This article was written on Nov 4th, 2017
Meanwhile, the most important Brexit consequence of the week may turn out to be an obscure clause in the Second Schedule of the Data Protection Bill, (lines 39 – 45 on page 125) which is currently being examined line-by-line in the House of Lords.
In an article in politics.co.uk last Friday, November 3, Martha Spurrier director of Liberty, an organisation which campaigns for civil liberties and human rights in the UK, drew attention to a little noticed provision in the Bill, Schedule 2, Part 1, Section 4.1 – Immigration, which reads:
The listed GDPR provisions do not apply to personal data processed for any of the following purposes—
(a) the maintenance of effective immigration control, or
(b) the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).
While, as Spurrier notes, the intent of the Bill is as the government puts to “empower people to take control of their data” she says that “it will strip millions of their rights.”
As Spurrier writes, contrary to the stated intentions of the legislation, the real impact of Schedule 2.4 means that:
…any government agency processing data for immigration purposes will be free of those pesky data protection obligations we’ve developed through successive Acts of parliament – and signed up to through the EU’s General Data Protection
In practice, the exemption will create a two-tier data rights regime. When an agency relies on the exemption, individuals will lose their right to know what information is held about them, who is processing it and why.
They will not be able to correct or erase information held about them – which doesn’t bode well considering how much of the data held on us is out of date or just plain wrong.
She goes on to note that the lack of a definition of effective immigration control or activities that would interfere with it “makes it practically impossible to draw up a list of all those who could be caught up”. “The exemption could also be used to facilitate the sharing of personal data between public services and the Home Office if it’s decided checking everyone’s entitlement to access healthcare, education or social housing is necessary for effective immigration control.”
She concludes that the idea “that personal data collected for one purpose can’t be used for another without the individual’s informed consent is the cardinal principle of data protection. This exemption makes a mockery of it and sets a damaging precedent for the privacy rights of all of us.”
What has this got to do with Brexit?
Simply, it is one more potential barrier, and a significant one at that, to the free flow of personal data from the EU to the UK after Brexit.
That public authorities could have such unfettered rights to citizens’ personal data without citizens been aware of what data is being held, could make it extremely difficult for the European Commission to issue an “adequacy decision” on the UK’s data protection regime. Such a decision is vital if personal data is to flow freely from the EU to the UK, without individual businesses having to go through complex procedures to put in place binding corporate rules or avail of standard contractual clauses which are, in any event, been called into question by privacy campaigners as failing to offer sufficient protect for data transferred to the US.
But “data adequacy decisions” are not easy come by and can take years. Only a handful have ever been issued. See here for details.
The EU Parliament is also likely to have a good deal to say on the matter. And what it has to say will not be kind to the UK.
The data economy in the EU was estimated to be worth €272 billion in 2015, or around 2% of the EU-28 GDP. And that figure is expected to rise to €643 billion by 2020, according to the UK’s Department for Exiting the European Union. 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with the EU Member States. Over 70 per cent of the UK’s trade in services is supported by personal data flows as the government noted in a position paper last August: “Data flows between the UK and the EU are crucial for our shared economic prosperity and for wider cooperation, including on law enforcement.”
The UK government believe that it is taking the necessary steps to ensure it is aligned with the requirements of EU regulations and to comply with European legislation, post-Brexit.
Further, to consolidate the relationship, it is proposing “a UK-EU model for exchanging and protecting personal data, […]providing sufficient stability for businesses, public authorities and individuals.” This would ‘build on the existing adequacy model’, and would see continued engagement of the UK Information Commissioner’s Office with other EU regulators. In other words, it wants the UK’s data commissioner to still have a seat at the table.
However, as we have previously noted in these BEERG Brexit Briefings, there is a major obstacle in the way of the EU issuing a “data adequacy decision” as regards the UK, post-Brexit. The Investigatory Powers Act, which came into force at the end of last year, allows the U.K. government to monitor large batches of data, collect people’s browsing records and hack citizens’ phones and computers for security purposes.
The Act was initiated by Prime Minister Theresa May when she was still at the Home Office. Critics, such as the German Green MEP, Jan Philipp Albrecht, have suggested that the Act gives the UK security services more far-reaching powers that the US counterparts. It was concerns over the extent of the access by the US security services to the personal data of EU citizens which had been transferred to the US that led to the collapse of the old Safe Harbour Agreement, and its replacement by the Privacy Shield arrangement.
EU law provides for exemptions from general data protection principles in matters of:
• national security and defence;
• the prevention, investigation, detection and prosecution of criminal offences;
• the protection of data subjects and the rights and freedom of others.
But these exemptions only apply to EU and EEA member states. They do not apply to “third countries”, EU terminology for countries that are completely outside the EU/EEA framework. After Brexit, as it has been defined by the UK government, the UK will be a such a “third country”, and so the security exemption will no longer apply. The problems created by the Investigatory Powers Act is securing an “adequacy decision” from the EU will be further exacerbated by Schedule 2.4, as discussed above.
There will be many in the UK who will argue that, even in the absence of an overarching Brexit agreement, the EU will cut “mini-deals” with the UK, including one on data flows. But then again, maybe not. As Sir Ivor Richards said in his comment to a House of Commons committee a week back:
What is going to happen? In the absence of a deal, have the French, Belgians or Dutch any incentive to sort that problem (customs blockages), or do they have an incentive to keep us stewing? In the area of data protection, do they have an incentive ultimately to cobble together some agreement at the last minute in order to keep data flows, or do they have an incentive to maximise the flow of UK business that has to shift to the continent?
The Investigatory Powers Act is already on the statute books. Schedule 2.4 of the Data Protection Bill is not.
Spurrier makes her own arguments as to why the provision should be opposed.
We simply seek to draw attention to the fact that it places another enormous brick in the wall as regards future data flows between the EU and the UK when Brexit bites.