Twice now — first at a speech focused on security, in Munich, then this past Friday in her so-called "Five Tests" speech detailing her goals for Brexit — U.K. Prime Minister Theresa May has outlined her desire for a data protection agreement with the EU. To quote from her fourth test in Friday's speech:
[T]he free flow of data is also critical for both sides in any modern trading relationship too. The U.K. has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and U.K. individuals and businesses to achieve our aims in maintaining and developing the U.K.'s strong trading and economic links with the EU.
That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK's Information Commissioner's Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.
The emphasis is mine. While some in the privacy field have openly wondered whether the U.K. can even get adequacy, given the Snooper's Charter and other surveillance considerations, May is unequivocal in wanting more than that, including a role for the ICO in the so-called one-stop-shop enforcement regime of the EU General Data Protection Regulation, which would seem to indicate a desire for the ICO to be able to serve as lead authority and as a member of the to-be-created European Data Protection Board when the GDPR comes into force.
Given the chilly reception the European Commission has given to May's "three baskets" strategy, is there any chance the ICO actually does retain such a role post-Brexit?
Well ... maybe?
"The U.K. Government's adequacy-plus aim is certainly bold and ambitious," admitted Hogan Lovells Partner Eduardo Ustaran, CIPP/E. "But this is not entirely ill-founded: Today the U.K. is regarded as a safe jurisdiction for personal data. If it retains the EU’s legal framework irrespective of Brexit – which the U.K. is clearly doing – why should the outcome change?"
Further, said Richard Thomas, former U.K. ICO and now strategy adviser with the Centre for Information Policy Leadership, "Mrs. May seems to recognize that the conventional adequacy procedure would be a lengthy process, with delay causing massive problems for everyone on both sides of the English Channel and further afield.
"My personal view is that some sort of 'deemed' adequacy recognition should be included in the Treaty, which will set out the arrangements for the U.K.’s departure from the EU. This would then be a matter of international law overriding both EU and U.K. law. Whether and how this is done will be more political than technical. But it should not be a problem given that the GDPR will have had direct effect in the U.K. from May 2018 and that the new Data Protection Bill will effectively extend this indefinitely."
In fact, just about everyone I talked to over the course of the last six weeks in Europe is relatively confident that adequacy for the U.K. is very likely. Sure, there's the Snooper's Charter, but many countries in the EU have surveillance operations of a similar nature, and "Part 4 of the [U.K.'s proposed Data Protection] Bill introduces a special data protection regime for these three services and this may be sufficient to address such concerns," argued Thomas.
So, the second question there is whether Thomas is right that adequacy will be granted right out of the gate as part of the separation treaty or whether there will have to be some kind of formal review period by the Commission. The general consensus is that it doesn't matter much. Most people feel there will be a 20-month implementation period following the March 2019 Brexit separation and that, as the Data Protection Bill will be in place as an approximation of the GDPR, cross-border transfers will be allowed during that period, and that gives the Commission plenty of time to get adequacy sorted, even if it winds up being some kind of "U.K.-EU Privacy Shield."
So, in short, for those putting together risk registers: Consider no adequacy a "low" risk, though not entirely impossible. It may well be that there is a massive rush to BCRs, or to some not-yet-invented certification scheme, in late 2019.
But what about "adequacy-plus"? Could it really be possible for the ICO to, say, be a member of the EDPB and actually serve as a lead authority?
"The issue here is that the EDPB is only meant to comprise members from the supervisory authorities of EU Member States, not third countries," noted Ustaran. "However, if the will existed and politics didn't get in the way, it would be in everyone's interests for the ICO to be actively involved alongside her EU colleagues. Ultimately, European data protection is a team effort and you need all of the best players on the team."
Thomas agreed: "ICO is the largest authority in Europe and does much of the heavy lifting for the Article 29 Working Party. It would be in no one’s interests to exclude the ICO from the Board.”
This would, however, be a unique situation indeed. Currently, the data protection authorities of Liechtenstein, Iceland, and Norway, which are all in the European Economic Area but not in the EU, are not voting members of the Article 29 Working Party and cannot serve as lead authorities under the GDPR. What would their opinion be of the U.K. getting full voting rights in the EDPB post-Brexit?
Further, in her "Five Tests" speech, May said, "the jurisdiction of the [European Court of Justice] in the U.K. must end." How could the ICO participate in enforcement actions if it wasn't subject to EU law, which would be the final arbiter of the enforcement action should it be challenged?
May has some thoughts on that. "For a start, the ECJ determines whether agreements the EU has struck are legal under the EU’s own law – as the US found when the ECJ declared the Safe Harbor Framework for data sharing invalid. When we leave the EU, the Withdrawal Bill will bring EU law into UK law. That means cases will be determined in our courts. But, where appropriate, our courts will continue to look at the ECJ’s judgments, as they do for the appropriate jurisprudence of other countries’ courts. And if, as part of our future partnership, Parliament passes an identical law to an EU law, it may make sense for our courts to look at the appropriate ECJ judgments so that we both interpret those laws consistently. As I said in Munich, if we agree that the U.K. should continue to participate in an EU agency the U.K. would have to respect the remit of the ECJ in that regard."
So, if the ICO were to participate in the EDPB, theoretically the "U.K. would have to respect the remit of the ECJ in that regard."
May reiterated that point in an interview on BBC's Marr show on Sunday, noted John Bowman, senior principal at Promontory and formerly head of the U.K. delegation to the DAPIX Working Group at the Council of the European Union when negotiating the GDPR. "Although ending ECJ jurisdiction is one of the U.K. government’s ‘red lines,'" he said, "the Prime Minister alluded to the decision, without naming it, to invalidate the Safe Harbour as being an example of where the court can affect an overall agreement with the EU. Therefore, if the U.K. was to achieve adequacy or some other agreement with the EU, the ECJ could still have a part to play with respect to the effect that agreement has on people living in the EU. The U.K. may still need to live with some ECJ involvement in data protection going forward, even if it does not specifically affect people in the U.K.”
So it would seem that it's not impossible for the negotiators to creatively arrive at an agreement that keeps the ICO involved beyond some kind of observer status. As virtually everyone I've spoken with has commented, this is much less a matter of law than a matter of political will. No, there isn't precedent for the kind of adequacy-plus May is talking about, but neither is there precedent for Brexit. This is quite literally uncharted legal territory.
Perhaps the greatest thing arguing for adequacy-plus is that data protection is the rare area where there's not much disagreement among the parties. Both the U.K. and the EU have long been in favor of strong data protection, and the ICO is pretty clearly the most active of the EU enforcement agencies.
Perhaps the greatest thing arguing against adequacy-plus is the leverage the EU holds here. Were the U.K. not to have adequacy at all, it would clearly be a massive disruption of business for the U.K. It may be a situation where the EU says, "here, you get adequacy, and you should be happy to have it. Let's talk about something else." And the U.K., depending on where negotiations stand, might just be happy to take that and move on.
Regardless, the central role that data protection looks to be playing in the negotiations underscores just how important the issue is to the future of both the EU and U.K. economies. We will likely see much more on this to come.