No Privacy Shield, No Parachute?: The Brexit Cliff Edge and Data Regulation

Recent weeks have seen turmoil for Theresa May and her government. International Development Secretary Priti Patel and Defense Secretary Michael Fallon both resigned, and First Secretary of State Damian Green is under investigation for allegations of inappropriate sexual behavior.

Furthermore, May’s leadership of the Conservative Party is being challenged by a potential confidence vote, supported by 40 members of parliament.

And then there’s Brexit, which is to say the perceived breakdown in Brexecution negotiations with the EU. Planned negotiations have slowed and the European Union continues a protracted fight with the U.K. over the amount of money that the United Kingdom owes the EU upon departure (the so-called “divorce bill”). May has recently offered the EU £40 billion in an attempt to move negotiations along, but talks have so deteriorated that some in May’s government—and the EU Chief Negotiator Michel Barnier—doubt that negotiations will progress into a second phase by December 2017.

There appear to be two separate baskets of reasons for the faltering Brexit negotiations. The first basket involves certain urgent topics such as the divorce bill, the Great Repeal Bill, and the worrisome delay of trade negotiations. The second basket involves negotiating items that seem less urgent but nonetheless very important to one party or the other. These include the future of data transfers between the U.K. and third party countries. While the House of Commons handles the Great Repeal Bill—the domestic law that repeals the European Communities Act of 1972, thus rendering EU law inapplicable to the U.K. and transposing chosen and amended portions of EU law into U.K. law—this latter topic is being debated in the House of Lords.

On Sept. 13, 2017, Member of Parliament Thomas Ashton introduced HL Bill 66, or the Data Protection Bill 2017–2019 (DPB), in the House of Lords. The first act regulating the processing of personal data since the Data Protection Act 1998, the DPB is not only significant in its codification of updated provisions about the processing of information relating to individuals; it is also significant in its incorporation of the EU’s new data regulations into U.K. law. To wit, the bill incorporates the General Data Protection Regulation (GDPR) and the Police and Criminal Justice Directive (PCJ Directive). Discussed in more detail in an accompanying Lawfare post, the contents of the DPB and its relationship to the GDPR are particularly important as Brexit looms ever closer, because without harmonization of EU and U.K. data protection law, the U.K. would become a problem child to the EU, much as the United States already is, with respect to data transfers involving the data of EU nationals.

The Functions and Volume of Data Transmission from the U.K.

Cross-border data flows between the EU and the U.K. are integral to international commerce and security. According to a 2017 Frontier Economics report commissioned by techUK, 75 percent of U.K. cross-border data flows are with the EU. Moreover, the report highlights that the U.K. is responsible for 12 percent of global cross-border data flows in 2015. Finally, the report notes that cross-border data flows for the U.K. increased 28-fold between 2005 and 2015, and are anticipated to grow another five-fold by the end of 2021. The importance of a smooth channel through which data can be transferred is essential to comprehensive multilateral cooperation.

Apart from the volume of data shared, according to the U.K. government, sharing personal data is “crucial to the EU’s ongoing work across the continent to protect citizens, in which the UK plays an integral role.” As stated in the National Crime Agency’s Suspicious Activity Reports (SARs) Annual Report 2017, between October 2015 and March 2017, the U.K. Financial Intelligence Unit (UKFIU) received 2,096 requests from international partners for financial intelligence. At least 635 of these requests were from EU member states or financial intelligence units in the EU. During that same time period, the UKFIU proactively disseminated 500 pieces of financial intelligence to international financial intelligence units, 174 of which went to Europol. With U.K. data sharing being so important to domestic and transnational commerce and security, new regulations such as the GDPR could create waves in the U.K.’s data sharing framework if the government does not carefully prepare for its effects now.

Coming into effect on May 25, 2018, the GDPR restricts the flow of personal data outside the EU by allowing transfers to third countries or international organizations only when the relevant controller (the entity that determines the purposes, conditions or means of data processing) or processor is in full compliance with the conditions laid down in the provisions of the GDPR. As the GDPR will enter into effect prior to the U.K.’s exit from the EU, the GDPR’s initial effects on the U.K. will be no different from its effects on any other EU member state. In the time between May 25 and implementation of the Great Repeal Bill, the GDPR will operate in tandem with the DPB. However, as soon as the U.K. leaves the EU, there is, as Member of Parliament Michael Jay has expressed, “a fly in this particular ointment.” Although GDPR Articles 44 and 45 include adequacy decisions for third countries—whereby the European Commission (EC) can deem another nation’s data protection policy “adequate” for the purposes of sharing data to and from the EU—the GDPR does not automatically provide such decisions for countries exiting the EU. As adequacy decisions can take time—the EC has adopted twelve such decisions thus far—“the chances of having an adequacy decision in place by March 2019 [Brexit day] are small.” Thus, many have called the the potential that the U.K. could not yet have a data sharing agreement in place by Brexit day a “cliff edge.” With the help of key derogations from the GDPR and possible transitional arrangements, Prime Minister May has said that “[t]he same rules and laws will apply on the day after exit as on the day before.”

There’s just one problem: it’s not that simple.

EU Legal Framework

The principal piece of EU data protection law is the 1995 Data Protection Directive (DPD). Providing for the protection of individuals in the processing of personal data, the 1995 Directive is supplemented by the 2002 e-Privacy Directive, which governs electronic communications. The principles contained within these two reference texts are emblematic of the EU’s values surrounding privacy—as a fundamental right. Further entrenching this value, Article 8 of the 2009 EU Charter of Fundamental Rights states, “Everyone has the right to the protection of personal data concerning him or her.” Despite the EU Charter of Fundamental Rights’ central role in EU data protection law, Section 5.4 of the U.K. Great Repeal Bill disavows it: “The Charter of Fundamental Rights is not part of domestic law on or after exit day.”

In 2012, the EC proposed reform of existing data protection legislation to both make it more relevant to current technology and to create data protection rights across Europe. To better understand how this reform effort, in concert with changing EU perspectives on data privacy, catalyzed the creations of the GDPR and the PCJ Directive, it is important to understand several recent cases in the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU).

A brief summary. In 2008 in K.U. v. Finland, the ECHR interpreted Article 8 of the EU Charter of Fundamental Rights to apply to data privacy. In 2015, in Maximillian Schrems v. Data Protection Commissioner, the CJEU determined that “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” This case not only invalidated the U.S.-EU Safe Harbor Agreement, but it also established the EU’s right to review a third state’s data security policies. The following year, in Tele2Sverige and Watson and Others, the CJEU held that indiscriminate data retention laws are impermissible under EU privacy legislation. (Andrew Keane Woods summarized the implications of the Tele2Sverige and Watson and Others judgment Lawfare last December.) This judgment was directed at two cases: one brought in 2014 concerning the U.K.’s Data Protection and Investigatory Powers Act of 2014 (DRIPA), and the other concerning a challenge to a Swedish order mandating that a company retain user-related data. The challenges asked the court to reconsider the scope of its previous judgment in Digital Rights Ireland which stated that DRIPA “exceeds the limit of what is strictly necessary and cannot be considered to be justified within a democratic society,” it did not preclude an EU member state from “adopting legislation permitting, as a preventative measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited ... to what is strictly necessary.” (If you want more of the framework for EU data protection, the EC provides a more thorough list.)

U.K. Legal Framework

As an EU member state, the U.K. incorporates, in most cases, EU law into its domestic legal framework under the authority of the European Communities Act of 1972. The U.K. incorporated the EU’s data protection law, the DPD, through its Data Protection Act of 1998 (DPA), which the proposed DPB will repeal. Similarly, the U.K. implemented the EU’s e-Privacy Directive by way of the Privacy and Electronic Communications Regulations (PECR). The DPA and PECR work alongside each other to regulate data processing and protect people’s privacy, with the DPA applying to the processing of personal data and the PECR setting out additional rules and granting specific privacy rights in relation to electronic communications. As the arm of the U.K. government charged with upholding information rights in the public interest, the Information Commissioner's Office (ICO) oversees the implementation of a number of legislative acts—including both the DPA and PECR. The ICO is therefore the office with which data controllers must register in order to process individuals’ data.

A final piece of law coloring the U.K.’s current data protection landscape is the Investigatory Powers Act of 2016 (IPA). Granted royal assent on Nov. 29, 2016, the IPA consolidates the power of law enforcement, security and intelligence agencies to aggregate communications; creates an investigatory powers commissioner to oversee how surveillance powers are used; creates a “double-lock” for interception warrants whereby both the secretary of state and a judge must authorize a warrant before it comes into force; enables the government to use a range of surveillance tools domestically; and allows law enforcement to retain internet connection records. Notably, the IPA is DRIPA’s successor. The IPA has been met with much resistance; in particular, U.K. civil liberties and human rights organization, Liberty, launched a legal challenge asking for judicial review of the IPA’s bulk surveillance powers. For the government’s part, Minister of State for Digital and Culture, Matthew Hancock, has said that the government is “confident that the Investigatory Powers Act is consistent with the GDPR.”

It is within this framework that the DPB is currently being debated.

As mentioned above, the DPB introduces a number of provisions designed to update the U.K.’s domestic data policy and prepare the country for the implementation of the GDPR and the PCJ directive. Specifically, it examines general data processing, law enforcement data processing, data processing for intelligence purposes and regulatory issues. Several proposed additions to U.K. canon include the right to be forgotten, a right to data portability, and a right to know when ones data has been hacked. For more information on the DPB, see Hayley's separate summary.

The U.K. and EU frameworks are not immediately compatible. With the Great Repeal Bill on the horizon, the GDPR will be transposed into U.K. law but “anglicised...with other modifications that are dependent on the future negotiations with the EU,” as the government has stated. There is no built-in bridge between the domestic version of the GDPR and the EU GDPR enforcement mechanisms; for example, instead of preemptively designing a collaborative process for enforcement, the U.K. government plans to rely on the GDPR’s extraterritoriality provisions to force the appointment of a U.K. data representative. But what of the dependence on future negotiations? There are a number of legal relationships that must be rebuilt or reconciled between the U.K. and the EU before the GDPR will tolerate data exchanges with the U.K. The IPA, as controversial domestic policy, is just one example of the principled differences that may preclude an adequacy decision for the U.K.

Current U.K. Policy Position

The principle sources outlining the U.K. Government’s formal positioning on a data sharing post-Brexit are found in the Aug. 24 position paper entitled “The exchange and protection of personal data: A Future Partnership Paper” and an Oct. 10 House of Commons Library briefing paper entitled “Brexit and data protection.”

The Future Partnership Paper (FPP) describes the government’s vision for a future partnership with the EU—one that is “new, deep and special.” In order to govern the continued free flow of personal data between the U.K. and the EU, the paper speaks of “build[ing] on the existing adequacy model” in two key respects: regulatory cooperation and certainty and stability. For regulatory cooperation, the FPP suggests that the U.K.’s ICO could maintain an ongoing role in EU regulatory fora, allowing the ICO to “support cross-border business and activity between the U.K. and the EU by promoting a common understanding of the regulatory challenges and issues faced by businesses, the public sector and individuals.”

Regarding certainty and stability, the FPP suggests that the U.K. and the EU “agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK” Notably, the U.K. wants to ensure that “flows of data between the UK and third countries with existing EU adequacy decisions can continue on the same basis after the U.K.’s withdrawal, given such transfers could conceivably include EU data” (emphasis added). It is unclear whether the EU will be amenable to such a proposition, as it appears to be a potential workaround to obtaining some EU data notwithstanding the existence—or nonexistence—of an adequacy determination.

For its part, the EU appears to stand firm on its desire for the GDPR and other EU data standards to apply (without modification) in U.K. after Brexit. EC President Jean-Claude Juncker reviewed the August Brexit policy papers—including the FPP—and found them insufficient. Martin Selmayr, Juncker’s chief of staff, has tweeted that EU data protection standards should be retained in full by the U.K. after Brexit in order to preserve data-flows.

U.K. and U.S. Data Sharing: Privacy Shield and the Umbrella Agreement

Shifting our focus away from the continent: what will Brexit mean for the flow of data between the U.K. and the U.S.? For better or for worse, the U.K.’s “divorce” from the EU will make it a third party for the purposes of the agreements currently facilitating data transfers between the EU and the U.S., namely Privacy Shield and the Data Protection and Privacy Agreement (Umbrella Agreement). Likewise, the U.S. will be a third party for the purposes of U.K. law. Without a plan in place, the U.K. and the U.S. risk burdening the commercial and law enforcement data transfer processes to the detriment of both countries. But not much has been proposed in the way of feasible legal solutions.

The EU-U.S. Privacy Shield is an agreement regulating the terms of transatlantic data transfers; the 2016 Umbrella Agreement does the same but applies to data transfers in the service of law enforcement cooperation. Within Privacy Shield and the Umbrella Agreement itself, there is no ready mechanism through which the U.K. might be grandfathered in. The U.K. has a few options to mitigate a situation in which data transfers between the U.K. and the U.S. are abruptly stymied on Brexit day: developing a new Privacy Shield and Umbrella agreement with the U.S.; including data protection principles in a new U.S.-U.K. free trade agreement; or relying on the market to develop and enforce SCCs and BCRs. In each of these new arrangements, the U.K. will have to keep in mind obligations it has made, or intends to make, to maintain its data sharing relationship with the EU. In essence, GDPR standards may flow through to any U.S.-U.K. arrangement if the U.K. wants to receive and maintain an EC adequacy determination.

Negotiating a new deal with the U.S. may seem like an effective way to prevent a fall off of the proverbial Brexit cliff edge. U.K. Minister for Digital Matthew Hancock has been optimistic, exclaiming his confidence in a potential agreement with the U.S. to maintain the “same unhindered flow of data.” But, as with all of the options requiring the negotiation of an international agreement, the U.K. may not have the authority to negotiate a new treaty on its own; until Mar. 2019, the EU retains exclusive competence in policy affecting trade in goods and services and shared competence in the areas of social policy, consumer protection and security trade and service.

Notwithstanding that uncertainty, the Swiss-U.S. Privacy Shield framework may be a good model for a future U.K.-U.S. agreement. The Swiss-U.S. Privacy Shield is aligned with the EU-U.S. Privacy Shield, save for a few exceptions: The Swiss don’t allow companies a grace period during which they can revise controller agreements to mandate assurances that third-party controllers are complying with the Swiss Privacy Shield, which means that assurances need to happen before certification; “sensitive data” is defined differently in the Swiss agreement; and the Swiss provide a binding arbitration agreement for dispute resolution. What this means is that it would be possible for the U.K. to negotiate a new agreement with the U.S. that is largely, but not strictly, in compliance with the EU-U.S. Privacy Shield agreement, thus mitigating the potential to run afoul of EU regulations.

While seemingly efficient, the option to incorporate data transfer policies into a new free trade agreement (FTA) may backfire. Trade agreements take a long time to finalize—consider that the U.S.-Korea FTA took a total of five years to go into effect, including a year to negotiate and another four years to achieve ratification by both U.S. and South Korean legislative bodies—and one is unlikely to materialize before Brexit day for the competence reasons referenced above. Thus, the period before the finalization of an FTA will be rife with the same problems as a not having a deal in place at all.

The final possibility is that the U.K. and the U.S. rely on SCCs and BCRs as described above. For the same reasons the House of Lords has pushed back on the reliance on SCCs and BCRs in the U.K.-EU context, this is a less-than-ideal solution here. Efficiency is lost without a broader adequacy decision and piecemeal determinations open the door to inconsistency and complication. Furthermore, relying on this remedy alone will not patch the holes created in the law enforcement cooperation realm, opening the U.K. up to slow personal data sharing in, among other important realms, terrorism investigations.

As things stand, the DPB provides some infrastructure that would buoy the status-quo in the absence of Privacy Shield and the Umbrella agreement. General data transfers are discussed in Part 2, Chapter 2 (Section 17-18) of the DPB and data transfers for law enforcement purposes are discussed in Part 3, Chapter 5 (Sections 71-76) of the DPB. These provisions allow for potentially helpful derogations from the GDPR that enable the processing of data when specific justifications exist. These justifications are broad, largely hinging on “important reasons of public interest.” The resulting policies may alleviate some concern about the U.S. being a third party to U.K. regulators. For example, among other authority described above, Section 17 of the DPB gives the U.K. secretary of state the authority to regulate transfers that fall under the GDPR including the power to invoke derogations for public interest and to restrict transfers that are not authorized by a GDPR adequacy decision. In Sections 70-76, the DPB requires that the transfers to a third party for law enforcement purposes are authorized under an EU adequacy decision, or in the absence of that, the presence of appropriate safeguards or special circumstances meriting the transfer. This includes situations requiring the protection of the “vital interests” of the data subject or another, the legitimate interests of the data subject, the prevention of a serious threat to public security, or for any law enforcement or legal purposes in individual cases. This means is that the U.K., for law enforcement purposes, may transfer data to the U.S. as long as the U.S. is party to Privacy Shield (an adequacy decision) or the other requirements are met.

The DPB is far from a panacea for anticipated post-Brexit complications and the bill’s primary function will be to shore-up U.K. data policy for GDPR implementation. Ultimately, what is most striking about the potential Brexit disruption to the U.K.-U.S. data transfer relationship is the uncertainty that persists almost eight months after the invocation of Article 50.