Post-Brexit data protection law: another cliff edge?
Brexit is commonly described as one of the biggest political upheavals in a generation. The implementation of the General Data Protection Regulation (GDPR) is, in the words of the UK Information Commissioner, “the biggest change to data protection law for a generation”. With these two events coinciding, change is inevitable. With that in mind and with the recent publication of The House of Lords European Union Committee report ‘Brexit: The EU Data Protection Package’ on 13 July 2017, this is an opportune time to consider the impact of Brexit on UK data protection law, looking at how said impact may range from significant changes to those with a lower potential for upheaval.
Significant Impact post Brexit
The biggest potential impact Brexit may have on UK data protection law is that the UK will no longer automatically maintain unhindered and uninterrupted data flows with the EU and its Member States. One of the core tenets of both current EU data protection law and the GDPR is the control of extra-EU cross-border data flows. The idea is that whilst cross-border data flows within the EU should be unrestricted (as part of the harmonisation of the single market), any third country outside the EU should be subject to legal controls to prevent EU law being circumvented by data being transferred to a place with less stringent data protection standards. Post Brexit, the UK will be a third country and, as such, subject to such legal controls. The controls can roughly be split between EU/Member State level controls and data controller level controls. In the case of EU/Member State level controls, the European Commission (or potentially a Member State) may certify a third country as providing an adequate level of data protection (in other words, ‘white-list’ it or, to use the preferred terminology, issue it with an adequacy decision). Once a country is white-listed, data may flow between the EU and that country as if it were a member of the EU. In the case of data controller level controls, where a country is not white-listed, individual data controllers (i.e. businesses and other organisations that control personal data) may put in place their own legal mechanisms to legitimise a transfer. Some of these mechanisms are more straightforward than others, but invariably they all cost some time and money. The UK Government has, unsurprisingly, said that it is committed to maintaining the stability of data transfers between the EU Member States and the UK post-Brexit. This may not, however, be as straightforward a task as the Government hopes.
The House of Lords European Union Committee, in its recent report ‘Brexit: The EU Data Protection Package’ (dated 13 July 2017), noted: “we support this objective, but were struck by the lack of detail on how the Government plans to deliver this outcome.” The most comprehensive way for the UK to achieve this outcome would be to obtain an adequacy decision. However, as the House of Lords report further notes, “such decisions are only taken in respect of third countries and follow a set procedure”, which may require some additional work (and willingness) on both sides of the EU/UK bargaining table to ensure an adequacy decision is in place by the time Brexit actually takes place. If a decision isn’t in place, individual data controllers may be left scrambling to put their own legal mechanisms in place.
Potential Significant Impact post Brexit
A further potential consequence of Brexit – closely related to the first – is that, assuming the UK does achieve an adequacy decision (either immediately or at some point after Brexit), given that such decisions are at the political discretion of the European Commission, there is a risk that any such decision could be lost in the future. On a preliminary examination this risk may seem remote, especially given that to date no third country has lost an adequacy decision after having one awarded (note that the EU/US Safe Harbour – which was invalidated and had to be replaced by Privacy Shield – was not an adequacy decision, but a derogation from the ordinary rules). However, there has been recent focus on the issue in relation to Canada. Chantal Bernier, the former Assistant and Interim Privacy Commissioner of Canada, has warned that Canada is at risk of losing its adequacy decision, a claim she bases on discussions she has had with European regulators and Canadian government officials. She claims that there is concern at EU level with proposed Canadian laws permitting greater access to individuals’ personal data by Canadian public authorities. Even on a superficial analysis, comparisons can be drawn between these proposed Canadian laws and the UK’s Investigatory Powers Act 2016, which permits targeted and bulk interception of communications data (potentially including personal data) by public authorities. Given that the GDPR includes a mechanism in Article 45 “for a periodic review [of adequacy decisions], at least every four years, which shall take into account all relevant developments in the third country”, Canada’s situation is a reminder that an adequacy decision is not a lifetime guarantee of unrestricted data flows.
Lower Impact post Brexit
Aside from the issue of data flows, Brexit will clearly impact UK data protection law in a number of other ways. A stark reminder of this came in the Queen’s Speech 2017, in which a new Data Protection Bill was announced to “ensure that the United Kingdom retains its world-class regime protecting personal data” along with “proposals for a new Digital Charter…to ensure that the United Kingdom is the safest place to be online”.
Whilst we await further details, the Data Protection Bill doesn’t appear to introduce anything over and above the GDPR, so perhaps this is just a nod to the fact that, following the Great Repeal Bill, the GDPR will no longer have direct effect, requiring the implementation of a national law replacement (the GDPR by another name?). However, the new Digital Charter appears to show a wider commitment to a digital strategy, which may have other implications for data protection law once the UK regains greater legislative freedom in this area.
The takeaway point here is that preparations for GDPR compliance are unlikely to be in vain, but there may be potential for some flexibility in a post-Brexit UK. Some may find this concerning, as there is the potential for a UK government to renege on its commitment to European-style privacy standards, notwithstanding its current rhetoric. Others may welcome such a development. One can envisage certain businesses taking this as an opportunity to lobby for a more pragmatic ‘business-friendly’ approach to data protection law (think proposals for reinstating a token fee for responding to data subject access requests, as an area where not everyone is convinced that the GDPR is an improvement on the existing regime).
The list of other potential Brexit implications is open-ended. The position of the Information Commissioner’s Office or ICO (i.e. the UK privacy regulator) is another area of uncertainty. For example, will businesses that have selected the ICO as their main establishment under the GDPR’s ‘one-stop-shop’ mechanism have to engage with another EU-based supervisory authority post-Brexit, potentially reducing the ICO’s influence? Moreover, if, presumably, the ICO loses its seat on the European Data Protection Board (the newly created pan-EU entity comprising the heads of the EU Member State supervisory authorities, which has a role in enforcing EU data protection law), what influence will the ICO retain over the Board (if any) and vice versa?
The potential for Brexit to cause friction between the EU and UK is apparent from almost any photograph that features David Davis in the same room as Michel Barnier. However, given that unhindered flows of data across the EU and the UK are important to so many EU businesses and other organisations, it is in the interests of everyone across Europe that this friction does not extend to data protection law.
With that in mind, it is likely that Brexit data flows (and other issues) will be resolved at some stage and businesses should not panic about the impact of Brexit on data protection law. However, in amongst all the GDPR compliance preparation, this remains an area to watch.
This article was written by Jonathan McDonald.