I attended the Home Affairs Committee on Europol and the European Arrest Warrant yesterday. Don’t say I don’t know how to have a good time. One of the members suggested that since we have passed a new Data Protection Law, we will be compliant from Day 1, or Day 0 as we engineers call it. I think not, and here’s why. In short, the Government say they’ve implemented the GDPR into British Law, but once we’re a third country, it’s the Commission that has the last word, and they have questions we need to answer. …

Firstly, I don’t think the Commission would act that quickly; they’d need to issue an adequacy decision, and there are four questions of substance that the Commission would need to consider.

  1. The European Data Protection Supervisory Board’s predecessor, the Article 29 Working Party, and the Commission had outstanding issues with the UK’s implementation of the 95 Directive, to the extent that it seems the Commission had started infraction proceedings. (I find it very hard to get explicit data on this, and much of what is available reads like conspiracy theories, but the most vocal campaigner published his views in the Register, here. The author argues that the infraction process proposes to carry forward to the 2018 DPA.) The author checkpointed his findings in a 2011 blog article called “European Commission explains why UK’s Data Protection Act is deficient”; he also points to an Out-law article, “Europe claims UK botched one third of Data Protection Directive”, 17 Sep 2007.
  2. The House of Lords Committee on Data Protection found that as a 3rd Country we may be required to meet a higher standard than as a member state. (This is because we will lose the powers granted to member states under Article 23 Restrictions of the GDPR. These powers relate to the exemption of national security organisations and the courts (and others) from some aspects of the GDPR.) This is why there is concern with the Investigatory Powers Act, already declared deficient by the UK Courts, and the DPA immigration service exception will jeopardise any attempt to obtain an adequacy finding; i.e. a member state might be able to have these laws but a 3rd country may not.
  3. The loss of member state status and privilege means that our intelligence sharing arrangements with the US, a country which still has the death penalty and operates under a different military legal doctrine, may be deemed to be a critical problem in granting adequacy. (We should note that Tom Watson MP obtained a barrister’s opinion on the legality of sharing intelligence and wrote to the Prime Minister at the time on the legality of this activity; it was taken up by Rights Watch, who are pursuing this through the courts.)
  4. Depending on the withdrawal agreement, and it seems that no-one is thinking about this, we may cease to be covered by the US Privacy Shield agreement, and thus will be prohibited from transferring EU citizens’ personal data to the USA, and they to us. (Actually, prohibited is a bit strong; participants in cross-border data transfer would need to be covered by model clauses or binding corporate rules, and both of these are under judicial review (Schrems II) and create a barrier to entry because of cost to SMEs.)

It should be noted that the ECJ has required the US Safe Harbour agreement to be re-negotiated; its successor allows US corporate self-assessment, but also requires EU citizen access to the US Court system. The important thing here is that the Commission consider protections of EU citizens’ personal data, and the establishment of rights against the State’s intelligence, security and police services, to be part of an adequacy finding, and since the EU is not frightened of a row with the US, it won’t be with us.

On Adequacy after Brexit