
Another Brick in a #Data Wall? #Brexit #EUDataP

This article was written on Nov 4th, 2017

Under the BEERG law of unintended consequences, the unintended outworking of an action or event is often far more significant or impactful than the intended one. And so, while the UK media obsessed over sex scandals and a cabinet resignation, the Brexit process crawled along with the announcement of another round of EU/UK talks next week and a vote in parliament forcing the government to publish 58 sectoral studies on the economic impact of Brexit.

Meanwhile, the most important Brexit consequence of the week may turn out to be an obscure clause in the Second Schedule of the Data Protection Bill (lines 39–45 on page 125), which is currently being examined line-by-line in the House of Lords.

In an article last Friday, November 3, Martha Spurrier, director of Liberty, an organisation which campaigns for civil liberties and human rights in the UK, drew attention to a little-noticed provision in the Bill, Schedule 2, Part 1, Section 4.1 – Immigration, which reads:

The listed GDPR provisions do not apply to personal data processed for any of the following purposes—
    (a) the maintenance of effective immigration control, or
    (b) the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

While, as Spurrier notes, the intent of the Bill is, as the government puts it, to “empower people to take control of their data”, she says that “it will strip millions of their rights.”
As Spurrier writes, contrary to the stated intentions of the legislation, the real impact of Schedule 2.4 is that:

…any government agency processing data for immigration purposes will be free of those pesky data protection obligations we’ve developed through successive Acts of parliament – and signed up to through the EU’s General Data Protection

In practice, the exemption will create a two-tier data rights regime. When an agency relies on the exemption, individuals will lose their right to know what information is held about them, who is processing it and why.

They will not be able to correct or erase information held about them – which doesn’t bode well considering how much of the data held on us is out of date or just plain wrong.

She goes on to note that the lack of a definition of effective immigration control or activities that would interfere with it “makes it practically impossible to draw up a list of all those who could be caught up”. “The exemption could also be used to facilitate the sharing of personal data between public services and the Home Office if it’s decided checking everyone’s entitlement to access healthcare, education or social housing is necessary for effective immigration control.”

She concludes that the idea “that personal data collected for one purpose can’t be used for another without the individual’s informed consent is the cardinal principle of data protection. This exemption makes a mockery of it and sets a damaging precedent for the privacy rights of all of us.”

What has this got to do with Brexit?

Simply, it is one more potential barrier, and a significant one at that, to the free flow of personal data from the EU to the UK after Brexit.

That public authorities could have such unfettered rights to citizens’ personal data, without citizens being aware of what data is being held, could make it extremely difficult for the European Commission to issue an “adequacy decision” on the UK’s data protection regime. Such a decision is vital if personal data is to flow freely from the EU to the UK without individual businesses having to go through complex procedures to put in place binding corporate rules or avail of standard contractual clauses, which are, in any event, being called into question by privacy campaigners as failing to offer sufficient protection for data transferred to the US.

But “data adequacy decisions” are not easy to come by and can take years. Only a handful have ever been issued. See here for details.

The EU Parliament is also likely to have a good deal to say on the matter. And what it has to say will not be kind to the UK.

The data economy in the EU was estimated to be worth €272 billion in 2015, or around 2% of the EU-28 GDP. And that figure is expected to rise to €643 billion by 2020, according to the UK’s Department for Exiting the European Union. 43% of EU tech companies are based in the UK and 75% of the UK’s data transfers are with the EU Member States. Over 70 per cent of the UK’s trade in services is supported by personal data flows as the government noted in a position paper last August: “Data flows between the UK and the EU are crucial for our shared economic prosperity and for wider cooperation, including on law enforcement.”

The UK government believes that it is taking the necessary steps to ensure it is aligned with the requirements of EU regulations and to comply with European legislation, post-Brexit.

Further, to consolidate the relationship, it is proposing “a UK-EU model for exchanging and protecting personal data, […] providing sufficient stability for businesses, public authorities and individuals.” This would ‘build on the existing adequacy model’, and would see continued engagement of the UK Information Commissioner’s Office with other EU regulators. In other words, it wants the UK’s data commissioner to still have a seat at the table.

However, as we have previously noted in these BEERG Brexit Briefings, there is a major obstacle in the way of the EU issuing a “data adequacy decision” as regards the UK, post-Brexit. The Investigatory Powers Act, which came into force at the end of last year, allows the U.K. government to monitor large batches of data, collect people’s browsing records and hack citizens’ phones and computers for security purposes.

The Act was initiated by Prime Minister Theresa May when she was still at the Home Office. Critics, such as the German Green MEP Jan Philipp Albrecht, have suggested that the Act gives the UK security services more far-reaching powers than their US counterparts. It was concerns over the extent of the access by the US security services to the personal data of EU citizens which had been transferred to the US that led to the collapse of the old Safe Harbour Agreement and its replacement by the Privacy Shield arrangement.

EU law provides for exemptions from general data protection principles in matters of:
•  national security and defence;
•  the prevention, investigation, detection and prosecution of criminal offences;
•  the protection of data subjects and the rights and freedom of others.

But these exemptions only apply to EU and EEA member states. They do not apply to “third countries”, EU terminology for countries that are completely outside the EU/EEA framework. After Brexit, as it has been defined by the UK government, the UK will be such a “third country”, and so the security exemption will no longer apply. The problems the Investigatory Powers Act creates in securing an “adequacy decision” from the EU will be further exacerbated by Schedule 2.4, as discussed above.

There will be many in the UK who will argue that, even in the absence of an overarching Brexit agreement, the EU will cut “mini-deals” with the UK, including one on data flows. But then again, maybe not. As Sir Ivor Richards said in his comment to a House of Commons committee a week back:

What is going to happen? In the absence of a deal, have the French, Belgians or Dutch any incentive to sort that problem (customs blockages), or do they have an incentive to keep us stewing? In the area of data protection, do they have an incentive ultimately to cobble together some agreement at the last minute in order to keep data flows, or do they have an incentive to maximise the flow of UK business that has to shift to the continent?

The Investigatory Powers Act is already on the statute books. Schedule 2.4 of the Data Protection Bill is not.

Spurrier makes her own arguments as to why the provision should be opposed.

We simply seek to draw attention to the fact that it places another enormous brick in the wall as regards future data flows between the EU and the UK when Brexit bites.


The UK, Data Protection and Brexit

Written August 9th 2017

This week, the UK government published details of its Data Protection Bill, which will enshrine the EU’s General Data Protection Regulation (GDPR) into UK law (here).

The new legislation will become effective in May 2018, when the GDPR comes into force across Europe. The potential penalties for breaching the new data law are severe: up to 4% of global turnover or €20m, whichever is the greater. The EU recently hit Google with a fine of €2.4 billion over alleged market dominance abuse, so national data regulators won’t be shy of imposing big fines on companies that break the new laws.

Unfortunately, the documents published by the UK government with the announcement of the new Bill have precious little to say about Brexit and data flows. The only real reference reads:

“Unhindered flow of data, therefore, is essential to the UK forging its own path as an ambitious trading partner. That is why the government will be seeking to ensure that data flows between the UK and the EU, and also appropriately between the UK and third countries and international organisations, remain uninterrupted after the UK’s exit from the EU. Cooperation with the UK’s law enforcement and security partners, both in Europe and beyond, will also remain a priority.”

The government’s press release also quotes Julian David, CEO of techUK, as saying:

The UK has always been a world leader in data protection and data-driven innovation. Key to realising the full opportunities of data is building a culture of trust and confidence.

This statement of intent is an important and welcome first step in that process. techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.

Both of these statements are statements of hope rather than fact. Simply because the UK, after it leaves the EU, will continue to mirror EU data protection laws does not guarantee that the EU will consider it a country to which it is safe to transfer EU citizens’ personal data. “But we have the same data laws as you” on its own won’t cut it.

Why? The GDPR will allow EU member states to freely circulate personal data among themselves, as does the existing 20-year-old Directive. It also allows member states certain derogations from the strict data protection principles of the Regulation in cases of national security. But the same national security derogations do not apply to “third countries”, as countries outside the bloc are known.

Given current government policy, after Brexit the UK will be such a “third country”, standing in a similar position to the EU as the US does today. To transfer data from the EU to the US, many US companies make use of the “Privacy Shield”, an agreement negotiated between the EU and the US when the older “Safe Harbour” agreement was struck down by the Court of Justice of the European Union (CJEU). The CJEU struck down “Safe Harbour” because it concluded that it did not provide sufficient protection for EU citizens’ personal data from being picked over by US security agencies once such data arrived in the US. The “Privacy Shield” is now under legal challenge for the same reasons.

The other ways of legally transferring personal data from the EU to the US, binding corporate rules and standard data protection clauses, are also under legal scrutiny.

The most legally secure way of transferring data from the EU to a “third country” is for the European Commission to issue an “adequacy decision”, a decision which says that the data protection regime in the third country is sufficiently robust that it is safe to transfer EU citizens’ personal data there. However, the Commission has only ever issued a handful of such decisions. Canada and Switzerland are on the list. The US is not.

Back to why we said that the two statements quoted at the top of this note are statements of hope rather than fact. There are many people within the EU’s governance system who regard the access that the UK’s security services have to personal data as more intrusive than that of the US. They point to the Investigatory Powers Act 2016, widely known as the “Snoopers’ Charter”, to underscore their argument.

While the UK remains a member of the EU the Investigatory Powers Act 2016 is protected by the national security derogation. But once the UK becomes a “third country” all bets are off. Given the extent of the surveillance authorised by the 2016 Act, the EU Commission will find it extremely difficult to issue an “adequacy decision”. Even if it does, it will take some considerable time to do so.

Now it is possible that the issue of data flows may be resolved in negotiations between the EU and the UK as regards the future relationship between the two. But don’t bet the farm on it. The gap across all the issues in play between the two sides is enormous and the time to bridge that gap gets shorter by the day. The politics are poisonous. March 2019 could quickly arrive with no deal in place. If that happens, the data shutters come down, overnight.

One of the main drivers of the Brexit referendum result in the UK was a desire to limit the “free movement of people”, aka immigration from the EU. The “free movement of data”, which is probably more important to the UK economy than the free movement of people, may well turn out to be collateral damage.


Data protection and Brexit

Written on July 19th

Writing about Brexit in the Observer last Sunday, 16 July, Gus O’Donnell, a former cabinet secretary and head of the UK civil service, said:

…we need to start being honest about the complexity of the challenge. We keep being told by our politicians that Brexit can be delivered easily. This isn’t correct. Believe me, we are embarking on a massive venture. There is no way all these changes will happen smoothly and absolutely no chance that all the details will be hammered out in 20 months… We will need a long transition phase, and the time needed does not diminish by pretending that this phase is just about “implementing” agreed policies as they will not all be agreed.

This is as accurate as it gets about the realities of Brexit. O’Donnell’s warning comes a day after the Financial Times published a piece which noted that:

UK industry leaders have ratcheted up the pressure on the UK government by warning that a breakdown of Brexit negotiations resulting in no deal would be “catastrophic” with “massive disruption” leading to a sharp contraction in output.

Industries as diverse as road haulage and orchestras are sounding the alarm and warning that threats of walking away without a deal raise the prospect of an extremely difficult outcome for Britain in March 2019.

We are used to seeing trucks backed up on the M20 if traffic from Dover to Calais is disrupted for whatever reason. If the UK crashes out of the EU in March 2019 it is something we will see on a daily basis as customs checks are reintroduced and the 16,000 trucks that cross the channel every day take 20-30 minutes each to process, as opposed to seconds today.

What you won’t see is the personal data transfers from the EU to the UK that are blocked on the far side of the channel because it will be illegal to export such data to the UK.

In May 2018, the General Data Protection Regulation (GDPR), which updates the 1995 Data Protection Directive, comes into force across the European Economic Area (EEA = EU + Norway, Liechtenstein and Iceland). A Regulation, as opposed to a Directive, does not need to be transposed into national law but applies to all EEA countries from the date it comes into force, though some tweaks to national law may be required.

When the GDPR comes into force, the UK will still be part of the EU, so the Regulation will apply to the UK and will be brought into UK domestic law through the so-called Withdrawal Bill. Because of this, some have assumed that, since UK data protection law will be exactly the same as EU data protection law, there should be no problems with data flows, even in the event that the UK leaves the EU with no deal.

This is simply not the case.

Crashing out of the EU without a deal means the UK becomes what the EU regards as a “third country”, and the personal data of EU citizens can only be transferred to third countries if the European Commission certifies that their data protection rules are “adequate”. In the jargon, the Commission issues an “adequacy decision.”

According to the Commission’s website (here):

The Council and the European Parliament have given the Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The adoption of a (comitology) Commission decision based on Article 25.6 of the Directive involves:

• a proposal from the Commission;
• an opinion by Member States’ data protection authorities and the EDPS (European Data Protection Supervisor), in the framework of the Article 29 Working Party;
• an approval from the “Article 31 Committee”, composed of representatives of Member States, under the comitology “examination procedure”;
• the adoption of the decision by the College of Commissioners;
• at any time, the European Parliament and the Council may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Directive.

The effect of such a decision is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.

The Commission has so far recognized Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.

An adequacy decision, therefore, is not something that can be granted overnight or by a stroke of the pen by the Commission. A complex and detailed procedure is involved.

If the Withdrawal Bill does incorporate the GDPR into UK law that will mean that UK data protection legislation is the same as EU data protection legislation. But that may not be sufficient for the EU to grant an adequacy decision.

In 2015 the Court of Justice of the European Union (CJEU) struck down what was known as the “Safe Harbour” agreement between the EU and the US, one of the procedures that allowed for the transfer of personal data from the EU to the US. This judgement immediately impacted some 4,000 companies who used the procedure. The reason for the judgement was the finding by the court that the US’s National Security Agency (NSA) had too easy access to the data of European citizens transferred to the US.

A replacement agreement was negotiated between the two sides, the Privacy Shield, but that is now also under legal challenge. Last January, President Trump signed an Executive Order, Section 14 of which reads:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Many in the EU governance system fear that the ability of the UK intelligence agencies to access citizens’ data is even greater than that of the US agencies. Jan Philipp Albrecht, a German MEP who was the European Parliament’s point man on the GDPR, has long questioned the possibility of UK rules being deemed adequate by the European Commission. “Due to GCHQ blanket surveillance [programmes] and less safeguards for intelligence services than in the US I doubt it,” he said in a 2016 tweet. As long as the UK remains in the EU, or the Single Market, there is nothing that the EU can do about GCHQ. Outside both it is a different matter.

There are other ways of transferring data to third countries, such as “binding corporate rules” and “model contracts”. But even these are under threat, with the Irish Data Protection Commissioner having referred a case involving binding corporate rules to the CJEU. Nevertheless, it would be worth exploring with legal advisers whether binding corporate rules or model contracts could help avoid a “cliff edge” on data transfers in March 2019.

So, as of today, absent a deal between the EU and the UK over the terms of Brexit, personal data flows from the EU to the UK could hit the buffers on March 29, 2019. If Gus O’Donnell is right, and I believe he is, prepare for computer screens to go blank if you have not put contingency plans in place.