Unless there is a political earthquake (some would say a miracle), Brexit will happen on 29 March 2019. Many fear a hard Brexit. Some are hoping for a hard Brexit. A majority appear to want a soft Brexit. And many others would strongly prefer that Brexit wasn’t happening at all. But whatever its flavour, upon Brexit the UK will cease to be an EU Member State and become a so-called 'third country'. As a result, UK-based organisations, which in the context of transfers of personal data to countries outside the EU have always been exporters, will become importers of data originating from the EU.
This is a serious concern because transfers of personal data from the EU to third countries are severely restricted. So a key UK Government objective from day one has been to ensure that the UK is regarded as an adequate jurisdiction, which would allow unconstrained transfers of personal data from the EU. But will it be?
Achieving adequacy status is not easy. Since the adequacy concept was introduced in the 1995 Data Protection Directive, only 11 jurisdictions in the world have been declared adequate. That is because the procedure followed by the European Commission before granting this status is extremely thorough, and the conditions required to meet the adequacy test are exceedingly demanding. However, the standards are well publicised, and the European data protection authorities – which are tasked with guiding the Commission through the process – have always been clear about their expectations. These are succinctly spelled out in their Adequacy Referential document, which was updated as recently as February 2018. In a nutshell, according to the referential, providing an adequate level of data protection comes down to four factors: the robustness of the legal framework, the regulatory oversight and enforcement capabilities, the existence and effectiveness of individuals' rights and redress mechanisms, and the legal limits on the state's interference with people's privacy.
For most countries around the world, the first factor is already an impossibly difficult one. The EU measures other jurisdictions' data protection frameworks by reference to its own. It essentially seeks a system of laws that contains concepts, principles, rights and obligations resembling those established by European data protection law as closely as possible. That is a very tall order given the level of sophistication and long history of this area of law in the EU. But for the UK, this should be an easy tick in the box. The fact that the UK Data Protection Act 2018 implements into domestic legislation the EU's very own GDPR says it all. The Act mentions the GDPR 758 times, indicating just how prevalent EU data protection law will be in a post-Brexit UK. Similarly, the powers and intense level of regulatory activity of the Information Commissioner, as well as the degree of independence with which the Information Commissioner's Office ('ICO') operates, make it unquestionable that the UK has a strong regulator with the right capabilities. Another clear tick.
As the UK has implemented the GDPR in full and will continue to do so, it is also patently obvious that individuals can pursue legal remedies to enforce their rights. Needless to say, one of the primary functions of the ICO is to promote public awareness of data protection rights and to handle complaints. In addition, the UK courts have already upheld the rights of individuals under data protection law, proving that this test is also met. This leaves the final and more politically charged condition to be examined: the existence of guarantees intended to limit any interference with individuals' fundamental rights to privacy and data protection by the state. It was the European Commission's lack of assessment of this point that brought down Safe Harbor, so it is conceivable that much of its attention going forward will be placed here. How strong the UK's credentials are on this issue is the subject of debate.
No one can deny that the UK Government has been transparent and open about this thorny issue. A very public and intensely scrutinised process led to the adoption of the Investigatory Powers Act, which according to the UK Government strengthens safeguards and introduces world-leading oversight arrangements. Yet this law has also been described as the most intrusive mass surveillance regime ever introduced in a democracy. Somewhere in between those two views was a decision of the High Court, which in April 2018 concluded that the Act was in part incompatible with fundamental rights in EU law and needed to be amended. So based on that evidence, the European Commission will soon need to take an objective view on where the UK stands in the adequacy universe. Will an acrimonious Brexit determine the fate of this decision? Or will the Commission exercise the degree of pragmatism exhibited with the EU-U.S. Privacy Shield? Let us hope that logic and sense will prevail for everyone's benefit. For the UK – as for any democracy – guaranteeing fundamental rights will always be a work in progress, but at this moment in history, evidencing that work is essential if it is to secure a solid adequacy finding.
This article was first published in Data Protection Leader in August 2018.