After a divisive referendum campaign, and three and a half years of seemingly endless political twists and turns, the first phase of Brexit is finally coming to an end. The UK will be leaving the European Union at the end of January, although there will be a transition period until at least the end of 2020. But the Brexit story is far from over, and there are plenty of challenges ahead.
Data protection didn’t really feature in the 2016 referendum campaign. Perhaps that isn’t surprising, as ‘technical’ issues were generally overshadowed by more emotional appeals. In the talks between the UK and the EU since the referendum, however, data protection has played a much bigger role, featuring in the text of both the withdrawal agreement and the political declaration. That’s because personal data is a key part of the global economy, and it’s crucial for all sides that the free flow of data continues uninterrupted.
One of the most important provisions in European data protection law is the prohibition on sending personal data outside the EU, unless there is an adequate level of protection. After all, what is the point of having very strict rules on processing personal data within the EU, if all these protections immediately fall away once data is exported? Once out of the EU, the UK will be subject to this prohibition, potentially affecting data flows between the EU and the UK.
One way of overcoming the prohibition is for the European Commission to adopt an ‘adequacy’ decision in respect of the UK. This is the stated goal of both sides, and there is clearly the political will to do so. But problems lie ahead. The EU is a legal order, and any decisions made by the Commission are subject to challenge through the courts. And there are number of cases currently in front of the European Court of Justice which could have a major impact on the future relationship between the UK and the EU.
In December, Advocate General Henrik Saugmandsgaard Øe issued an opinion in the latest round of legal battles between privacy campaigner Max Schrems and Facebook. This case relates to the use of standard contractual clauses approved by the Commission, another potential method of overcoming the export prohibition.
Data exporters across the EU and the UK were relieved that the Advocate General supported the continuing use of standard clauses, but with significant caveats. He argued that it was for EU-based organisations to monitor compliance with the standard clauses and to stop sending data where local law prevented personal data from being adequately protected.
This particular case concerned personal data exported to the US. The opinion looked in detail at the EU-US Privacy Shield, a partial adequacy decision for some organisations in the US, and concluded that there were serious problems with it. In particular, the bulk collection of personal data by US security services, which it found likely to undermine the protection of personal data.
Then, in January, Advocate General Manuel Campos Sánchez-Bordona issued an opinion in a series of linked cases brought by privacy groups against various European governments’ own policies of collection of communications data for national security purposes.
The Advocate General stated that EU law applies to data collection for national security, and therefore governments and private companies must comply with those EU law requirements. The opinion went on to say that the current arrangements in the UK and elsewhere do not comply with existing EU rules on data retention.
This isn’t the first time that the UK’s data retention rules have been subject to challenge through the EU’s courts. Of course, these EU rules will cease to apply to the UK at the end of the transition period, but an adverse decision from the Court is likely to impede the UK’s case for a quick adequacy decision.
Neither of these opinions is binding, although the Court agrees with the Advocate General in the majority of cases. If the Court does so in these cases, it leaves some very uncomfortable questions for the UK as we leave the EU.
How can the Commission possibly grant the UK an adequacy decision when its highest court believes that the UK’s use of personal data for national security is not compatible with EU law? How can EU-based organisations have confidence in any adequacy decision that may be vulnerable to future judicial challenges?
Data protection law has always had an international dimension. The UK’s first data protection law was passed more than 35 years ago by the Thatcher government in response to an international agreement, amid fears that the UK would lose out on international trade if it did not adequately protect personal data. Since then, the movement in data has become increasingly global, and rules governing data have significantly strengthened. The EU has been leading the way, with the UK playing a key role. Recent changes in data protection law in Japan and California, for instance, have been heavily influenced by the GDPR.
These latest cases show that, in data protection terms at least, the UK is likely to continue looking towards Europe for some time to come.
By Jon Belcher, Senior Associate at Blake Morgan
About the author
Jon has wide experience of drafting commercial agreements, with a specific focus on data sharing and processing agreements. He has advised on the data protection implications of large commercial transactions, including major public sector procurements, complex data export arrangements and direct marketing campaigns.
Most recently, Jon has been advising clients on preparing for the General Data Protection Regulation and implementing compliance programmes. Prior to 25 May 2018, Jon spent time on secondment with two clients, in the financial services and data analytics sectors, assisting them to develop their GDPR programmes. He also acted as lead advisor to clients in the media and utilities sectors in respect of GDPR compliance, and is regularly instructed by public sector bodies and charities in Wales and England on data protection matters.
Jon has significant experience advising public sector clients on their compliance with the Freedom of Information Act and the Environmental Information Regulations.
The post #Privacy: Data protection in a post-Brexit world: adequacy challenges ahead appeared first on PrivSec Report.