Data protection, data flows, and a data adequacy agreement

Question:
The issue of data protection and data flows, post-Brexit, is the fundamental question for the digital and tech sectors.

GDPR is one piece of a healthy data flow framework, and the UK is not a healthy country by any measure. Other issues, including other policies on data protection, privacy, adequacy, and data flows, are only beginning to be recognised with a matter of months before the UK, and its digital sector, is taken out of the Digital Single Market.

Relevant policies and issues:

  • GDPR and data protection in general
  • Privacy Shield
  • Data Adequacy
  • Council of Europe convention
  • Data sharing within EU bodies
  • Data flows with non-EU countries

GDPR and data protection in general

  • In October 2016 the UK government confirmed that the UK will implement GDPR.
  • The UK Information Commissioner subsequently set out how the ICO will support implementation over the next two years.
  • In December 2016 the Commons held a surprisingly rich debate on GDPR post-Brexit.
  • In March 2017 the EU Committee of the House of Lords drew attention to post-Brexit GDPR and data flow issues.
  • Also in March, the European Scrutiny Committee of the House of Commons reviewed the issue, and provided yet more background analysis.
  • In spring 2017 UK Gov ran a consultation on the UK’s GDPR implementation, including derogations.
  • On 21 June the Queen’s Speech announced the Data Protection Bill, the legislation intended to act as the bridge between GDPR and any post-European data protection regime.
  • On 7 August UK Gov launched a publicity campaign about the Data Protection Bill, most of which blatantly claimed the changes the UK was receiving anyway under GDPR as the UK’s ideas, and indeed, the work itself as Matt Hancock’s.
  • On 18 August the House of Lords warned of the dangers of hindering data flows after Brexit.
  • On 27 July the House of Commons research service published a useful basic briefing on data protection after Brexit.
  • On 24 August the Department for Exiting the EU released a remarkably flawed white paper on data flow adequacy after Brexit.
  • In her Mansion House speech of 1 March 2018, Theresa May declared:
    Fourth, we will need an arrangement for data protection. I made this point in Munich in relation to our security relationship. But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing tehe UK’s strong trading and economic links with the EU. That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.This revealed several worrying things: first, the audacity of claming the UK’s “exceptionally high standards of data protection” as a domestic achievement when they are in fact European; second, the desire to secure “more than just an adequacy agreement”, a tacit admission that her government knows that there is no way the UK will be granted adequacy based on its own domestic surveillance legislation; third, the desire for an ongoing role for ICO, a suggestion which is impossible under current EUDPB rules; and a discussion of the “one stop shop” mechanism as a non sequitur.In other words, this was the opposite of clarity and assurance.
  • Ahead of its second reading, the House of Commons Library published an excellent summary of progress on the Bill up until March 2018.
  • The Data Protection Act 2018 received royal assent on 23 May 2018.

And so we come to what happens now.

In September 2018 DCMS published its guidance on what would happen to data protection in the event of a “no deal” Brexit. With the arrogance the sector has come to expect from Government, the report boasted that “[i]n recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.” We’re alright Jack. Of course, that’s not the problem.

For information travelling in the other direction – from the EU to the UK – every recipient would become responsible for putting in place its own legal structure to replace what we took for granted under the single market. The guidance suggests that until an adequacy agreement is hammered out (assuming it ever is), organisations should look at standard contractual clauses, derogations, or the other commercial mechanisms normally associated with larger businesses and fully staffed legal departments. Writing in the Irish Independent, Maria Farrell notes that it costs a UK company about £10,000 to put its own EU-acceptable contract clauses in place.

It goes without saying that this would destroy the ability of small UK digital businesses to work with anyone but other British businesses and to serve anyone but British customers – which would certainly suit some Brexiters down to the ground.

The European Commission’s advisory note on data protection and Brexit, published in January 2018, reiterated the paperwork burdens ahead for businesses trading with Europe.

On the same day that the UK’s “no deal” guidance was published, the European Court of Human Rights ruled that the UK’s mass data interception and retention programmes – including TEMPORA, a bulk data store of all internet traffic; KARMA POLICE, a catalogue including a web browsing profile for every visible user on the internet; and BLACK HOLE, a repository of over 1 trillion events including internet histories, email and instant messenger records, search engine queries and social media activity – were unlawful and incompatible with the conditions necessary for a democratic society. This judgement, and the UK’s response to it, will absolutely contribute to the EU’s process of deciding whether the UK is worthy of a post-Brexit adequacy decision.

Other EU policies and issues related to data protection

Privacy Shield

  • In November 2017 the ESC looked at the review of the Privacy Shield system.
  • In a hearing of the EU Home Affairs Sub-Committee of the House of Commons on 20 December, Matt Hancock was asked whether Government (be it DCMS, DExEU, etc.) had carried out a domestic assessment of the US-EU Privacy Shield system, specifically as it affects the UK. He replied that he had seen the Article 29 Working Party review and supported its position. He was confident that the system is a good policy but understood the need to ensure enforcement on the US side. (In other words, no assessment has been carried out.)
  • The Committee’s February review of Margot James MP’s responses to its questions on the Privacy Shield assessment makes for bleak reading: “As things stand there is no specific arrangement for UK national data protection experts to be involved in any way in relation for the comitology process for making third country adequacy decisions during the transition/implementation period.”

Data Adequacy

In July 2018 the Exiting the EU Committee published a crucial report, The progress of the UK’s negotiations on EU withdrawal: Data, on the UK’s need to secure data adequacy agreements ahead of Brexit.

The report made several recommendations premised on the slim chances of the UK securing both post-Brexit adequacy status and a seat at the proverbial table.

Despite the thoroughness of the report, the Chequers statement on Brexit, published just three days later, stated that “In keeping with our commitments to uphold international standards, the UK and the EU would also agree to maintain high regulatory standards for the environment, climate change, social and employment, and consumer protection“. It also proposed “regulatory flexibility where it matters most for the UK’s services‐based economy, and where the potential trading opportunities outside of the EU are the largest, recognising that the UK and the EU will not have current levels of access to each other’s markets…”

That statement did not mention aligned regulatory standards on data flows, and their importance to the tech and digital sectors, at all. That was not an accidental omission.

In June 2018 DExEU published a technical note (.pdf) on the benefits of a new data protection agreement, continuing their theme/belief/delusion that the UK can continue to be an equal partner at a table it has left. It even closes with the arrogant call to action on “Why the UK should be treated differently”.

In September 2018 Government published its response to the July report (above). As usual, it provided platitudes and talking points completely devoid of factual context.

In August 2018 the LIBE Committee of the European Parliament published a massive research report (.pdf, 132 pages) on options for a future data adequacy agreement. Among the points to note:

  • Whatever adequacy agreement results, it is not possible to assess whether it is adequate or not until the UK has left the EU; anything before that is assessing a theory and not practice;
  • The UK is a good potential candidate for a relatively straightforward adequacy agreement; however, the UK’s participation in the Five Eyes surveillance system, and its openly racist stance on immigration matters (Windrush anyone?), may hinder that agreement;
  • A Privacy Shield-type model is not feasible for the scope and volume of data exchanges at play, and a general adequacy finding would be a better option;
  • Also unsuited to the task are BCRs, which are only an option for large and well-resourced companies;
  • As are industry codes of conduct in lieu of a legal arrangement, with the committee noting that 23 years of European data protection practice have yielded one industry code of conduct deemed adequate;
  • Regarding the ICO’s future participation, no member state contributes to the European data protection framework outside the EDPB and the jurisdiction of the CJEU;
  • Finally, the committee recommends an 18 month “standstill clause”, during which data flows would carry on as before, in order for all parties to work towards an adequacy decision.

Council of Europe convention

For those of you who truly want to fall down the adequacy rabbit hole, consider the ESC’s July 2018 review of the recent modernisation of the 1981 Council of Europe convention on the processing of personal data (Convention 108). Would becoming a party to the Convention in its own right after Brexit pave the way for an adequacy decision? The September 2018 ESC follow-up indicates that yes, it could.

Data sharing within EU bodies

In November 2017 the ESC looked at the future of data protection within European institutions, which was a headache-inducing reminder that nobody who advocated for Brexit prepared for these questions at all.

In February 2018 the committee returned to the proposal on data protection and the EU institutions, noting that “as third country citizens, UK citizens might have to submit a greater volume of data to the EU to travel and work in the EU when they no longer have the free movement rights of EU citizens. We should clarify therefore that we and our predecessors were not concerned, as the Minister assumes, about different data protection rules applying to the EU institutions depending on whether the data of third country or EU citizens was being processed.”

The ESC has cleared the proposal on a regulation on data protection rules applicable to EU bodies from further scrutiny.

Data flows with non-EU countries

In May 2018 the European Scrutiny Committee examined the EC’s proposal on exchanging data with non-EU countries, an issue which will take on a new urgency once the UK qualifies as the latter.

As such, the Committee recommended that the document be debated in the House of Commons. Ahead of that debate, which has yet to take place, the Committee asked

a) Regardless of press reports, have these horizontal clauses on data flows in trade agreements been discussed informally or formally in Coreper or the Council yet? If so, what is the view of the UK and other Member States? If not, what is the Commission’s intention in producing the clauses?

b) What does Article B achieve, legally-speaking, in terms of personal data flows? Does it provide for data exchange based on mutual trust and mutual recognition by the EU and the third country in question of each other’s data protection standards? If so, would the clause satisfy the UK’s aspirations for a future data-sharing arrangement based on mutual trust as set out in its Future Partnership Paper?

For further background on some of these specific data flow agreements, see Tech UK’s briefing.

In September 2018 the ESC did a masterful job of using the answers given by Government to its May questions to demand further clarity and specificity on the plans for data flows in general; these questions are worth reading.

Last updated 24 September 2018