The Fate of the Flow
Will the UK and EU be able to continue the free flow of data post-Brexit?
As the UK exits from the EU, there is much to sort out. But one of the most overlooked issues is that of data flows between the UK and EU post-Brexit. In August last year, the UK government set out its proposals to ensure that “personal data would continue to move back and forth between the UK and the EU in the future in a safe, properly regulated way.”
It is perhaps the intricate legal technicalities which have made the issue of data flows a less exciting one than customs union arrangements or single market access. But it remains an important issue nevertheless. The UK is home to a plethora of innovative tech startups which will be vital to the future strength of the UK economy. Being able to maintain data flows post-Brexit is thus of the utmost importance.
Central to the question of continuing data flows post-Brexit is the EU’s General Data Protection Regulation (GDPR). This Regulation makes provision for the protection of personal data being processed by businesses and others. The new rules managed to attain an interesting fame in the run-up to their coming into force in May: many witnessed their inboxes being clogged with emails indicating changes to the privacy policies of various companies and organisations.
But the GDPR’s strict provisions and extra-territorial reach, which are quickly making the EU the gold standard when it comes to data protection, have triggered frantic changes in how businesses handle personal data. It is thus a significant upgrade of the old regulatory framework in this area, and will very much dictate the fate of data flows between the UK and EU post-Brexit.
Permission to Flow
Article 45 GDPR stipulates that the EU Commission may decide whether data can be transferred to third countries (non-Member States). Such a decision will be made in consideration of a number of criteria so as to ensure that the third country to which data are transferred provides an “adequate level of protection” for that data. Essentially, the Commission will assess whether the third country in question has in place a data protection regime that is of the same standard as that of the EU, as outlined by the GDPR.
In making such a decision, the Commission will take into account a number of factors, such as the country’s human rights protections and its national security regime. However, it was pointed out in the Schrems judgment that the third country in question does not have to replicate all aspects of the EU rules regulating data processing. Rather, the Commission should assess whether “the foreign system concerned as a whole delivers the required high level of protection”, paying particular attention to “the substance of privacy rights and their effective implementation, enforceability and supervision.” An adequacy decision will also involve an opinion submitted by the European Data Protection Board (EDPB) as well as approval of representatives from each of the Member States.
So far, the likes of Canada, New Zealand and even Argentina have obtained adequacy decisions from the Commission. But even where a country has obtained such a decision, it is subject to review by the Commission every four years, meaning those third countries must continue to uphold the required data protection standards to maintain the flow of data from the EU.
It seems that, on the face of it, the UK should be able to obtain an adequacy decision under Article 45 so as to maintain the flow of data to and from the EU post-Brexit. As a current Member of the EU, the UK has already undertaken the legislative work to give the provisions under the GDPR full legal effect in the UK. This is made evident by the recent passage of the Data Protection Act 2018. While the GDPR itself is directly applicable (meaning that it does not require Member States to pass legislation to give effect to its substantive provisions), it does leave Member States with further legislative work to be done to fill in the white spaces. Thus, the 2018 Act makes provision for the duties, functions and powers conferred on the Information Commissioner’s Office (ICO), the UK’s supervisory authority, by the GDPR. The Act even goes beyond the requirements of the Regulation by subjecting the intelligence service to certain provisions based on the Council of Europe Data Protection Convention 108 as well as the Regulation itself.¹
Another factor favouring the UK’s case for an adequacy decision by the Commission is its strong supervisory authority, the ICO. Article 45 does state that the Commission should consider whether the third country seeking a decision has “effective administrative and judicial redress for the data subjects whose personal data are being transferred.”
The role of the ICO is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” It has been able to respond to many instances of data breaches, including that which took place at TalkTalk in 2015 which led the Office to impose a record fine on the company for its inadequacies in data protection. It is also currently investigating the potential illegalities at Cambridge Analytica and has also started investigations into the data breach that took place recently at Dixons Carphone.
The ICO has thus proven that it is capable of dealing with breaches of data protection rules and has not shied away from using the powers at its disposal. Thus, the EU Commission should be able to recognise the strength and competence of the UK’s supervisory authority when making an adequacy decision under Article 45.
Even so, there are two potential problems the UK may face in achieving adequacy post-Brexit. The first is that there may be a significant hole in the UK’s legal fabric post-Brexit. The right conferred on individuals under EU law that is the focus of the GDPR is found in Article 8 of the EU Charter of Fundamental Rights, which provides the right to the protection of personal data. The GDPR itself does not confer the right to data protection but rather provides a framework to follow in order to give effect to, and properly protect, the right already conferred by Article 8. It is stated under Article 1 that the Regulation “lays down the rules relating to the protection of natural persons with regard to the processing of personal data” and protects “their right to the protection of personal data.” Thus, Article 8 stipulates a duty for the Member States to protect a particular right and the GDPR mandates how that right should be recognised and protected.
The EU (Withdrawal) Bill, commonly known as the ‘Great Repeal Bill’, is the piece of legislation that is supposed to achieve legal continuity for the UK post-Brexit. As such, the Bill, when passed, will “repeal the European Communities Act 1972 and make other provision in connection with the withdrawal of the United Kingdom from the EU.” The role of the Bill then is to, in a sense, ‘copy’ all the EU law which is currently effective in UK law and ‘paste’ it into UK law itself. Notably, however, the UK government does not intend to incorporate the EU Charter into domestic law. Hence, the Bill, as it was first introduced, states under Clause 5 that “[t]he Charter of Fundamental Rights is not part of domestic law on or after exit day.”²
As such, one can spot the significant gap that could potentially materialise if such a provision under Clause 5 were to stand. While the Data Protection Act 2018 reiterates the GDPR, the Act would be protecting a right which would not actually exist in UK law. This would be the case unless that same right could be found elsewhere in UK law. However, since the UK has been a Member of the EU and thus has been able to rely on the Charter as conferring certain rights by virtue of that membership, it may very well be the case that no such right to data protection was ever codified. The Charter would have made it unnecessary to do so. Furthermore, the 2018 Act itself would probably not be enough to make up for the omission of the right, as has been argued by Andrew Murray of the London School of Economics:
A domestic UK Data Protection Act cannot adequately replace the fundamental right to data protection found in the EU Charter. Such an Act, which is always subject to Parliamentary repeal, will only replicate the framework of data protection as found in the subordinate EU Legislation (the GDPR). Only if the UK Government were to adopt a right to data protection in some form in the proposed British Bill of Rights would there be true equivalence for Article 8 in domestic law.³
Therefore, UK law, if the Great Repeal Bill were to pass in its current form, would be protecting a right which did not actually exist. Such a loophole could be potentially detrimental to the UK achieving adequacy post-Brexit. If the UK does not incorporate the Charter, or otherwise replicate Article 8 in domestic law to the EU Commission’s satisfaction, then obtaining adequacy may be put into question.
The other problem the UK may face relates to its current mass surveillance regime. A number of significant steps have been taken since the Snowden revelations in 2013 to make the work of the UK’s intelligence agencies more lawful and transparent. The provisions under the 2018 Act relating to the intelligence service are an example of this. But the passage of the Investigatory Powers Act 2016 is the most significant: it is a comprehensive piece of legislation that imposes stronger legal safeguards and protections against state surveillance than those that existed beforehand.
However, there remain some snags which may become relevant when assessing the UK against the criteria of Article 45. Those shortcomings were identified in a recent High Court judgment in April in which it was held that some of the provisions in Part 4 did not meet certain requirements of EU law. In addition, the Investigatory Powers Tribunal (IPT) has asked the European Court of Justice (ECJ) whether the requirements in Watson, which relate to the retention of data, apply in a national security context. If the ECJ holds that they do and the IPT subsequently holds that the Act fails to meet those requirements, then further amendments would need to be made in response to such a ruling as well as the High Court judgment in April.
Thus, as well as addressing the problems relating to the Charter, the government will have to make a number of changes to its mass surveillance regime in order to improve its chances of achieving adequacy.
More Please
The UK’s ambitions go beyond achieving mere adequacy though. Its preference is thus to achieve an agreement with the EU which not only allows for the flow of data between the two, but also includes other aspects that would be advantageous to the UK and the EU. Such an intention has been made quite clear by the Prime Minister in two important speeches this year. In her first one, the Munich speech that was made in February, Mrs. May emphasised the importance of maintaining data-driven law enforcement and co-operation with EU agencies so that “people across Europe are safer.” In her second speech, the so-called Mansion House speech made in March, the Prime Minister said:
“…we will be seeking an adequacy arrangement and ongoing regulatory cooperation through an appropriate ongoing role for the UK's Information Commissioner's Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.”
The EU Commission has acknowledged that such data treaties can be negotiated with third countries, although separately from a trade agreement. This is due to the fact that the EU sees the right to data protection as a fundamental right which could never be subject to negotiation. As such, if the UK seeks an agreement on data flows with the EU, then it would have to be agreed and arranged independently of a treaty on trade.
Judging by the speeches made by the Prime Minister and the documentation which the government has released publicly so far, there are two main things that the UK would want to include in a potential data treaty. The first is an ongoing role for the ICO, presumably meaning that it should have some involvement in the work of the EDPB. The second is participation in the ‘one-stop-shop’. This refers to an arrangement for designating a lead supervisory authority to which complaints are made when there is an alleged breach of data protection rules. So where controllers or processors carry out processing activities through establishments in several Member States, the supervisory authority in the jurisdiction of their “main establishment” will take the role of lead supervisory authority.⁴
The UK, in seeking a possible treaty on data transfers, has emphasised the advantages of such a treaty for both UK and EU businesses. It has pointed out that data flows contribute $2.8 trillion to the world economy. Specific to UK-EU relations though, “EU exports to the UK of data reliant services were worth approximately €36 billion in 2016”, which includes “a diverse range of sectors such as finance, telecoms and entertainment.” The UK has therefore been clear: achieving a treaty on data is in the economic interest of both negotiating parties.
If the UK is to successfully negotiate and conclude such an agreement though, it is quite clear that mere adequacy is an essential starting point. Unless this is so, the EU Commission is very unlikely to even begin discussions on the additional provisions the UK may want to seek. Even the ECJ has been insistent that such a starting point is essential for any data treaty. The Court has held that such a treaty can only be concluded where the third country seeking such an arrangement “ensures a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.”⁵ This is underpinned by the ECJ’s stipulations in Kadi, in which it held that the EU could not act in a way that contravenes EU law or the Charter.⁶
Thus, for any data treaty, the UK will need to meet the criteria under the GDPR as a bare minimum. In such a case, any treaty negotiations would be subject to the same problems the UK would need to address when achieving mere adequacy. Thus, until those problems are addressed, any data treaty would be seemingly out of the question.
Yet, even if the UK were to resolve such issues, the EU itself has not shown much enthusiasm for a data treaty so far. Michel Barnier, the chief Brexit negotiator for the EU Commission, has said that the EU will not give up its decision-making autonomy granted under Article 45, which would be the natural consequence of any treaty concluded with the UK. In a recent speech, Barnier insisted that the EU “cannot, and will not, share [its] decision-making autonomy with a third country, including a former Member State who does not want to be part of the same legal ecosystem as [the EU].” If this sentiment holds, then even if the UK were to eradicate its shortcomings in achieving adequacy, it seems as though the EU Commission will view this as good enough for a decision under Article 45 and nothing more. This would seem to be the case even where a potential data treaty could be, as argued by the UK, in the economic interest of both parties, as Barnier also definitively stated in his speech that “Brexit is not, and never will be, in the interest of EU businesses.”
Conclusion
The fate of data flows between the EU and the UK hangs in the balance. For the latter, domestic legal flaws pose the most serious threat. Nevertheless, the EU should also be concerned, considering the rising clout of data in the workings of the modern economy. It is thus in the interest of both the UK and the EU to reconcile their differences. Failing to secure a treaty or even an adequacy decision would mean businesses having to rely on binding corporate rules (Article 47) or standard clauses to be able to transfer data from the EU to the UK, an exercise which could be particularly cumbersome for small firms. Businesses would much rather have a treaty in place as this would provide greater certainty than an adequacy decision which would be subject to review. Yet, even a treaty could face the same struggles as the EU-US Privacy Shield and be challenged in the courts. In the context of Brexit though, such uncertainty is, unfortunately, very much the norm.
Sources:
[1] These are contained in Part 4 of the Act from sections 82 through to 113.
[2] While the House of Lords proposed an amendment to Clause 5 to incorporate the Charter into UK law post-Brexit (except for the preamble and the provisions under Chapter V), the House of Commons voted against this for the reason that “none of the Charter of Fundamental Rights should be part of domestic law on or after exit day.”
[3] A Murray, ‘Data Transfers Between the EU and UK Post Brexit?’ (2017) 7 International Data Privacy Law 149, 151
[4] See ‘Guidelines for identifying a controller or processor’s lead supervisory authority’ adopted by the Article 29 Data Protection Working Party in April 2017.
[5] Opinion 1/15 of the ECJ (Grand Chamber) ECLI:EU:C:2017:592, [para. 214]
[6] Case C–402/05 P and C–415/05, Kadi and Al Barakaat International Foundation v Council and Commission [2008] ECR I–6351