Open Britain Background Briefing: The Government’s position paper on “The exchange and protection of personal data”

Overview

Today, the Government published its Brexit negotiating position paper on rules governing data exchange and data protection, titled “The exchange and protection of personal data”. The paper can be found here. In the document, the Government attempts to outline its approach to future UK-EU data-sharing arrangements. The EU27 have yet to publish a negotiating paper specifically on this issue, although their position paper on “Police & judicial procedures” contains a section on data transfer. 

Open Britain’s assessment of today’s position paper identifies four key issues which the Government needs to address: 

  1. The Government is essentially proposing to keep existing EU rules for data flows in place, but without any say on how these rules are formed. This hardly amounts to “taking back control” and turns the UK from a rule-maker into a rule-taker.
  2. Being outside existing Single Market frameworks for data exchange will require EU institutional decisions as to whether the UK would adequately meet EU data rules. This means the ECJ and European Commission would continue to have a say on UK-EU data flows, which does not tally with the Government’s policy of ending the jurisdiction of the ECJ in the UK.       
  3. This being the case, it raises the question as to why the Government would want to take the UK out of the Single Market and potentially damage the British economy, when it will be unable to regain any meaningful level of judicial sovereignty.  
  4. The Government have themselves conceded that the alternatives to existing Single Market rules on data flows with the EU are less advantageous than what the UK currently enjoys due to its membership of the Single Market.

Open Britain’s Position: 

While today’s position paper provides slightly more detail than some of the other negotiating papers which the Government have published in the last fortnight, it essentially amounts to keeping existing EU rules in place, which would not end the role of the European Commission or the ECJ in deciding future UK-EU arrangements and hardly amounts to taking back control. If the ECJ is going to continue to play a role in future UK arrangements whether the UK is in the Single Market or not, there is no rationale at all for leaving the Single Market.      

In Detail

“Data flows are important for the UK and the EU economies and for wider cooperation, including on law enforcement matters…”

“After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU.”

  • Open Britain welcomes the Government’s commitment to maintaining data flows between the UK and the EU.
  • However, the best way to ensure continuity and security of data for Britain is to stay within the Single Market. This would maintain the highest degree of integration when it comes to data flows.

“The Commission has highlighted the value of the EU data economy, which was estimated to be worth €272 billion in 2015, or around two per cent of EU GDP. It has grown rapidly in recent years. External estimates suggest that its value could rise to €643 billion by 2020, more than three per cent of GDP, as long as policy and legal frameworks for the data economy are put in place…Estimates suggest that around 43 per cent of all large EU digital companies are started in the UK, and that 75 per cent of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries, and has an economy dominated by service sectors in which data and data flows are increasingly vital. The UK accounted for 11.5 per cent of global cross-border data flows in 2015, compared with 3.9 per cent of global GDP and 0.9 per cent of global population, but the value of data flows to the whole economy and the whole of society are greater still.”

“Any disruption in cross-border data flows would therefore be economically costly to both the UK and the EU. Taking EU-US data flows as a comparator, external estimates suggest that if cross-border data flows between the EU and the US were seriously disrupted, the EU’s GDP could reduce by between 0.8 and 1.3 per cent. Therefore, placing restrictions on cross-border data flows could harm both the economies of the countries implementing these policies, as well as others in the global economy.” 

“Sharing personal data is also essential for wider cooperation that helps in the fight against serious crime and terrorism. The sharing of personal data is crucial to the EU’s ongoing work across the continent to protect citizens, in which the UK plays an integral role. For example, between October 2014 and September 2015, the UK Financial Intelligence Unit (UKFIU) received 1,566 requests from international partners for financial intelligence. Of these, at least 800 came from EU Member States. In the same period, the UKFIU proactively disseminated 571 pieces of financial intelligence to international financial intelligence units, 200 of which went to Europol…”

  • Open Britain welcomes the fact that the Government has acknowledged the vital importance of data flows to both the UK’s economy and security.
  • However, the Government’s commitment to taking the UK out of the Single Market, and its lack of detail on police and judicial co-operation, puts the smoothness of these flows at risk.

“The 1995 Directive allows the Commission to formally recognise that a third country provides an ‘adequate’ level of data protection under EU law. Third countries do not formally agree or sign up to these decisions, although they are generally informed by prior discussions between the Commission and the third country regarding their domestic data protection law. Any areas where the Commission requires reassurance will require negotiation between the parties on how best to address the issues.” 

“In making its assessment of a third country’s data protection rules, the Commission will scrutinise that country’s domestic legislation and practice, as well as compliance with relevant international standards, in order to ascertain whether the data protection standards in the third country are ‘essentially equivalent’ to those applied in the EU (a test set by the CJEU in Schrems).” 

“There is no set timeframe for the adequacy decision process. Once proposed, the decision needs to be confirmed by a panel of representatives from EU Member States, and the Commission can revoke the adequacy decision in the future. Adequacy decisions may also be invalidated by the CJEU.”

  • The Government admits here that its proposed model for maintaining future data flows between the UK and the EU would rely on the judgements of EU institutions, including the European Commission and the European Court of Justice (CJEU), deciding on whether the UK would meet existing EU rules on ‘adequate’ levels of protection.
  • In reality, if the Government wants to achieve its stated objective of a ‘deep and special partnership with the European Union’, EU institutions will continue to exercise considerable power over UK Government policies on data. 
  • This being the case, the Government should reconsider its decision to withdraw the UK from the Single Market. If the Government are de facto accepting oversight from EU institutions in any case, why would they want to trade in membership of the Single Market for an inferior economic arrangement?

“The EU has recently updated its existing data protection framework (the 1995 Directive), in the form of a new General Data Protection Regulation (GDPR). This covers general processing of personal data within the scope of EU law, and a separate Data Protection Directive (DPD) relating to personal data being processed for law enforcement purposes. The UK played a full and active part in negotiations for the new GDPR and DPD, and the final text reflects a number of key UK priorities...”

“The UK’s data protection law fully implements the EU framework, and this will remain the case at the point of our exit from the EU…”

“Given that the UK will be compliant with EU data protection law and wider global data protection standards on exit, and given the important role of continued regulatory cooperation as part of a future economic relationship, the UK believes that a UK-EU model for exchanging and protecting personal data could provide for regulatory cooperation and ongoing certainty for businesses and public authorities. This could build on the existing adequacy model.”

“The UK’s data protection law will fully implement the most up-to-date EU framework, and this will remain the case at the point of the UK’s withdrawal from the EU. On this basis, the Government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and UK from the point of exit until such time as new and more permanent arrangements come into force.”

  • The Government here acknowledges the importance of EU data protection regulations, as well as the UK’s vital role in shaping those regulations as an EU member state.
  • However, the Government’s chosen Brexit path would turn the UK into a ‘rule-taker’, rather than a ‘rule-maker’. The idea of ‘taking back control’ looks increasingly distant. 

“In light of the existing alignment of our data protection frameworks, the UK also believes that a UK-EU model for exchanging and protecting personal data could provide an opportunity to give greater ongoing certainty to business and citizens in both the UK and the EU as to the rules governing future data flows, reducing the risks for business that the basis for data flows is unexpectedly changed.”

“When the UK leaves the EU, it is essential that we avoid regulatory uncertainty for businesses and public authorities in the UK, EEA, and EU adequate countries who currently enjoy an ability to transfer data freely…Ensuring certainty at the point of exit will avoid unnecessary disruption for businesses, public authorities and individuals in the UK and EU.”

  • Open Britain welcomes the Government’s desire to avoid regulatory uncertainty for business and consumers. However, the Government then needs to explain why it is increasing uncertainty, firstly by continuing to threaten to leave the EU with no deal at all, and secondly by ruling out membership of the Single Market and the Customs Union even for a transitional period.

“Underpinning this, as the UK and the EU build a new, deep and special partnership, it is essential that we agree a UK-EU model for exchanging and protecting personal data, that: maintains the free flow of personal data between the UK and the EU;  offers sufficient stability and confidence for businesses, public authorities and individuals; provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection; continues to protect the privacy of individuals; respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection; does not impose unnecessary additional costs to business; and is based on objective consideration of evidence. This could build on the existing adequacy model.” 

  • Open Britain welcomes the fact that the Government have here put forward a real proposal, in contrast with some of the more vacuous position papers they have released recently.
  • Open Britain would nevertheless wish to see more in-depth analysis by the Government on this issue before a fuller assessment can be made.

“After the UK’s withdrawal, regulatory cooperation between the UK and the EU on a range of issues will be essential, including data protection – not least because the GDPR will continue to apply to UK businesses offering goods or services to individuals in the EEA. A new relationship could therefore enable an ongoing role for the UK’s ICO in EU regulatory fora, preserving existing, valuable regulatory cooperation and building a productive partnership to tackle future challenges.” 

“...The UK would be open to exploring a model which allows the ICO to be fully involved in future EU regulatory dialogue. An ongoing role for the ICO would allow the ICO to continue to share its resources and expertise with the network of EU Data Protection Authorities, and provide a practical contribution at EU level which will benefit citizens and organisations in both the UK and the EU. Indeed, this responds to the Commission’s call to develop international co-operation mechanisms to facilitate effective cooperation and enforcement of data laws by data supervisory authorities. The UK Government will continue to have responsibility for the content and direction of data protection policy and legislation within the United Kingdom.”

  • Open Britain welcomes the fact that the Government is seeking to preserve strong links on data exchange, but queries how the Government intends to keep the ICO fully involved in EU regulatory dialogue if the UK is no longer an EU member state, or at the very least a member of the Single Market.

“As well as ensuring that data flows between the UK and the EU can continue freely, the UK also wants to make sure that flows of data between the UK and third countries with existing EU adequacy decisions can continue on the same basis after the UK’s withdrawal, given such transfers could conceivably include EU data.”

  • Open Britain welcomes the Government’s wish to maintain existing data flows with third countries which meet EU adequacy standards.
  • If the Government is keen to keep these kinds of data flows alive, specifically on the premise that they meet existing EU rules, it seems bizarre that the UK would be looking to uphold EU standards in its own future data flows. The question becomes whether this really amounts to taking back control.

“Without an adequacy decision or new model in place, it is still possible for personal data to be transferred to third countries in some circumstances. In addition to various limited derogations from the general requirements, both the GDPR and the DPD set out alternative methods of transfer, which companies and public authorities may use to transfer data to third countries in the absence of an adequacy decision…However, none of these alternatives are as wide ranging as an adequacy decision or an agreed new relationship. They can also be costly and onerous for businesses, especially for small and medium sized enterprises (SMEs). Companies may need to pay for legal advice on what alternatives would be most appropriate. Many companies may need their own customised contractual clauses drafted. These can be expensive and must be submitted for approval by EU regulators, which may take some time. Standard Contractual Clauses, as drafted by the Commission, do not require any approval but are inflexible and may not suit a particular company’s processing situation. Alternatively, businesses in the EEA wishing to transfer personal data to a UK branch could set up a Binding Corporate Rule. These also need approval by EU regulators and leading legal firms have indicated that on average they cost around £250,000 to set up. Codes of conduct and certification mechanisms are insufficient by themselves: they must be accompanied by binding and enforcing commitments, which will entail legal costs, and must be approved by the European Data Protection Board.”

“Under the DPD, transfers to a third country or international organisation for law enforcement purposes are permitted in the absence of an adequacy decision. However, unless a derogation applies, this only applies where appropriate safeguards have been provided in a legally binding instrument, for instance, for a legally binding bilateral agreement between countries. Transfers can also occur in the absence of an adequacy decision where the controller has assessed all the circumstances and considers that appropriate safeguards exist.”

“Derogations for transfers in specific situations are also provided for in the DPD, but these are limited, for example, to protect the vital interests of the data subject or another person, or for the prevention of an immediate and serious threat to public security of a Member State or a third country. However, the ability to use these alternatives and derogations is more limited than adequacy.” 

  • While the Government have highlighted alternatives to existing EU adequacy-rule models for data transfer, in the Government’s own words, all of these models would be harder to implement and more costly.