Post-Brexit data protection law: another cliff edge?
Brexit is commonly described as one of the biggest political upheavals in a generation. The implementation of the General Data Protection Regulation (GDPR) is, in the words of the UK Information Commissioner, “the biggest change to data protection law for a generation”. With these two events coinciding, change is inevitable. With that in mind, and with the publication of the House of Lords European Union Committee report ‘Brexit: The EU Data Protection Package’ on 13 July 2017, this is an opportune time to consider the impact of Brexit on UK data protection law, ranging from the changes with the greatest potential for upheaval to those with rather less.
Significant Impact post Brexit
The biggest potential impact Brexit may have on UK data protection law is that the UK will no longer automatically enjoy unhindered and uninterrupted data flows with the EU and its Member States. One of the core tenets of both current EU data protection law and the GDPR is the control of cross-border data flows out of the EU. The idea is that, whilst data flows within the EU should be unrestricted (as part of the harmonisation of the single market), transfers to any third country outside the EU should be subject to legal controls, to prevent EU law being circumvented by moving data to a place with less stringent data protection standards. Post-Brexit, the UK will be a third country and, as such, subject to those controls. The controls can roughly be split between EU level controls and data controller level controls. At EU level, the European Commission may certify a third country as providing an adequate level of data protection (in other words, ‘white-list’ it or, to use the preferred terminology, issue an adequacy decision). Once white-listed, data may flow between the EU and that country as if it were a Member State. At data controller level, where a country is not white-listed, individual data controllers (i.e. businesses and other organisations that determine how personal data is processed) may put in place their own legal mechanisms to legitimise a transfer, such as standard contractual clauses or binding corporate rules. Some of these mechanisms are more straightforward than others, but invariably they all cost time and money. The UK Government has, unsurprisingly, said that it is committed to maintaining the stability of data transfers between the EU Member States and the UK post-Brexit. This may not, however, be as straightforward a task as the Government hopes.
The House of Lords European Union Committee in its report ‘Brexit: The EU Data Protection Package’ (dated 13 July 2017) noted: “we support this objective, but were struck by the lack of detail on how the Government plans to deliver this outcome.” The most comprehensive way for the UK to achieve that outcome would be to obtain an adequacy decision. However, as the House of Lords report further notes, “such decisions are only taken in respect of third countries and follow a set procedure”, which may require additional work (and willingness) on both sides of the EU/UK bargaining table to ensure an adequacy decision is in place by the time the UK actually leaves. If a decision isn’t in place on exit day, individual data controllers may be left scrambling to put their own legal mechanisms in place.
Potential Significant Impact post Brexit
A further potential consequence of Brexit – closely related to the first – is that, assuming the UK does achieve an adequacy decision (either immediately or at some point after Brexit), given that such decisions are at the political discretion of the European Commission, any such decision could be lost in the future. On a preliminary examination this risk may seem remote: to date the Commission has never withdrawn an adequacy decision once awarded. (Note, however, that the EU/US Safe Harbour arrangement, which was invalidated by the Court of Justice of the European Union in the 2015 Schrems judgment and had to be replaced by Privacy Shield, was itself an adequacy decision under the 1995 Data Protection Directive, so the loss of adequacy is not merely theoretical.) There has also been recent focus on the issue in relation to Canada. Chantal Bernier, the former Assistant and Interim Privacy Commissioner of Canada, has warned that Canada is at risk of losing its adequacy decision, a claim she bases on discussions she has had with European regulators and Canadian government officials. She claims that there is concern at EU level over proposed Canadian laws permitting greater access to individuals’ personal data by Canadian public authorities. Even on a superficial analysis, comparisons can be drawn between these proposed Canadian laws and the UK’s Investigatory Powers Act 2016, which permits targeted and bulk interception of communications, and the acquisition of communications data (both potentially including personal data), by public authorities. Given that Article 45 of the GDPR provides “for a periodic review [of adequacy decisions], at least every four years, which shall take into account all relevant developments in the third country”, Canada’s situation is a reminder that an adequacy decision is not a lifetime guarantee of unrestricted data flows.
Lower Impact post Brexit
Aside from the issue of data flows, Brexit will clearly impact UK data protection law in a number of other ways. A stark reminder of this came in the Queen’s Speech 2017, in which a new Data Protection Bill was announced to “ensure that the United Kingdom retains its world-class regime protecting personal data” along with “proposals for a new Digital Charter…to ensure that the United Kingdom is the safest place to be online”.
Whilst we await further details, the Data Protection Bill doesn’t appear to introduce anything over and above the GDPR, so perhaps this is just a nod to the fact that, once the Great Repeal Bill takes effect, the GDPR will no longer have direct effect and will need a national law to replace it (the GDPR by another name?). However, the new Digital Charter appears to show a wider commitment to a digital strategy, which may have other implications for data protection law once the UK regains greater legislative freedom in this area.
The takeaway point here is that preparations for GDPR compliance are unlikely to be in vain, but there may be some flexibility in a post-Brexit UK. Some may find this concerning, as there is the potential for a UK government to renege on its commitment to European-style privacy standards, notwithstanding its current rhetoric. Others may welcome such a development. One can envisage certain businesses taking this as an opportunity to lobby for a more pragmatic, ‘business-friendly’ approach to data protection law. Proposals to reinstate a token fee for responding to data subject access requests are one example, this being an area where not everyone is convinced that the GDPR is an improvement on the existing regime.
The list of other potential Brexit implications is open-ended. The position of the Information Commissioner’s Office, or ICO (i.e. the UK privacy regulator), is another area of uncertainty. For example, will businesses whose main establishment is in the UK, and which therefore have the ICO as their lead supervisory authority under the GDPR’s ‘one-stop-shop’ mechanism, have to engage with another EU-based supervisory authority post-Brexit, potentially reducing the ICO’s influence? Moreover, if, as seems likely, the ICO loses its seat on the European Data Protection Board (the newly created pan-EU body comprising the heads of the EU Member State supervisory authorities, which has a role in enforcing EU data protection law), what influence will the ICO retain over the Board (if any), and vice versa?
The potential for Brexit to cause friction between the EU and UK is apparent from almost any photograph that features David Davis in the same room as Michel Barnier. However, given that unhindered flows of data across the EU and the UK are important to so many EU businesses and other organisations, it is in the interests of everyone across Europe that this friction does not extend to data protection law.
With that in mind, it is likely that Brexit data flows (and the other issues above) will be resolved at some stage, and businesses should not panic about the impact of Brexit on data protection law. However, amongst all the GDPR compliance preparation, this remains an area to watch.
This article was written by Jonathan McDonald.