Will Theresa May be able to deliver her ambitious plans for data protection after Brexit?
by Conor Brennan on 16 Mar 2018
Prime Minister Theresa May put data protection at the heart of the UK’s post-Brexit relationship with the EU when she delivered her latest set piece Brexit speech on 2 March. She stated that data protection rules should be one of the five foundations that underpin a new trading relationship with the EU.
For data to be placed on such a high pedestal as an issue that will “underpin” a future agreement with the EU is an intriguing declaration from the Prime Minister. Why data protection especially? Is it because data is so ubiquitous; because the data economy is crucial to the UK; or is it seen as low hanging fruit, considering the adequacy provisions available to the UK?
This blog explores the UK’s position on future arrangements with the EU for the regulation of data protection, highlights the challenges that lie ahead for achieving the Prime Minister’s ambition, and the need for businesses to ensure that their views are heard by the UK Government and EU.
The UK wants more than adequacy after Brexit
During her speech May announced that her negotiating team will be “seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office (ICO)”, the UK information rights regulator.
Under the much-talked-about General Data Protection Regulation (GDPR) there is a provision for a third country (i.e. one that is outside of the EU Single Market) to gain an “adequacy” assessment that would allow organisations in that country to freely transfer data with organisations in the EU. The UK Government already announced that it would fully implement the regulation for the 25 May 2018 deadline and keep the UK aligned beyond March 2019 when the country leaves the EU.
So it stands to reason the UK would seek to achieve adequacy with the EU under the GDPR. An already fully aligned data protection regime is, of course, the optimum starting point for achieving this; however, the process for securing adequacy must follow procedure.
For instance, the European Commission will investigate not only the application of GDPR, but also how data is retained for national security and law enforcement purposes, and seek guidance from advisory bodies in Brussels when reaching a verdict. Indeed, just the day before May’s speech the lead negotiator for the EU, Michel Barnier, reminded the UK that the adequacy decision “is an autonomous EU decision” and not a foregone conclusion.
There remains uncertainty over the implementation of GDPR
To facilitate the implementation of the GDPR, the Department for Digital, Culture, Media and Sport (DCMS) has tabled the new Data Protection Bill in Parliament. As a current member of the EU, the Government is entitled to explore the various derogations available to Member States as part of the GDPR. These include derogations in the lower age limit for processing children’s data, freedom of expression in the media, or rules surrounding religious organisations, for example.
One such exemption, which the Government has included in the Bill, covers instances where the Home Office deems that certain data protection rights could prejudice “effective immigration control”. The digital civil rights group the Open Rights Group (ORG) and the3million, an organisation advocating for the rights of EU citizens living in the UK, have announced they are launching formal legal action over the inclusion of this particular clause. They argue the clause is incompatible with the GDPR.
There has also been debate about the UK’s interception of communications under the Investigatory Powers Act, which explicitly authorised bulk data collection and interrogation by UK security services, something which goes much further than laws in other EU countries. As a member of the EU these laws were essentially exempt from GDPR rules under national security provisions, but as a third country they will be a significant factor in an assessment of adequacy.
That differing groups continue to argue over the interpretation of certain elements of the GDPR is not new. Businesses across the UK, and Europe, are scrambling to ready themselves for when the rules come into force on 25 May 2018. Many are still interpreting some of the legal options for processing data, while they await final guidance from the EU Article 29 Working Party (the collective body of EU data protection authorities) and the UK’s Information Commissioner’s Office (ICO).
Although the UK may argue it is ahead of most European countries in the implementation of GDPR (only a handful of member states have passed legislation to facilitate GDPR), this uncertain environment will inevitably lead to legal challenges (as per the ORG and the3million example above) on differing interpretations. In the short term, it is clearly not ideal for the UK’s campaign for securing adequacy that elements of GDPR remain in flux and open to interpretation.
‘Adequacy Plus’ – can the UK have an enhanced role from outside the EU?
What is clear from May’s speech however is that mere “adequacy” is not adequate. By leaving the EU, the UK will lose its ‘seat at the table’ when it comes to the ongoing application and interpretation of the EU’s data protection rules. One way to mitigate this diminishing influence would be for the ICO to seek a continued role at the key EU data protection body, the Article 29 Working Party (WP29). However, the best it may hope for is likely to be some form of ‘observer status’ – for instance, Norway as an EEA member participates in the WP29.
Such observer status may allow the UK a say in technical regulatory guidance and to advise on the ongoing application of implemented regulation. It will not, however, allow the UK a role in new policy development, as the UK will not have MEPs, Commissioners or Council representation. Furthermore, the EU’s current draft guidelines on the long-term relationship state that the UK’s current position “excludes participation… as a third-country to EU Institutions, agencies or bodies”.
Adequacy will also require the European Commission to regularly review the UK’s data protection regime and review whether the relationship will be maintained or challenged. One only has to look at the European Court of Justice’s 2015 pronouncement that the EU/US Safe Harbour agreement was invalid and the ongoing instability of the subsequent Privacy Shield arrangement to see how a non-EU country may find itself in a precarious position when complying with EU law.
Increasing divergence in global data regulation
The UK will also aim for a deal on data with the EU which does not hinder its ambitions to secure trade agreements with other countries across the globe which will, no doubt, include regulation of data flows. For the UK to pursue separate trade deals, the EU must feel assured that the standards of GDPR are upheld in how data originating in the EU is protected when transferred to non-EU countries.
Against this backdrop, it will be interesting to see where the UK positions itself in the current trends in global data regulation. Latest developments in the US certainly point to the regulatory gap between the EU and the US widening, not narrowing.
For instance, in April 2017 President Trump signed a Republican-backed bill to repeal the Federal Communications Commission’s regulations, which were championed by the Obama administration, before they could take effect. Since this repeal Republicans have proposed their own data protection measures for online services in the BROWSER (Balancing the Rights of Web Surfers Equally and Responsibly) Act. The Bill does not cover many of the aspects covered by GDPR; it is illustrative of considerable differences between perspectives on data protection in the U.S. and Europe and demonstrates why the EU appears to be targeting multinational tech companies for greater regulation.
Diverging global trends in the data economy raise dilemmas for a UK economy that will sit outside the EU and aims to forge greater relations with other countries. When the Information Commissioner, Elizabeth Denham, states that she is “engaging in global enforcement work beyond Europe, which involves building bridges with other regulators around the world” – to what extent this is achievable, alongside the UK’s ambition to secure ‘Adequacy Plus’ and the binding commitments it may involve, is not clear.
How can companies influence the UK Government position?
Having a clear agreement on data flows between a post-Brexit UK and the EU is vital to almost all UK businesses, but especially those in the tech sector. While both sides profess to want to reach a deal there remain significant political hurdles. There is a short window in which to influence both the UK Government and the EU in how they approach negotiations on data protection and data flows.
The UK Government, and specifically DCMS, are now seeking industry input into their strategy for securing the best possible deal with the EU. In particular, they are interested to hear about examples where flows of data across Europe are crucial to business growth. If you would like to discuss how you can engage on these issues and the future of the data regulatory environment between the UK and Europe, please get in touch with Conor Brennan, firstname.lastname@example.org.
Written by Conor Brennan
Conor is an experienced consultant who advises clients in the data economy, insur-tech, and energy sectors.