Written August 9th 2017
The new legislation will become effective in May 2018, when the GDPR comes into force across Europe. The potential penalties for breaching the new data law are severe: up to 4% of global turnover or €20m, whichever is the greater. The EU recently hit Google with a fine of €2.4 billion over alleged market dominance abuse, so national data regulators won’t be shy of imposing big fines on companies that break the new laws.
Unfortunately, the documents published by the UK government with the announcement of the new Bill has precious little to say about Brexit and data flows. The only real reference reads:
“Unhindered flow of data, therefore, is essential to the UK forging its own path as an ambitious trading partner. That is why the government will be seeking to ensure that data flows between the UK and the EU, and also appropriately between the UK and third countries and international organisations, remain uninterrupted after the UK’s exit from the EU. Cooperation with the UK’s law enforcement and security partners, both in Europe and beyond, will also remain a priority.”
The government’s press release also quotes Julian David, CEO of techUK, as saying:
The UK has always been a world leader in data protection and data-driven innovation. Key to realising the full opportunities of data is building a culture of trust and confidence.
This statement of intent is an important and welcome first step in that process. techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.
Both of these statements are statements of hope rather than fact. Simply because the UK, after it leaves the EU, will continue to mirror EU data protections laws does not guarantee that the EU will consider it as a country to which it is safe to transfer EU citizens’ personal data. “But we have the same data laws as you” on its own won’t cut it.
Why? The GDPR will allow EU member states to freely circulate personal data among themselves, as does the exiting 20 year old Directive. It also allows members states certain derogations from the strict data protection principles of the Regulations in cases of national security. But the same national security derogations do not apply to “third countries”, as countries outside the bloc are known.
Given current government policy, after Brexit the UK will be such a “third country”, standing in a similar position to the EU and the US does today. To transfer data from the EU to the US many US companies make use of the “Privacy Shield”, an agreement negotiated between the EU and the US when the older “Safe Harbour” agreement was struck down by the Court of Justice of the European Union (CJEU). The CJEU struck down “Safe Harbour” because it concluded that it did not provide sufficient protection for EU citizens’ personal data from being picked over by US security agencies once such data arrived in the US. The “Privacy Shield” is now under legal challenge for the same reasons.
The other ways of legally transferring personal data from the EU to the US, binding corporate rules and standard data protection clauses, are also under legal scrutiny.
The most legally secure way of transferring data from the EU to a “third country” is for the European Commission to issue an “adequacy decision”, a decision which says that the data protection regime in the third country is sufficiently robust that it is safe to transfer EU citizens’ personal data there. However, the Commission has only ever issued a handful of such decisions. Canada and Switzerland are on the list. The US is not.
Back to why we said that the two statements quoted at the top of this note are statement of hope rather than fact. There are many people within the EU’s governance system who regard the access that the UK’s security services have to personal data as more intrusive that that of the US. They point to the Investigatory Powers Act 2016, widely known as the “Snoopers’ Charter” to underscore their argument.
While the UK remains a member of the EU the Investigatory Powers Act 2016 is protected by the national security derogation. But once the UK becomes a “third country” all bets
are off. Given the extent of the surveillance authorised by the 2016 Act, the EU Commission will find it extremely difficult to issue an “adequacy decision”. Even if it does, it will take some considerable time to do so.
Now it is possible that the issue of data flows may be resolved in negotiations between the EU and the UK as regards the future relationship between the two. But don’t bet the farm on it. The gap across all the issues in play between the two sides is enormous and the time to bridge that gap gets shorter by the day. The politics are poisonous. March 2019 could quickly arrive with no deal in place. If that happens, the data shutters come down, overnight.
One of the main drivers of the Brexit referendum result in the UK was a desire to limit the “free movement of people”, aka immigration from the EU. The “free movement of data”, which is probably more important to the UK economy than the free move of people, may well turn out to be collateral damage.