Can I wish blog readers a belated “Happy New Lockdown”?
This blog considers two issues (a) the adequacy arrangements in the EU-UK Trade Agreement (the “Agreement”) and (b) electronic marketing provisions in the Agreement which might sink the “soft opt-in”.
But first a reminder for readers to refer to the UK_GDPR and EU_GDPR from now on. These two GDPR variants are established by the “Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019” (the “Brexit DP Regs”) which also made many changes to the text of the DPA2018 (see references for a link to the changed texts).
However, before starting, I draw attention to Article COMPROV.17 of the Agreement and the definitions in paragraph 1(a) and 1(d). These are the same as the EU_GDPR’s definition of “data subject” and “personal data”; it means that the UK cannot change these definitions in the UK_GDPR without resiling from the Agreement.
For instance, problems would arise if the UK were to introduce a narrower definition of “personal data” on the lines of “PII” (much beloved in the USA) or introduce a nationalistic qualification to the definition of “data subject” (e.g. so that the UK’s DP regime only applied to living UK citizens).
Transfers and adequacy
With respect to transfer arrangements, the Agreement effectively “kicks the can down the road” for 6 months at least; the “can” in this case being “any adequacy determination for the UK”. The detail is found in Article FINPROV.10A dealing with “Interim provision for transmission of personal data to the United Kingdom”.
Paragraph 1 of FINPROV.10A states that transfers of personal data from the EU to the UK are deemed to satisfy the adequacy arrangements of the EU_GDPR for a “specified period”. This specified period ends either:
(a) when “adequacy decisions in relation to the UK are adopted by the European Commission”, or
(b) “on the date four months after the specified period begins, which period shall be extended by two further months unless one of the Parties objects”.
In practice, this means there are 4 months, extendable by 2 months, for the European Commission to make an adequacy determination for the UK. This is conditional on the UK not modifying the UK_GDPR to create a significant divergence from the EU_GDPR within the next 4 months (e.g. the Secretary of State designating new UK trading partner countries as being adequate for the transfer of personal data outside the UK as part of a Trade Deal).
If there is such a divergence, then the interim adequacy arrangement described in paragraph 1 ends immediately and any transfer from the EU to the UK has to meet the usual EU_GDPR provisions for transfers to a Third Country (in A.44-A.50 of the EU_GDPR).
However, there is flexibility for the UK to do some non-controversial tweaking (e.g. make changes to the UK_GDPR which carry the agreement of both Parties; changes to keep the UK_GDPR in step with EU law).
Conclusions about Adequacy
I think the eventual position with respect to adequacy is as follows:
- The UK will not make significant unilateral changes to the UK_GDPR in the next six months.
- This lack of change in turn means the UK is likely to obtain an adequacy determination as the UK_GDPR has not significantly diverged from the EU_GDPR.
- However, such an adequacy determination will be contingent on future non-divergence from data subject rights, major definitions and key obligations of the EU_GDPR.
- The UK will be able to make marginal changes to the UK_GDPR without jeopardising any future adequacy determination. However, if the UK were to instigate a major unilateral divergence from the EU_GDPR (e.g. to reduce data subject rights in the UK_GDPR) then the adequacy determination would be in jeopardy.
In previous blogs, I have drawn attention to deficiencies in the UK’s data protection regime; these remain (see references). However, given the extensive economic turbulence associated with COVID (and Brexit), a Nelsonian Blind Eye will be turned on these deficiencies for as long as possible.
As the Agreement excludes services offered by the City of London (e.g. transfers of financial personal data between EU and UK), any major unilateral change to the UK_GDPR would jeopardise any future UK-EU Agreement over such services.
In other words, if the UK wants to expand the Agreement to other areas (e.g. services, law enforcement), or if the Government wants an adequacy agreement to last for say 5 years, it cannot vary the UK_GDPR too far away from the EU_GDPR.
That is why readers who have data protection responsibilities in the European Union should not forget the fallout from Schrems II. For instance, if the UK_GDPR diverged significantly from the EU_GDPR, or even if there is an adequacy determination and no divergence, controllers transferring personal data from the EU to the UK are required by Schrems II to assess whether further data protection safeguards are needed before any transfer from the EU to the UK occurs (see Schrems II blog; reference below).
The more the divergence between EU_GDPR and UK_GDPR, the more there will be a need to consider these further safeguards.
Electronic direct marketing rules
I now turn to my assertion that the “soft opt-in” might be mortally wounded; this is an inference from “TITLE III: DIGITAL TRADE” of the Agreement.
Article DIGIT.7 on the “Protection of personal data and privacy” commits the EU and UK to recognise “that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade” (my emphasis).
From the EU perspective, the “high standards” are established via the EU_GDPR and any future ePrivacy Regulation (see references for URL to the latest text). Although the UK can adopt different measures to ePrivacy (or ignore ePrivacy), the level of the protection in the UK again cannot diverge too far from the EU’s “high standards” if cross-border personal data transfers in Digital Trade are to occur freely.
Article DIGIT.14 concerns “Unsolicited direct marketing communications” where a "direct marketing communication" is defined to be “any form of commercial advertising by which a natural or legal person communicates marketing messages directly to a user via a public telecommunications service and covers at least electronic mail and text and multimedia messages (SMS and MMS)”. (My emphasis).
Notice that an unsolicited direct marketing communication as defined could, via the use of “at least” in the above, involve a phone call. I shall return to this later.
Paragraph 2 of DIGIT.14 states that the EU and UK “shall ensure that users are effectively protected against unsolicited direct marketing communications” and both parties “shall ensure that direct marketing communications are not sent to users who are natural persons unless they have given their consent in accordance with each Party's laws to receiving such communications” (my emphasis).
“Consent” in the UK, via paragraph 8 of the Brexit DP Regs, is the UK_GDPR’s definition of “consent” (which is the same as the EU_GDPR’s definition in A.7). A “user” for completeness is “any natural or legal person using a public telecommunications service”. So, in the UK, individuals have to consent to EU_GDPR standards if their email address is used for marketing.
Paragraph 3 of DIGIT.14 then adds an exception:
“Notwithstanding paragraph 2, a Party shall allow natural or legal persons who have collected, in accordance with conditions laid down in the law of that Party, the contact details of a user in the context of the supply of goods or services, to send direct marketing communications to that user for their own similar goods or services”. (my emphasis)
The main law of the UK covering electronic direct marketing is currently the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK_GDPR. However, it is the words “who have collected” in the above that provide the argument for the death of the “soft opt-in”.
Recital 22 of PECR states, for instance, that an organisation that “has obtained the contact details” (e.g. an individual’s email address) in “the course of the sale” can use contact details for direct marketing their own similar products via a “soft opt-in” procedure. Note the collection of an email address is “in the course of a sale” (i.e. the collection of email address forms part of the customer’s purchasing transaction).
Now look at the situation in paragraph 3 where the words “in the course of a sale” are missing. The words describing a legal person (e.g. organisation) “who has collected” an email address describe a person who has already collected a customer email address BEFORE the customer’s purchasing transaction. Such a customer could be a returning customer or existing customer where the email address has been collected previously.
In other words, the “soft opt-in” can be relied on for marketing to existing customers whose email address has already been captured (paragraph 3 of DIGIT.14) but not for new customers who are required to provide their consent to EU_GDPR standards (paragraph 2 of DIGIT.14) if their email address is to be used for marketing. If this analysis is correct, then the “soft opt-in” will decay over time.
Of course, I can easily be wrong; I recognise that the UK can legislate independently so the words “in the course of a sale” could become a “condition laid down” in UK law. But if this is the case, the Agreement permits a “soft opt-in” procedure to apply to unsolicited telemarketing.
The application of the “soft opt-in” to telemarketing is not permitted by the existing PECR Regulations, and if it were to happen in the UK, the EU’s high standards would not be met. Thus, if this were to happen, I doubt whether the UK could maintain any adequacy determination (as the UK could become a haven for unscrupulous marketing calls).
The final two paragraphs of DIGIT.14, for completeness, are a continuation of PECR standards:
- direct marketing communications are clearly identifiable to users; identify on whose behalf they are made; and contain the necessary information to enable users to request cessation free of charge and at any moment.
- users are provided with access to redress against suppliers of direct marketing communications that do not comply with the measures in 14.
Concluding comment
Aging hippies like myself can remember that in the late 1980s, a proudly independent UK under Mrs Thatcher was not a member of the Exchange Rate Mechanism which kept the currencies of the other Common Market countries at more or less a constant exchange rate (as a precursor to the Euro).
However, Chancellor Nigel Lawson implemented a secret policy of “shadowing the Deutschmark” and instructed the Bank of England to keep the UK exchange rate just under £1.00=3.00DM, but never formulated it as formal policy, nor discussed it with anyone else. In this way, the UK could still claim it had an independent monetary policy, free from this European ERM nonsense – much in the same way that unsubstantiated claims were plastered on the side of a certain red bus in 2016.
It’s a similar position here. The UK has reclaimed its laws, borders and currency and has made an Agreement which commits it to maintain certain data protection standards. If the UK wants an adequacy determination, the price will be that the UK cannot diverge too far from European DP standards.
In other words, to maintain any long-term adequacy determination from the European Commission, the UK_GDPR will have to “shadow the EU_GDPR”.
References
Keeling Schedules for UK_GDPR and changes to the DPA2018 https://www.gov.uk/government/publications/data-protection-law-eu-exit
Deficiencies in the UK’s Data Protection regime: https://amberhawk.typepad.com/amberhawk/2020/11/an-adequacy-determination-does-not-resolve-the-lower-standard-of-data-protection-in-the-uk.html
Blog on Schrems II: https://amberhawk.typepad.com/amberhawk/2020/07/standard-contract-terms-post-schrems-ii-when-do-you-need-additional-safeguards-for-data-subjects.html
Latest ePrivacy Regulation text: https://www.statewatch.org/news/2021/january/eu-e-privacy-regulation-council-presidency-aims-for-consensus-with-amended-text/