These slides provide an overview of the personal data relationship between the UK and EU after Brexit. Under the Trade and Cooperation Agreement, the UK will have the closest connection with the EU here outside the European Economic Area and Switzerland. This is especially clear in the area of justice and security, where there is very extensive provision for data exchange based on common standards. However, in the general area of data protection the framework only points to mutual adequacy. Even with the evolving formulation of this as “essential equivalence”, significant flexibility is retained, and this may ultimately result in more substantive divergence than EU-Switzerland given the UK’s more distinct data protection approach. Common bona fide implementation of the Council of Europe’s Data Protection Convention 108+ may provide a good lodestar in the medium term, and I very tentatively map out what this could mean for default standards in the UK related to sensitive data and integrity, and also for specific substantive restrictions to ensure a more graduated approach and reconciliation with other competing rights.
2. Introduction
Personal data framework an important part of the negotiations.
Trade and Cooperation Agreement (TCA) dual approach:
1. Broad exchange of justice & security data, based on extensive common safeguards.
2. Mutual adequacy otherwise, with significant discretion on the part of both parties.
Structurally the UK may look like Switzerland, but different DP culture & so can expect more divergence.
3. Justice & Security: Broad Exchange
Exchange of:
DNA*
Fingerprint*
Vehicle Registration*
Passenger Name Record
Europol & Eurojust Cooperation
But not Schengen Information System or EURODAC.
* = Prüm data
4. Justice & Security: Strong Safeguards
Common Standards e.g.
Accuracy,
Necessity,
Time-limitation,
Security including data breaches.
Procedural:
National contact point (but emphasis on 24/7 access),
DPA oversight,
Prüm evaluation visit.
Feb 2021: EU Commission proposes to adopt first ever “adequacy” decision under Law Enforcement Directive 2016/680.
5. General DP: Towards Mutual Adequacy?
UK: Adequacy granted to all EU/EEA countries (as well as all countries granted adequacy by EU) (DPA 2018, Sch. 21, para. 4)
EU:
FINPROV.10A deems UK not a 3rd country under DP for 4-6 months (so long as no significant unilateral change to DP law).
But ends whenever Decision to grant UK GDPR Adequacy.
Feb. 2021: EU Commission produces draft Adequacy Decision.
6. GDPR Adequacy is not a UK-EU DP Union
Not fully seamless free flow:
Not necessarily stable (see Schrems I & II re: US partial decisions)
Comes with specific transparency requirements,
Comes with specific documentation requirements,
May be requirement to follow local law (if targeting goods & services).
Not about identity but “essential equivalence”:
Mentions e.g. Israel and New Zealand here (despite doubts present).
GDPR Recital 105 also emphasises CoE DP Convention 108.
“[D]oes not require a point-to-point replication of EU rules. Rather the test lies in whether, through the substance of privacy rights and the effective implementation, enforceability and supervision, the foreign system concerned as a whole delivers the required high level of protection.”
European Commission (COM (2017) 7 Final)
7. The New UK DP Framework
DP, Privacy & E-Communications (Amendments) Regs 2019 preserve GDPR, DPA 2018 & e-Privacy framework apart from:
EU Charter right to DP not retained,
Regulatory consistency and cooperation not continued,
Status of Court of Justice case law (especially future) altered.
Adequacy assessments carried out on that basis.
Brexiteers like Gove and Whittingdale critical of EU approach.
TCA generally preserves wide discretion here:
“The Parties reaffirm their right to regulate within their territories to achieve legitimate policy objectives, such as … privacy and data protection” (DIGIT.3, Right to regulate)
8. Discretion within Adequacy Boundary
Degree of change unclear (esp. as big business likes consistency).
Lodestar must be mutual adequacy & bona fide implementation of updated CoE Data Protection Convention 108+.
Comparison between Convention 108+ & EU Framework provides good indication of what might be possible.
Broadly conforms to A29WP 2017 GDPR Adequacy Referential.
9. Substantive Divergence e.g. on Sensitive Data?
Scope:
Both adopt categorical approach & only minor differences.
But Convention 108+ usually also requires a sensitive purpose.
Rules:
GDPR: General prohibition absent waiver or weighty public interest & safeguards (A. 9)
Convention 108+: Law with appropriate safeguards.
“The processing of: … personal data for the information they reveal … shall only be allowed where appropriate safeguards are enshrined in law.”
10. Integrity Provisions Divergence?
Security (DPA Breach):
Rules on: Processor, Joint Control
Breach Regime: DPA, Subject, Public
Accountability:
DP Officer, Documentation, Impact Assess., Prior Consult
Export Control:
Export Rules: Closed list of mechanisms
11. Deeper & More Flexible Restrictions?
Restrictions clause of Convention 108+ wider than GDPR.
Arguably this could ground more far-reaching limitation of DP with focus on “misuse” in areas of low risk.
Swedish Personal DP Act Amendment 2007 one precursor to this:
“[Ordinary substantive data norms] need not be applied when processing personal data that is not included in or intended to be included in a collection of personal data which has been structured in order to evidently facilitate search for or compilation of personal data. Processing referred to in the first paragraph must not be conducted if it entails a violation of the privacy/integrity of the data subject.”
12. Conclusions
Post-Brexit UK has the closest personal data relationship with EU/EEA other than perhaps Switzerland.
Indeed, unlike Switzerland there is a UK-EU PNR Agreement and plans for LED Adequacy.
But Swiss stance on data protection closer to EU norm.
A number within the UK have been more sceptical of the EU approach.
May therefore expect some more divergence, but imperative within context of mutual adequacy and Convention 108+.