade negotiations with the Commission fail and the UK decides not to follow established EU standards.
For instance, Ministers have the powers under the European Union (Withdrawal) Act to modify any data subject right, any Principle, any enforcement mechanism, the offences in the DPA2018, or any controller or processor obligation - all with little recourse to Parliamentary scrutiny. Perhaps this is what is meant by “taking back control”.
By contrast, the Commission’s “Recommendation for a Council Decision authorising the opening of negotiations for a new partnership with the United Kingdom of Great Britain and Northern Ireland” (the “Recommendation”; see references) makes some important data protection comments which, in summary, state that any divergence by the UK from the GDPR creates an increasing risk to any adequacy determination in favour of the UK.
For instance, the Recommendation states:
“In view of the importance of data flows, the envisaged partnership should affirm the Parties’ commitment to ensuring a high level of personal data protection, and fully respect the Union’s personal data protection rules, including the Union’s decision-making process as regards adequacy decisions” (Recommendation, paragraph 12). Comment: The Regulations specify Gibraltar as offering an adequate level of protection; the Commission has not made such an adequacy determination for Gibraltar. Could this become an example of the UK not showing “respect”?
“…. the envisaged partnership should include provisions …(that) …provide for consumer protection in the online environment and on unsolicited direct marketing communication. These provisions should address data flows, while not affecting the Union’s personal data protection rules” (Recommendation, paragraph 44). Comment: If the UK ignores the replacement PECR rules that the European Union expect to agree this year, this too could impact on an adequacy determination.
With respect to law enforcement and judicial cooperation in criminal matters, “…The envisaged partnership should be underpinned by commitments to respect fundamental rights including adequate protection of personal data....(and) …should provide for automatic termination of the law enforcement cooperation and judicial cooperation in criminal matters if the United Kingdom were to denounce the European Convention of Human Rights (ECHR)” (Recommendation, paragraph 112). Comment: there appears to be an EU red-line here; if the UK withdraws from the ECHR to a significant degree, then law enforcement co-operation stops. I remind readers that the Conservative Manifesto for last year’s General Election promises to “update the Human Rights Act and administrative law” (whatever “update” means in practice).
The envisaged partnership “…should also provide for automatic suspension if the United Kingdom were to abrogate domestic law giving effect to the ECHR, thus making it impossible for individuals to invoke the rights under the ECHR before the United Kingdom’s courts. The level of ambition of the law enforcement and judicial cooperation envisaged in the security partnership will be dependent on the level of protection of personal data ensured in the United Kingdom” (Recommendation, paragraph 113) Comment: no comment required; the Commission’s meaning is abundantly clear.
“…The envisaged partnership should provide for suspension of the law enforcement and judicial cooperation set out in the security partnership, if the adequacy decision is repealed or suspended by the Commission or declared invalid by the Court of Justice of the European Union (CJEU)…” (Recommendation, paragraph 113). Comment: this appears to threaten any UK adequacy determination, if Ministers use powers to ensure the UK_GDPR diverges significantly from the EU_GDPR.
“…The security partnership should also provide for judicial guarantees for a fair trial, including procedural rights, e.g. effective access to a lawyer…” (Recommendation, paragraph 113). Comment: I find this statement gobsmacking as I have seen nothing which has led me to believe that the UK is going down this route. However, given the controversy today about emergency terrorism legislation, I can see circumstances where a hypothetical, right-wing, populist Home Secretary, supported by a large, docile Parliamentary majority, entertains ideas like this.
“…reciprocal exchanges between Passenger Information Units of Passenger Name Record (PNR) data and of the results of processing such data stored in respective national PNR processing systems… should comply with the relevant requirements, including those set out in the Opinion 1/15 of the CJEU” (Recommendation, paragraph 114). Comment: Opinion 1/15 sets out a number of requirements to ensure that the transfer and processing of Passenger Name Record personal data is compatible with European data protection and human rights obligations. The Government has stated that it is not going to be subject to CJEU decisions.
When looking at the above, remember the Prime Minister’s Election mantra: “get Brexit done”. The problem for data protection specialists is that we have yet to find out who has been “done”.
References
Opinion 1/15 of the CJEU on PNR: http://curia.europa.eu/juris/document/document.jsf?text=&docid=193216&doclang=EN
The “Data Protection, Privacy and Electronic Communications (EU Exit) Regulations” SI 419/2019: http://www.legislation.gov.uk/uksi/2019/419/made
Recommendation for a Council Decision authorising the opening of negotiations for a new partnership with the United Kingdom of Great Britain and Northern Ireland.