Brexit: catching up on data

27/12/2019

All of a sudden, in the media no-man's land between Christmas and the New Year, the "elephant in the room" of data protection has reared its head, finding its way onto the front page of The Times with the legend: "Brussels threat to block City trade unless UK agrees to Europe's rules".

According to this source, the EU is about to threaten "to block the City of London's access to European markets" in what the paper calls "an opening salvo of post-Brexit trade talks in the new year". "EU chiefs", the paper says, are also "warning Downing Street that they could put up barriers to data flows vital to British commerce", putting at risk UK financial services that account for seven percent of Britain's output.

As it stands, the UK has already implemented the EU's general data protection regulation (GDPR) into British law, but there are concerns about the processing of personal data for law enforcement purposes in the UK, in particular about how British intelligence agencies handle personal data collected in the EU, and whether the UK would comply with EU rules on surveillance.

The main potential problem here is the UK's Investigatory Powers Act 2016, which allows for broad interception, interference and communications acquisition powers. This Act may contravene the human rights element which the GDPR is based upon risking the ability of a fast adequacy decision.

Once the UK leaves the EU, the position could deteriorate further, if the UK abandons the EU's regulation altogether, or if changes to the UK's data protection laws in the transition period require the European Commission to reset or review parts of its assessment, increasing the time it takes to grant adequacy.

So far, the UK has asked for special arrangements to keep data flowing between the EU after Brexit, stating that it does not want to be subject to a regime which could be struck down by the Commission or EU judges. Commission officials have dismissed British demands which, under the Johnson regime, could prove a further stumbling block.

But this is hardly a new issue and, for all the Times's assertions, it is not directly related to the coming trade talks. As we pointed out in August and many times before that, this is about the EU deciding whether the UK's post-Brexit rules on data protection are "adequate" in terms of protection of personal data, and "equivalent" in effect to EU rules when it comes to controlling financial services.

To be fair, the trade organisation TechUK has been explaining that a deal is critical for scores of businesses, especially in the tech, health and insurance sectors, which regularly transfer data - including bank details and other personal information - to and from the continent for analysis or processing.

TechUK is now being featured in a report in the Financial Times, informing us that more than three-quarters of UK data transfers are with EU countries, underlining the importance of the issue.

But the key element of the FT story is that the UK is at the "end of the queue", when it comes to negotiating these data deals. Wojciech Wiewiorowski, the EU’s new data protection supervisor, warns that we're 13th in line, with the transition window "tight".

By the end of the period, when EU regulations cease to have effect, we will need both adequacy and equivalency decisions in place yet, as TechUK points out, the shortest time an adequacy decision has been completed was in 18 months, and that was with Argentina.

Says the FT, officials in Brussels have warned several times that assessing the UK's data adequacy will be a lengthy process and that the issue may fall down the list of priorities in the wider negotiations. Wiewiorowski's predecessor, Giovanni Buttarelli, also warned that reaching a deal "could take years".

That warning was conveyed in the Financial Times last February when Buttarelli said that the process could drag on for years as EU authorities would have to scrutinise how British spying agencies and the government handled the personal data of citizens and whether the UK met Europe's robust standards on surveillance.

"Adequacy could take years. We will have to assess law enforcement bodies", he said. "Adequacy findings take a lot of work even if [the UK] is fully compliant with the GDPR", adding that, "A divorce is a divorce, so you need time before re-establishing certain relationships. Once you are out, it is all more complicated".

Wiewiorowski, however, does not say that decisions are not realistic within the transition period. It is still possible, he concedes, but it will be "hard". "Talking about deadlines is not an easy thing", he says.

According to The Times, which has access to a restricted document, internal talks with the UK will begin in two weeks' time. But the paper casts them in confrontational terms, claiming that EU negotiators will use the threat of unilaterally restricting or limiting access as "leverage" to force the UK to align with European regulations.

It cites one of those anonymous senior European diplomatic sources, who obligingly says: "These are both big levers for the EU. Both data adequacy and equivalence are decisions under our direct control, decisions that can be reversed at any time and that will be linked to progress in the wider negotiations".

In fact, these decisions are supposed to be based on technical assessments which are not open to negotiation as such.

If the European Commission decides, on the basis of its evaluation, that national legislation is in place which will ensure the transfer of data in a manner that complies with GDPR rules, the Commission will allow businesses to transfer personal data within the EEA and between the 13 other countries the EU has full or partial adequacy agreements, without having to provide extra reassurances, known as "appropriate safeguards".

The Times, however, argues that the EU has used the decision-making process as an explicitly political lever to threaten Switzerland in trade treaty talks. Relying on its "restricted document", it claims that the EU has been using a strategy that is directly linked to the forthcoming "decisive phase regarding Brexit".

Yet, apart from this unattributed document, there is no evidence that the Commission is acting in this way. What actually has been happening is that Swiss provisions have been recognised by the EU as adequate but that required the revision of Federal law to bring them into line.

For the Commission to act politically, or to impose conditionality not allowed for in the regulation, would presumably breach the provisions of the GDPR, set out in Article 45, opening it up to challenge in the ECJ – an ironic situation for the UK, which wants the European court to be taken out of the picture.

Currently, in addition to Switzerland, the Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with South Korea.

If the UK wants a favourable decision, it will have to follow the prescribed procedures and ensure that national data protection law complies with the provisions of Article 45. And if that is a matter of law, post-Brexit the UK is free to reject it, but there will be consequences.