There have been a couple of developments this week which may help shed some light on the approach that the Government plans to take in relation to data protection law in the UK following Brexit, and how this will impact on the General Data Protection Regulation (GDPR), which comes into force in May 2018.
Providing equivalence to the GDPR
Yesterday, the Government published its white paper on Brexit. Sections 8.38 to 8.40 deal with data protection, but do not reveal much other than the Government’s intention to “seek to maintain the stability of data transfer between EU member states and the UK.”
The white paper notes that:
[t]he European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely
The Government would presumably seek to achieve this through a finding of adequacy by the Commission in respect of the UK data protection regime.
In terms of future UK data protection law itself, the white paper goes on to say that the Great Repeal Bill will preserve “all EU laws which are directly applicable in the UK (such as EU regulations)”. That would include the GDPR, which will come into force prior to Brexit occurring.
The Government’s position in the white paper was trailed earlier in the week when Matt Hancock MP, Minister of State for Digital and Culture, Department for Culture, Media and Sport, appeared before the EU Home Affairs Sub Committee. The Minister said that legislation to mirror the GDPR will be brought forward in the next parliamentary session.
However, even if the GDPR is mirrored into UK domestic law, a finding of adequacy may not be automatic.
In particular, UK legislation such as the Investigatory Powers Act is likely to be subject to close scrutiny. The point here is that whilst the challenge to the IP Act’s predecessor (the Data Retention and Regulatory Powers Act) did not inhibit the free movement of data between the UK and other parts of the EEA, post-Brexit such transfers will be dependent upon a finding of adequacy in respect of the UK. In determining whether or not to make that finding, the European Commission will look at the broader regulatory regime dealing with access to and use of personal data (including surveillance powers).
This is not a hypothetical observation – the ruling declaring the EU/US Safe Harbor scheme unlawful centred on the surveillance powers of US law enforcement agencies, and led to several months of chaos and uncertainty caused by the sudden removal of the legal basis for thousands of EU/US data transfers.
The white paper goes on to say that “the preserved law should continue to be interpreted in the same way as it is at the moment”.
How this will work in practice is unclear. The GDPR will delegate certain acts to the European Commission and will be supplemented by guidance from the European Data Protection Board (EDPB) (the successor to the current Article 29 Working Party).
The Information Commissioner’s Office has already acknowledged that upon Brexit the ICO will cease to be a member of the EDPB, and therefore the ICO will cease to have formal influence over the development of that guidance.
Will the UK simply adopt the Commission’s delegated acts and EDPB guidance or will it develop its own guidance?
If the latter, then the desire for friction-free data transfers may be frustrated as data controllers juggle differing rules and guidance in the UK compared to those which apply in the rest of the EEA.
It is also unclear whether and how the UK might continue to benefit from the international data transfer arrangements that the EU has in place with countries outside the EEA (for example, the Privacy Shield arrangement with the USA). Would the UK have to put in place its own Privacy Shield style arrangement, or can it piggyback on the existing arrangements?
Data controllers will welcome early answers on all of these questions. Meantime, they should continue to prepare for the GDPR coming into force in May 2018.