Data protection lawyers and specialists have long been used to their area of expertise being treated as a rather mould-infested and irritating area of the law, like champerty but with more Schedules. Amongst other things, Brexit seems to have caused a bit of an upsurge in interest in how cross-border data flows are going to be managed in the brave new world. (Panopticon has seen articles in the last few months mentioning the GDPR and data protection after Brexit in the LRB and Private Eye, which is a bit like unexpectedly finding your girlfriend on page 3 of the Sun and the New Left Review on the same day.) HM Government have also recognised the importance of the issue, and have today published their position paper entitled ‘The exchange and protection of personal data’.It is fair to say that the 15 pages that you print off are not ram-packed (to use Mr Corbyn’s famed train-based term) with unexpected surprises, or indeed a huge amount of detail. There will doubtless be complaints about this, but to be fair, what the UK would like from the EU in the data protection is hardly rocket science. It spends a good deal of space explaining the importance of ensuring good levels of data protection, and enabling cross-border data flows, whilst also making quite an effort to emphasise how keen the UK has been, and still is, on being at the forefront of data protection. It even suggests that the DPA 1998 implemented the Directive beyond the minimum required; perfectly fairly it points out that the DPA didn’t have to cover law enforcement data processing but chose to do so, and surely our European friends will not be so impolite as to note, for example, the need for the Court of Appeal to strike down bits of the DPA as not properly implementing the Directive in Vidal-Hall…
What, then, does HMG say it wants? Well, as indicated above, nothing very unexpected. After a bit of faffing, it is clear that it wants a formal adequacy decision from the Commission (at least on a transitional basis for a specified length of time) to allow cross-border data transfers out of the EU into the UK without the need to rely on the fiddly and complicated alternatives. That this ought to be simple is justified on the, not unreasonable, grounds that the UK will have implemented the GDPR by the time of Brexit and so the UK will be in a position where it is already providing EU-standards of protection. Very generously, the UK offers to recognise the EU as providing adequate levels of protection in return. Doubtless the Commission will wish to see what the Data Protection Bill looks like when it is published before it commits to anything, but no-one is expecting an early resolution of any Brexit issue.
The UK would also like confirmation that it can rely on the existing adequacy decisions of the Commission in relation to (other) third states. That is more unusual, but one can see in principle the logic of, providing that the UK is applying the standards expected of its regulator and courts outlined in Schrems whereby complaints about adequacy have to actually be examined.
Finally, although it is put first, the UK would also like to agree an arrangement whereby the Information Commissioner retains some sort of seat within the new European Data Protection Board (not a term the paper uses) to ensure ICO involvement in future EU regulatory dialogue. How open the EU is to this remains to be seen, and it probably depends on what sort of participation is sought. No doubt the EU may baulk at allowing the UK a full seat at the club table when it has left the club, but it is a reasonable question to ask and there are obvious regulatory advantages from not locking the door and making the ICO sit outside and meow through window. Perhaps one of those placatory ministerial posts where they officially ‘attend Cabinet’ but aren’t actually a Cabinet member would be a useful analogy.
How likely is all of this? Who knows. The EU Commission has not yet published an equivalent paper, although they have been admirably transparent so far and so doubtless one will come before long. We may then sense how far apart the positions are.
Clearly the adequacy decision will be the most important issue. The EU’s big card – apart from the obvious one that we need a decision from them – is that adequacy decisions normally take time, and the UK can’t afford a data protection cliff edge; that is why the UK is pitching in the first instance for a transitional deal based on us having EU law already in place at the point of exit. There are certain obvious presentational points in the UK’s favour in this respect; while the UK is currently far from perfect on all elements of data protection (and the Bill will be imperfect too, because life is imperfect), the Commission has awarded adequacy decisions to countries and territories with a far greater degree of data protection divergence than the UK will have. Are issues posed by the Investigatory Powers Act 2016 and the Watson/Tele2 judgment really insoluable? The best analogy will be the adequacy decisions for Jersey, Guernsey and the Isle of Man: not EU Member States but where legal regimes have been implemented which are basically transplants of the DPA. If it was good enough for them, why not the UK? What about respecting the rulings of the CJEU in the future? Well, what about it? The Commission has not required that countries like Argentina, New Zealand and Israel comply with every CJEU judgment on personal data in order to obtain an adequacy decision, for the obvious reason that no third country would agree to bind itself to the rulings of a court it has nothing to do with in respect of a legal regime it has not implemented. The adequacy regime is precisely that: it looks for a level of adequacy; it does not (and could not) impose global uniformity.
But the Brexit negotiations are not about law, or even logic. They are about politics and have more layers than a very old tree. Nothing will be easy. We are in new territory and while everyone agrees that sorting out data protection post-Brexit is important, how that is done and what is prioritised will be determined by more things than are dreamt of in your philosophy.
Christopher Knight