As the UK edges closer to a decision on how it will leave the European Union, so all institutions in the UK are examining what the departure might mean for their practices and business models. The Information Commissioner’s Office, responsible for personal data protection, has begun an information campaign addressing business and third sector bodies about the steps which they must take before the EU’s general data protection regulation becomes effective in May 2018 (which may not be that long before the UK actually leaves the EU). Maintaining the regulation standards in the UK after departure from the EU will be important to ensuring that businesses in the UK can continue to exchange personal data with their counterparts in the EU. The perils of having a personal data protection system which is not compatible with EU rules has been exemplified by the Court of Justice’s decision in Schrems where the Commission decision that US personal data protection mechanisms were sufficiently robust to permit EU companies to exchange personal data under the Safe Harbour Agreement was struck down. The US system was patently inadequate according to the Court so personal data could not flow across the Atlantic on the basis of the regime.
Less attention has been paid, however, to the sister EU measure to the general regulation, the directive on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (repealing the framework Decision which had been in place since 2008 on the subject). This lack of interest is not surprising as the UK exercised its opt out in criminal justice to remain outside the scope of the directive. The result is that law enforcement bodies in the UK are not bound by the Directive and their entitlement to collect, use, store, exchange and transfer onwards personal data is not hampered by the directive’s provision. Yet, this does not mean that UK law enforcement bodies are likely to be untouched by the directive and its application after it has been implemented in all Member States by the end of the transitional period, 6 May 2018. The directive states in its preamble that it is based on the EU Charter of Fundamental Rights (the right to data protection) and the Treaty on the Functioning of the EU (Article 16 the right to data protection). Thus it gives effect to the right to data protection which might be interpreted as providing specificity only to an already existing right. The directive applies to all natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data (preamble 17). It does not apply to the processing of personal data by intelligence services as their activities are outside the scope of EU law.
The objective of the directive is to protect the data subject in accordance with fundamental rights. Therefore, as a starting place, all collection and processing of personal data must be lawful, fair and transparent in relation to the individual and only take place for purposes specified in law. People are entitled to be made aware of their risks, rules, safeguards and rights at the time of collection. Personal data collected for a specified, explicit and legitimate purpose must not be processed for purposes incompatible with the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. There is a wide range of obligations regarding accuracy, correction and deletion of personal data to protect the data subject. Any transmission of personal data to the private sector (for instance for processing) results in the private sector body being covered by the general data protection regulation as regards that data (the regulation is substantially more restrictive than the directive). Further, processing must be necessary, a test which must always take into account the protection of the vital interests of the data subject. Further transmission of personal data is prohibited subject to limited derogations which are clearly set out. Included are also various access rights for data subjects and any refusal or restriction of access rights must comply with the Charter and the ECHR. This duty comes with substantial responsibilities and liabilities on the data controller in the event of failure. Special provision is made for vulnerable persons in light of the severity of the risk which they may suffer as a result of inadequate data protection.
When the UK becomes a third country for the purposes of the EU (after BREXIT) it will come within Chapter V of the directive – transfers of personal data to third countries or international organisations (Articles 35 et seq). This transfer outside the EU to a third country (such as the UK will be) is an exception and is treated as such by the directive. Transfer of personal data may only take place if necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including the safeguarding against and the prevention of threats to public security, and that the data controller in the third country fulfils the requirements under the directive of a controller. The Commission is charged with carrying out an investigation to ensure that the third country provides an adequate level of data protection, where appropriate safeguards have been provided, or where derogations for specific situations apply. The objective is to ensure that should personal data be transferred to data controllers in a third country the level of protection of natural persons provided for in the EU is not undermined. This includes as regards the risk of onward transfer within the state but also the risk of onward transfer to another third country.
It will be the task of the Commission to decide for the Member States whether certain third countries offer an adequate level of data protection which will ensure legal certainty and uniformity throughout the EU regarding which third countries have adequate safeguards in place. The Commission is directed by the directive to carry out this assessment in line with the fundamental values on which the EU is founded, in particular human rights. The assessment must include:
- Respect for rule of law;
- Access to justice;
- Compliance with international human rights norms and standards in general and sectoral law including in relation to public security, defence and national security;
- Objective criteria including specific processing activities and the scope of applicable legal standards;
- Effective independent data protection supervision;
- Cooperation mechanisms with Member States’ data protection authorities;
- Effective and enforceable rights for data subjects;
- Effective administrative and judicial redress.
The Commission must monitor the functioning of decisions on the level of protection in a third country (eg the UK) and carry out a periodic review in consultation with the third country including relevant developments there. It must be open to the Commission to decide that the third country no longer ensures adequate data protection thus ending all personal data transfers except in the very limited and specific cases permitted outside of a positive Commission adequacy assessment.
The directive acknowledges that when personal data crosses borders there is an increased risk that the persons to whom it belongs will not be able to exercise data protection rights to protect themselves from unlawful use or disclosure of the data. Similarly, supervisory authorities may find themselves unable to pursue complaints or conduct investigations where the complaint relates to activities outside their borders. Further, supervisory authorities may be unable to work with their homologues in the third country on account of insufficient preventative or remedial powers and inconsistent legal regimes. In order to assist in the determination of the necessary powers for supervisory authorities, the directive states that those of the Member States must have the following attributes:
- Investigative, corrective and advisory powers;
- The power to bring infringements to the attention of judicial authorities;
- The power to engage in legal proceedings.
Presumably similar powers must be incorporated into the legislation on supervisory authorities of a third state as well if it is to be adequate for personal data transfers. Individuals affected by the use of their personal data must have the right to an effective judicial remedy before a competent national court including against the decision of a supervisory authority. That judicial procedure must produce legal effects both on fact and law, for the individual. Where there is a breach of the directive’s rules damage must be compensated.
Finally, the directive states that it respects fundamental rights and observes the principles recognised in the EU Charter of Fundamental Rights and the TFEU in particular as regards the right to private and family life, protection of personal data, the right to an effective remedy and to a fair trial.
What this means for the UK after BREXIT is that in order for the British police and criminal justice authorities to enjoy access to personal data available in other Member States, it will need to ensure that the data protection regime applicable to that data if transferred to the UK, will fulfil the requirements of the directive. It will need to seek an adequacy assessment from the Commission to assure Member States that its data protection house is in order and arrange with the Commission for periodic reviews of the UK’s relevant data protection scheme. If this is not desirable or possible then the British police and criminal justice authorities will not be able to obtain personal data from Member States except in the very limited circumstances where this is possible outside the adequacy assessment scheme. Further, the UK will be prohibited from onward transmission of personal data obtained from an EU Member State without going through all the authorisation procedures of the directive. Efforts in some quarters to ensure that British police and criminal justice authorities have access to and continue to participate in the EU criminal justice structures such as EUROPOL and EUROJUST even if successful will not be able to unlock access for British police and criminal justice authorities to personal data held by such EU institutions except on the basis of a Commission assessment on the adequacy of British data protection regimes.