Today’s Sunday Telegraph reports, on its front page, that the UK Government is sympathetic to the idea that Judgments made by the European Court of Human Rights (ECHR) in Strasbourg do not automatically apply in the UK. If such non-application occurred, then it would jeopardise the Adequacy Agreement concerning personal data flows from the EU to the UK, as finalised by the European Commission last Friday.
Why is the UK deemed adequate?
Recital 5 to the Agreement states “that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom”.
I am sure many privacy advocates will disagree with the above statement. However, in my view, it is difficult to say the UK is not adequate, if UK data protection law is almost the same (word for word) as the GDPR. For instance, the EU_GDPR has the same definitions, Principles, rights and controller and processor obligations as the UK_GDPR.
The only exception is with the transfer arrangements of the UK_GDPR and even these are aligned with, or very similar to, the EU_GDPR provisions.
Some Privacy NGOs on the continent are likely consider commencing the long march through the legal institutions to challenge the Adequacy Agreement, but until such a challenge succeeds, and the CJEU determines that the UK is not adequate, then all is well for transfers to the UK from the EU.
Of course, the UK’s version of the GDPR can be modified at the drop of a hat but until that happens to a significant degree, in a way that impacts on the rights and freedoms of EU citizens, then the UK would remain adequate and transfers of personal data from the EU can continue. Remember the EU's concern is EU data subjects; it is not interested in the privacy protection afforded to UK citizens.
Note that the Adequacy Agreement accommodates the recent Court of Appeal judgement that determined the immigration exemption unlawful (see references), Article 1 of the Adequacy Agreement excludes any transfer that covers “personal data that is transferred for purposes of United Kingdom immigration control or that otherwise falls within the scope of the exemption…”.
Clearly, this exemption is likely to cover Human Resources personal data flowing into the UK from the EU, but as the Border Agency obtains personal data from: the sponsors of data subjects, UK government departments, credit reference agencies, fraud prevention agencies, banks, local authorities and public health bodies, several other types of transfers might not be able to rely on the Agreement (i.e. other methods in Article 44-49 of the EU_GDPR have to be used to enable the transfer of personal data from the EU to the UK). The Border Agency's privacy notice tells you where they source their personal data (see references).
Human Rights considerations
However, the Telegraph’s front page story has opened up another area of significant risk to the Adequacy Agreement; it reported that “British Judges would be told that they would no longer bound by European Human Rights Judgments”.
At the last Election the Conservative Party Manifesto promised to “update the Human Rights [Act] …. to ensure that there is a proper balance between the rights of individuals, our vital national security and effective government”. Consequently, the Human Rights Act 1998 is under review by an “independent expert panel” whose members have been hand-picked by the Government.
We have perhaps become over-familiar with Human Rights challenges in the UK Courts where Government has lost (e.g. facial recognition CCTV use by the police, immigration exemption in the DPA2018, bulk personal data collections of national security agencies, retention of DNA personal data from those who have been acquitted). Often such action is the only way of assessing the lawfulness of Government processing or Ministerial decision-making. Clearly “effective Government”, as understood under Mr. Johnson’s leadership, needs fewer such losses.
However, Recital 277 of the Adequacy Agreement states: “This conclusion [about Adequacy of the UK’s DP regime] is based on both the relevant UK domestic regime and its international commitments, in particular adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights. Continued adherence to such international obligations is therefore a particularly important element of the assessment on which this Decision is based”. (my emphasis)
I should add the same sentiment about submissive adherence to the ECHR’s jurisdiction can be found in Recitals 111, 116, 120, 173 and 272 (whilst other places stress the important role of the Human Rights Act in the UK). This to my mind warns the UK Ministers to remain submissive about the Human Rights regine and not deviate too far from A.8 requirements when legitimising public sector interference with private and family life. In summary, this expectation from the European Commission that some Brexit Ministers submit to European law lies in “red rag to a bull” territory.
The EU position is reinforced by the Agreement which, in Article 3, promises detailed monitoring arrangements. These will apply to:
- “how public authorities [in the UK] have access to data transferred on the basis of this Decision” (e.g. excessive data sharing arrangements);
- “cases where the Information Commissioner, or any other competent United Kingdom authority, fails to ensure compliance with the legal framework upon which this Decision is based” (e.g. cases where a Regulator turns a blind eye to the UK Government’s Big Data sharing objectives);
- “any indications that interferences by United Kingdom public authorities with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences” (e.g. action to diminish the protection afforded by A.8 ECHR).
The Article ends by stating that “Where the Commission has indications that an adequate level of protection is no longer ensured, the Commission shall inform the competent United Kingdom authorities and may suspend, repeal or amend this Decision” (e.g. Adequacy no more).
Enter Schrems I
Thanks to the enduring legacy of the Schrems 1 decision, Europe’s data protection authorities can themselves assess adequacy of the UK’s DP regime.
The CJEU ruled that a Data Protection Authority’s ability to independently assess adequacy applied universally to any international agreement on data protection (e.g. such as Safe Harbor or the current Adequacy Agreement). An adequacy determination:….
“….does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection” (para 66 of Case C‑362/14).
Note the implication of this. If a Data Protection Authority, following a data subject complaint, found that the level of protection in the UK was inadequate, then it could act to protect the interests of data subjects (e.g. by banning specific transfers) despite any political agreement asserting adequacy in general.
So, should we expect European privacy advocates to devote their energies to providing complaints to DP Authorities? Answer is ”you bet”.
Conclusion
So there you have it. The more Ministers dilute the Human Rights regime or the less submissive they become, especially if this impacts on the rights and freedoms of EU citizens, then the greater the risk to the loss of the EU adequacy decision. “Taking back control of the UK’s data protection laws” to the extent promoted by TIGRR (see the last blog) does not appear to be a safe option.
The really dangerous factor is if the Northern Ireland protocol goes completely pear-shaped. In that case, a two fingered salute to this Agreement could become an attractive proposition for those UK “leaders” who have always wanted to drop most European Community law.
Upcoming Data Protection Course
Because of Indian variant and the consequent COVID lockdown uncertainty, the following course can be attended in person or via Zoom or a mixture (it's up to you). The Data Protection Practitioner Course is in London, and starts July 13 (6 days).
Full details on www.amberhawk.com/StandardDP.asp or by emailing [email protected]
References
Schrems 1 judgement: https://amberhawk.typepad.com/amberhawk/2016/02/politicians-agree-a-privacy-shield-as-the-working-party-of-data-protection-commissioners-display-a-s.html
Border Agency Department Privacy Notice: https://www.gov.uk/government/publications/personal-information-use-in-borders-immigration-and-citizenship/borders-immigration-and-citizenship-privacy-information-notice
Immigration exemption discussion: https://amberhawk.typepad.com/amberhawk/2021/05/judgement-in-immigration-exemption-case-could-cause-chaos-and-threaten-any-adequacy-determination-fo.html
TIGRR’s suggested extensive changes to the UK’s DP regime: https://amberhawk.typepad.com/amberhawk/2021/06/tigrr-eeyore-and-pooh-bear-decide-to-destroy-the-gdpr.html
Adequacy Agreement (leaked draft): down load here Download UK GDPR Adequacy Decision - june2021
Comments
You can follow this conversation by subscribing to the comment feed for this post.