Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
The U.K.'s Data Protection Bill reflects the government’s desire to maintain international data flows with the European Union post-Brexit, but its confidence that U.K. surveillance laws won’t pose an obstacle to continuing data flows will only become apparent when the Brexit negotiations turn to data protection issues, the author writes.
By Rohan Massey
Rohan Massey is a partner at Ropes & Gray LLP in London and leads the firm’s privacy and cybersecurity practice in Europe.
By Rohan Massey
The U.K. government has produced a response to the House of Lords’ European Union Committee’s Brexit: EU Data Protection Package Report which was published on July 18, 2017. The Department for Digital, Culture Media & Sport’s position may be seen as generic rather than detailed in addressing some of the conditions raised by the Lords and in supporting the assurances as to the U.K. government’s commitment to continued alignment with the EU on data protection issues and maintaining a strong influence on international data protection standards.
The government, of course, acknowledges the importance of sharing personal data for commercial purposes and wider cooperation, with the prospect of any friction around data transfers presenting not only a threat to security but, in the committee’s words, “a non-tariff barrier to trade, particularly in services, putting companies operating out of the U.K. at a competitive disadvantage.” In his response letter to the committee of Oct. 26, 2017, Digital & Culture Secretary Matt Hancock stated that the U.K. will continue to align its own database protection framework with that of the EU, “to enable us to forge a strong future partnership…in the interests of the both the U.K. and the EU.” As to how that might be achieved, besides taking forward in the Data Protection Bill the new EU stance for data protection in the GDPR, he refers to the government’s proposal that the U.K. and EU agree a model for protecting and exchanging personal data. The letter refers to the parliamentary discussions around the need for an “enhanced mechanism” that builds on the existing model of adequacy provided for third countries. It is a model that the government would like to see to maintain the free flow of data across the Channel along with continued regulatory cooperation whilst respecting U.K. sovereignty and not imposing unnecessary additional costs to business.
Even with the U.K.’s data protection rules aligned with those of the EU, the committee’s further concern is that if, as is likely, the EU continues to amend or update its rules, the U.K. must continue to align its data protection rules with EU rules that it no longer participates in setting. Again, the U.K. government’s answer is that it is seeking to establish a new partnership with the EU that provides for ongoing regulatory cooperation on data protection issues, that the Data Protection Act 1998 is seen as the gold standard which the government is committed to maintaining, and that the Data Protection Bill will ensure that organisations that handle personal data do so in accordance with the same set of rules as those organisations in the EU. A convincing answer to the committee’s concerns, however, is unlikely to emerge until the prospect of a new partnership with the EU, upon which regulatory cooperation is based, becomes a reality.
Another concern for the committee is that the U.K., post-Brexit, could find itself held to a higher standard by the EU as a third country than it has been as a member state. This is because it will no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the U.K.’s data protection and surveillance regime is tested before the EU Court of Justice. In his letter, Hancock merely says that the U.K. is confident that its national security legislation should not present a significant obstacle to data protection negotiations. The activities of U.K. security and intelligence agencies, he argues, are governed by one of the world’s most robust legal frameworks and oversight arrangements. This will “ensure U.K. intelligence activity adheres to strict principles of necessity and proportionality.” The letter does not refer to specific legislation, such as the Investigatory Powers Act, but again the committee’s concerns in this respect are unlikely to be allayed until “data protection negotiations” begin in earnest and yield the answers. We expect this to be in 2018.
Turning its attention to the U.S., the committee asked for assurances that the U.K. government is seriously thinking about how it can demonstrate to the EU that it has put in place arrangements with the U.S. that afford the same level of protection as the EU-U.S. Privacy Shield. The government’s assurance on this point is merely to confirm that it wants to ensure that data flow between the U.K. and third countries with EU adequacy decisions, such as the U.S., can continue on the same basis and that it will continue to work closely with the EU and other international partners to ensure the necessary safeguards for citizens’ rights are in place. There is no reference to any tangible progress in this regard which may suggest that so far little has been made, so again this may be an issue for 2018.
As to the long term, the committee discussed the prospect that an international treaty on data protection could emerge as a result of better coordination between data protection authorities in the world’s largest markets. Perhaps concerned that the U.K. will lose influence in shaping such developments by ceding its position in one of those largest markets, namely the EU, the committee urges the U.K. government to work in partnership with the EU to maintain that influence. In response, the U.K. government refers to its ambition for the U.K. to remain a global leader on data protection by promoting both the flow of data internationally and appropriate high standards. Not surprisingly, however, it acknowledges that it must continue to work closely with the EU to achieve those objectives.
From a policy perspective, the publication of a Data Protection Bill that seeks to align U.K. standards with the new EU regime and indeed run seamlessly alongside that regime when it takes effect in May 2018 reflects the U.K. government’s desire to protect international data flow. However, this position does not deal with significant concerns over the U.K.’s prospects of being granted adequacy status by the EU in a sense that such status is operable from the very day of Brexit.
The extent to which the U.K.’s national security rules impact on the privacy rights of individuals is potentially a key focus of any data protection negotiations surrounding adequacy on Brexit. Whether the U.K. government’s confidence that this will not be a significant obstacle is justified will only become apparent once negotiations have begun in earnest, as will the longer term prospects of the U.K. maintaining or regaining influence over the interpretation and continued development of international data protection standards.
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)