On June 23, the U.K. voted to leave the EU; formal notification of its intent to leave is now awaited. If that notice is given, then the U.K. will have two years to negotiate the terms of its departure. There is a good argument to be made that those “ … asking 'what about the GDPR for the U.K '… are missing the bigger picture quite painfully.” But personal data is one of the areas where the consequences of the U.K.’s vote may become apparent most quickly. Two events in the coming month may illustrate what the position of the U.K. will be if it should decide to invoke Article 50 TEU, give notice and leave.
The first event will be the issue of Advocate-General Saugmandsgaard Øe’s opinion in Davis, due July 19 next year. In Davis, the English Courts asked that the Court of Justice of the European Union to consider whether the previous decision of the CJEU in Digital Rights Ireland laid “ … down mandatory requirements of EU law applicable to a Member State's domestic regime governing access to data retained in accordance with national legislation …” In essence, the English Court is asking what the scope of EU data protection law should be and whether EU data protection law applies to data surveillance operations that are carried out entirely within the borders of an EU Member State. Obviously if the U.K. does serve a notice of intent to leave the EU pursuant to Article 50 TEU, then the answer to this question will be irrelevant to the UK. But the answer will still be highly relevant to the EU’s remaining 27 members. Fortunately Davis is linked to a Swedish case, Tele 2, so the opinion of Advocate General Saugmandsgaard Øe will continue to be relevant. The judgment of the CJEU itself will follow the opinion of its Advocate General, probably before the end of the year.
The second event is the revision of the Privacy Shield Agreement between the EU Commission and U.S. government, which is now expected to be finalized early in July. If the U.K. does leave the EU then personal data transfers from the EU to the U.K. will be subject to EU law and the jurisdiction of the CJEU. The EU may then be asked to decide whether the U.K. should be granted a similar Privacy Shield.
These two events cannot be considered in isolation. Like some other EU Member States, the U.K. conducts significant surveillance of data processing within its borders. In Digital Rights Ireland, the CJEU held that EU data protection law applied to state surveillance of personal data between EU Member States. However the view has been taken that EU data protection law does not apply to the surveillance of personal data within Member States themselves. In Davis, the CJEU is being asked whether that view is correct.
In Schrems, the CJEU held that EU data protection law applied to the generalized surveillance of EU personal data by U.S. state agencies within the borders of the U.S.. This led to the striking down of Safe Harbor and the negotiation of the Privacy Shield agreements. The standard applied by the CJEU to the USA is a higher standard than applies to EU Member States themselves. But this is the standard that will apply to EU transfers of data to the U.K., if the U.K. leaves the EU
Of course it is not known what the status of the U.K. will be, if and when it leaves the EU. It is possible that the U.K. would retain membership of the European Economic Area, which would mean that it would be subject to the General Data Protection Regulation 2016/679. Alternatively, the U.K. may enter into some other relationship with the EU. What this relationship would be remains to be seen; it might take many forms. It is possible that Brexit will lead to the “… abandonment of EU privacy rules and other regulations for data …” And the U.K. may launch itself towards “…' the Anglosphere,' that solar system of English-speaking planets which revolves around the United States.” But transfers of EU personal data to the U.K. would still be subject to the principles set out in Schrems. And if the U.K. wants to retain membership of or easy access to the EU’s single market, then it would have to effectively accept the application of the GDPR. It may be that the U.K. would find itself in the position of being subject to both the GDPR and Schrems. This would be a much stricter regime than applies to EU Member States at present (subject to the judgment of the CJEU in Davis). And so the U.K. might leave the EU, but find itself subject to data protection laws stricter than those that currently apply to EU Member States.
If you want to comment on this post, you need to login.