So Facebook is the latest to sign up to the Privacy Shield. Does it matter in the Brexit scheme of things?

So Facebook has signed up to the Privacy Shield and the General Data Protection Regulation will apply from 25 May 2018. But what of Brexit and its implications for all this eurobabble? As I explained to The Brief – The Times’ daily legal update, the GDPR will survive this bloody severance of the UK from the EU. If not, and DPA standards dip in the UK, we’ll need our own version of the much maligned “Privacy Shield”.

Full analysis below:

It was reported last weekend that Facebook has signed up to the EU “Privacy Shield” – a new framework for the lawful transfer of personal data from the EU to the US. It’s of interest of course, because it was Austrian lawyer Max Schrems’ privacy case against Facebook which led to the collapse of the previous framework: the 15-year-old safe harbour agreement between the EU Commission and the US was struck down by the ECJ in October 2015. Why was it struck down?

The Data Protection Directive (Directive 95/46/EC) says that personal data on EU citizens can only be transferred out of the EU to countries that have “adequate protections” for the rights of data subjects. The Snowden revelations raised concerns about US surveillance on its people, or as DPA practitioners call them, “data subjects”. Given the apparently systemic problems of state surveillance in the US, the ECJ said it wasn’t sure the US did give data subjects “adequate protections” as required by the Directive.

How do you get around that political bombshell? After much to-ing and fro-ing, during which companies on this side of the Atlantic were tearing their hair out over whether they could or couldn’t, for instance, use servers located in the US to hold data on EU citizens, the US and EU Commission agreed a fix – a “Privacy Shield” – in July this year. It’s by all accounts deficient. The Article 29 Working Party – the independent advisory body set up to opine on these matters – isn’t impressed. The “Privacy Shield” comes off the back of a nice letter from the US promising “that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.” US companies self-certify annually that they meet the “Privacy Shield” requirements to protect Europeans’ personal data. It remains to be seen whether the Privacy Shield will satisfy the likes of Schrems. There have been hints of a legal challenge.

But what of Brexit and its implications for all this eurobabble? A new General Data Protection Regulation (GDPR) came into force in May this year. After a period of bedding in, it will apply from 25 May 2018. Regulations, as we all remember from our EU Law modules, are directly effective in member states. Contrast that to directives which must be implemented by national legislation. Directive 95/46/EC was implemented by the Data Protection Act 1998. It’s now 20 years old. The GDPR promises to bring data protection legislation up to date and beef up protection for Europeans. But do we care?

Theresa May has threatened/promised (depending on your allegiances) a “Great Repeal Act” to end the authority of EU law in the UK. It will be achieved by revoking the European Communities Act 1972, which gives legal effect to EU law in the UK. What does a Great Repeal Act mean for the future of data protection in the UK? Practitioners are ad idem – not much. The GDPR will survive this bloody severance of the UK from the EU.

There are four reasons, some more technical than others:

  • The first is easy – timing. The GDPR will apply in full from 25 May 2018. Brexit-proper won’t happen until March 2019. The Great Repeal Act, despite its name, will enshrine all existing EU law into UK law – the GDPR included – to be amended or revoked at leisure. Will the GDPR be revoked? Probably not. Implementing Brexit is a mammoth task. Parliamentary time is limited. Overhauling the GDPR is unlikely to be a top priority for Parliament.
  • The second reason brings us back to Facebook, Schrems and the Privacy Shield. EU data can only be transferred outside the EU to countries that have “adequate” protections for the rights of data subjects. Any dilution of the rights of data subjects in the UK threatens its “adequacy” status. That in turn threatens EU/UK data sharing. If the UK slips behind the EU in the adequacy of the protections it gives personal data, it will need its own version of the Privacy Shield to comfort EU businesses that they can safely transfer their citizens’ personal data to the UK.
  • The third is that any business offering goods or services into the EU will need to comply with the GDPR. It has, in that sense, extraterritorial effect.
  • Finally, the concept of citizens of the EU being afforded privacy rights over their data has caught on. Will UK citizens be willing to give up those rights?

The GDPR is here to stay, much like vast swathes of EU law woven into the fabric of UK legislation over the last 40 years.