Legal & Government Affairs Update Issue 8 - 2017
UK and EU prepare for Brexit data protection showdown
With Brexit negotiations back in full swing and the UK’s deadline for withdrawal from the EU looming ever closer, both the UK and European Commission have published position papers outlining their negotiating positions on the future cross-channel data protection relationship.
Getting a good deal here will be of particular importance to many businesses across the EU, where the data economy was estimated to be worth €272 billion in 2015. The continued ability of UK and EU entities to use data processed in the other jurisdiction will be key to many firms’ operations, as will the ability to freely transfer data between the UK and EU. Those affected will want to watch the progress of these talks keenly and, while there is substantial room for agreement between the two sides, there are key differences that will need to be resolved.
The UK’s paper was issued first, on 24 August 2017, by the Department for Exiting the European Union (DEXEU). In this paper, DEXEU seeks to emphasise the UK’s position as a world leader in data protection and sets out the aim to establish a system of mutual recognition on data protection between the UK and EU.
The proposed future relationship is to come to an early agreement on how to extend current provisions, perhaps with the UK maintaining the EU data protection regime that it will have in place on withdrawal, with an agreed negotiating timeline for establishing longer-term arrangements. This would imply that the UK intends to be able to diverge somewhat from the EU’s data protection regime in the future, but, in the short term at least, this position may address the concerns of both businesses and individuals who are looking for certainty and continuity.
The EU’s paper, published on 8 September 2017, sets out a somewhat different set of priorities. While the UK stresses the importance of continued co-operation and avoiding negative economic consequences, the EU’s position is that protecting the integrity of EU data after Brexit comes first. Where the EU sits on the UK’s access to data post-Brexit is clear:
“Access to networks, information systems and databases established by Union law is, as a general rule, terminated on the date of withdrawal.”
However, if the UK or entities operating from the UK want to keep and continue to use EU data received or processed in the UK before the withdrawal date, the EU says they will be allowed to do so if they satisfy certain conditions.
Firstly, the EU states that applicable EU law on the withdrawal date must continue to apply to the protection of personal data processed in the UK before withdrawal. This would include the General Data Protection Regulation (GDPR). Secondly, the EU wants to ensure the protection of classified information exchanged in the interest of the EU. Finally, the paper also outlines several other restrictions on the use of and access to data and information obtained before the UK’s withdrawal. If these conditions are not met, any data or information must be erased or destroyed.
In principle, this could be accommodated by the UK’s position with relative ease. The UK had a hand in drafting many of the provisions in the GDPR. The UK paper is quick to point out that its data protection framework will fully implement the EU framework at the point of Brexit and it is seeking to establish a short-term agreement based on this.
However, as with any negotiation, there are several potential sticking points on the horizon, particularly with regard to the UK’s desire to reach a long-term agreement that would seemingly allow it to forge its own path on data protection while still being recognised by the EU. Will the EU accept such an agreement? And on what terms? If the UK is insistent that a post-Brexit “settlement” contain these talks, the whole process of getting a deal done in the first place could be held up.
There are also issues around what safeguards both sides will want to see in place after the UK leaves, to ensure that the data of their citizens is held properly. The EU has made its goal of protecting EU data central to these negotiations, so it could be hard for the UK’s data protection regime to distance itself from that of the EU without some objections. The jurisdiction of the ECJ will also be contentious. One of Theresa May’s bright red lines means we know that the British Government will not want the ECJ to have jurisdiction over questions of law raised under the GDPR.
As always, the devil is in the detail. Just how close together the two sides really are on these issues will become clear over the coming months, as the future data sharing relationship that so many businesses will come to rely on is thrashed out.
For those readers interested, a copy of the EU’s paper can be viewed here:
And the UK’s, here:
Case Law Updates
ECJ to rule on legality of the UK’s mass digital surveillance powers
The Investigatory Powers Tribunal (IPT) has ruled that a referral should be made to the ECJ concerning the legality of the UK’s mass digital surveillance powers. This ruling comes as a result of a challenge brought by Privacy International, a campaign group, questioning the legality of the UK’s bulk collection of communications data, tracking individuals’ use of the internet, as well as their email, texts and calls by Government organisations like GCHQ, in light of the Watson ruling in December 2016.
The Watson case was brought to the ECJ jointly by David Davis MP and Tom Watson MP back in 2014. In its decision, the ECJ clearly ruled that the data collection powers outlined in the Data Protection and Investigatory Powers Act 2014 (DRIPA) were incompatible with the privacy protections of the EU Charter of Fundamental Rights. In particular, “general and indiscriminate retention” of data by governments was not considered lawful under EU law.
But the IPT’s ruling also bolstered the Government’s position, stating that the bulk collection of communications data was “essential to the protection of the national security of the United Kingdom”. So the question of whether such data gathering could, in fact, be justified in the face of a clear national security objective will be sent to the ECJ. This will certainly be an issue of fundamental political importance.
Unfortunately, it is likely to take several years before a final ruling is reached as the IPT refused to expedite the case to the ECJ. So it is unlikely to be settled before Brexit, leaving the legal status of any future ruling by the ECJ on the case in doubt.
Annual review of the Privacy Shield agreement underway
On 21 September 2017, the European Commission and the US government’s Department of Commerce concluded their review of the Privacy Shield agreement. Privacy Shield is the framework which allows companies to move European data to the US with (relative) ease, replacing the Safe Harbour arrangement that was dismantled by the ECJ in 2015.
It passed the review. In a joint statement from the US Secretary of Commerce Ross and Commissioner Jourová, it was declared that “the United States and the European Union share an interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”
However, Privacy Shield has drawn criticism for its lack of clarity and untested compliance mechanisms, perhaps due to its speedy negotiation and implementation following the end of the Safe Harbour arrangement. But will it survive further pressure as positions on either side of the Atlantic drift apart?
The European Data Protection Supervisor, Giovanni Buttarelli, has previously stated in an interview that Privacy Shield was “an interim instrument for the short-term. Something more robust needs to be conceived.” Issues raised by the EU’s Article 29 Working Party (WP29) during Privacy Shield’s negotiation include the US’s “massive and indiscriminate collection of personal data originating from the EU” (although this data is only strictly accessible for the purposes of national security and law enforcement) and the independence and powers of the ombudsperson responsible for overseeing the agreement in the US. WP29 has stated that it may present a separate public report and an updated assessment of the Privacy Shield.
There may also be some worrying signs that the Trump administration is not fully committed to EU data protection standards. The US has yet to set up a permanent ombudsperson to which EU citizens can complain about rights violations. Jourová said the EU Commission would not “wait forever” for this to be settled. The nomination of Adam Klein, who has previously come out in support of warrantless mass-surveillance in the US, as the new chair of the US government’s Privacy and Civil Liberties Oversight Board will also do little to address EU concerns about bulk data collection.
Privacy Shield has numerous issues that still need to be addressed, and has not yet come under the scrutiny of the ECJ. The EU’s highest court has demonstrated that it is prepared to rule in favour of individual privacy protections, such as in the above-mentioned Watson ruling.
This round of negotiations needed to whip Privacy Shield into shape, or risk a transatlantic business crisis. Although another breakdown in US-EU data transfer has been avoided, the question remains whether enough has been done to avoid a collapse in future.