Brexit, British Government, Data transfers

Data protection and #Brexit

Written on July 19th

Writing about Brexit in the Observer last Sunday, 16 July, Gus O’Donnell, a former cabinet secretary and head of the UK civil service, said:

…we need to start being honest about the complexity of the challenge. We keep being told by our politicians that Brexit can be delivered easily. This isn’t correct. Believe me, we are embarking on a massive venture. There is no way all these changes will happen smoothly and absolutely no chance that all the details will be hammered out in 20 months… We will need a long transition phase, and the time needed does not diminish by pretending that this phase is just about “implementing” agreed policies as they will not all be agreed.

This is as accurate as it gets about the realities of Brexit. O’Donnell’s warning comes a day after the Financial Times published a piece which noted that:

UK industry leaders have ratcheted up the pressure on the UK government by warning that a breakdown of Brexit negotiations resulting in no deal would be “catastrophic” with “massive disruption” leading to a sharp contraction in output.

Industries as diverse as road haulage and orchestras are sounding the alarm and warning that threats of walking away without a deal raise the prospect of an extremely difficult outcome for Britain in March 2019.

We are used to seeing trucks backed up on the M20 if traffic from Dover to Calais is disrupted for whatever reason. If the UK crashes out of the EU in March 2019 it is something we will see on a daily basis as customs checks are reintroduced and the 16,000 trucks that cross the channel every day take 20-30 minutes each to process, as opposed to seconds today.

What you won’t see is the personal data transfers from the EU to the UK that are blocked on the far side of the channel because it will be illegal to export such data to the UK.

In May 2018, the General Data Protection Regulation (GDPR), which updates the 1995 Data Protection Directive, comes into force across the European Economic Area (EEA = EU + Norway, Liechtenstein and Iceland). A Regulation, as opposed to a Directive, does not need to be transposed into national law but applies to all EEA countries from the date it comes into force, though some tweaks to national law may be required.

When the GDPR comes into force, the UK will still be part of the EU, so the Regulation will apply to the UK and will be brought into UK domestic law through the so-called Withdrawal Bill. Because of this, some have assumed that, since UK data protection law will be exactly the same as EU data protection law, there should be no problems with data flows, even in the event that the UK leaves the EU with no deal.

This is simply not the case.

Crashing out of the EU without a deal means the UK becomes what the EU regards as a “third country”, and the personal data of EU citizens can only be transferred to third countries if the European Commission certifies that their data protection rules are “adequate”. In the jargon, the Commission issues an “adequacy decision”.

According to the Commission’s website:

The Council and the European Parliament have given the Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The adoption of a (comitology) Commission decision based on Article 25.6 of the Directive involves:

• a proposal from the Commission;
• an opinion by Member States’ data protection authorities and the EDPS (European Data Protection Supervisor), in the framework of the Article 29 Working Party;
• an approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”;
• the adoption of the decision by the College of Commissioners;
• at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive.

The effect of such a decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.

The Commission has so far recognized Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.

An adequacy decision, therefore, is not something that can be granted overnight or by a stroke of the pen by the Commission. A complex and detailed procedure is involved.

If the Withdrawal Bill does incorporate the GDPR into UK law that will mean that UK data protection legislation is the same as EU data protection legislation. But that may not be sufficient for the EU to grant an adequacy decision.

In 2015 the Court of Justice of the European Union (CJEU) struck down what was known as the “Safe Harbour” agreement between the EU and the US, one of the procedures that allowed for the transfer of personal data from the EU to the US. This judgement immediately impacted some 4,000 companies who used the procedure. The reason for the judgement was the finding by the court that the US’s National Security Agency (NSA) had too easy access to the data of European citizens transferred to the US.

A replacement agreement was negotiated between the two sides, the Privacy Shield, but that is now also under legal challenge. Last January, President Trump signed an Executive Order, Section 14 of which reads:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Many in the EU governance system fear that the ability of the UK intelligence agencies to access citizens’ data is even greater than that of the US agencies. Jan Philipp Albrecht, a German MEP who was the European Parliament’s point man on the GDPR, has long questioned the possibility of UK rules being deemed adequate by the European Commission. “Due to GCHQ blanket surveillance [programmes] and less safeguards for intelligence services than in the US I doubt it,” he said in a 2016 tweet. As long as the UK remains in the EU, or the Single Market, there is nothing that the EU can do about GCHQ. Outside both it is a different matter.

There are other ways of transferring data to third countries, such as “binding corporate rules” and “model contracts”. But even these are under threat, with the Irish Data Protection Commissioner having referred a case involving binding corporate rules to the CJEU. Nevertheless, it would be worth exploring with legal advisers whether binding corporate rules or model contracts could help avoid a “cliff edge” on data transfers in March 2019.

So, as of today, absent a deal between the EU and the UK over the terms of Brexit, personal data flows from the EU to the UK could hit the buffers on March 29, 2019. If Gus O’Donnell is right, and I believe he is, prepare for computer screens to go blank if you have not put contingency plans in place.