On Feb. 4, Baroness Neville-Rolfe, the U.K. minister responsible for data protection, issued a 181-word statement on the General Data Protection Regulation that appeared on the U.K. Parliament’s web site. It said that the government has decided not to opt in to Article 43a of the General Data Protection Regulation, the so-called “anti-FISA clause.” The U.K. has therefore effectively opted out of the provisions of this article “as a result of concerns relating to the integrity of the U.K. legal system.”
Despite the terseness of this statement, its implications are significant and wide-ranging. The U.K.’s opting out of Article 43a fragments the cross-border application of the GDPR—and comes in addition to the last-minute compromise allowing individual member states to set the age threshold (between 13 and 16 years) at which children can consent to have their data processed without their parents’ authorization.
This statement could spur other member states to seek their own GDPR carve-outs in areas such as public security and restrictions on data subjects’ rights. What a series of exemptions would mean for regulators attempting to implement an EU-wide data protection regulatory framework—in two years’ time, under the new one-stop shop and consistency mechanism—remains to be seen. But it will not make their job easier.
The U.K.’s opt-out from Article 43a emerged from an obscure EU treaty protocol. Article 16 of the Treaty on the Functioning of the European Union refers to the right to the protection of personal data and provides that the European Parliament and Council shall lay down rules relating to this right. TFEU’s Article 16 thus forms the basis from which the GDPR and new law enforcement directive have emerged. However, TFEU also contains a protocol (No. 21) on the position of the U.K. and Ireland in respect to freedom, security, and justice. The U.K. has declared that the wording of the GDPR’s Article 43a triggers the U.K.’s ability to opt in to it under protocol 21 but the U.K. has determined that it does not consider itself bound by this article.
The U.K.’s position has emerged in the context of the renegotiation of its relationship with the EU and the in-out referendum that Prime Minister David Cameron announced will be held on June 23. Indeed, the published draft decision concerning a new EU-U.K. settlement refers to maintaining protocol 21 and indicates an intention by the U.K. government to preserve its national competence in certain policy areas, including those that touch upon data protection law.
What is not clear, though, is whether the European Commission will accept that the U.K. can opt out of Article 43a, particularly if the commission takes the view that the data protection rights of U.K. residents would then be compromised compared to residents of the other EU member states. But the politics of the U.K.’s renegotiation, and its vast significance to the future of the EU, may mean that any arguments over such fine details will be left until after the referendum.
Regardless of the U.K.’s specific position on Article 43a, the story behind the introduction of this measure into the GDPR is interesting and predates the Snowden disclosures, which eventually prompted the article’s inclusion in the compromise text.
Article 43a originally appeared as Article 42 in the GDPR draft leaked in December 2011. Article 42 prompted serious and immediate concern from regulators across the U.S. government, because they understood that this article jeopardized hundreds of memorandums of understanding between the U.S. and EU on the regulation of financial services, health care, consumer protection, competition, and other areas of vital human activity.
MOUs increasingly serve as the backbone for intergovernmental information sharing because they enable regulators to expediently memorialize commitments. Although their utility cannot be overstated, the U.S. government does not consider most of these MOUs to be “international agreements.” This interpretation is consistent with public international law. MOUs generally fall under the category of “soft law,” which, although influential, is not considered binding.
Given that U.S./EU regulatory information sharing relies on MOUs that do not fall under the scope of the “international agreements” contemplated in Article 42, the U.S. government coordinated several positions on this article amongst its regulatory and law enforcement agencies. The European Commission removed Article 42 from its official draft of the GDPR in 2012; but in October 2013, the European Parliament’s LIBE Committee voted to include Article 42, as Article 43a, in the GDPR. The EU Parliament’s position on this article then led to its inclusion in the final version of the GDPR.
The effects of the inclusion of Article 43a will be felt not only by global regulators, whose public policy objectives will be frustrated, but by businesses facing requests for information from regulators. Global regulators—including the majority of EU regulators that have MOUs in place with their U.S. counterparts—will likely continue to request information from regulated entities, and some of that information may be shared with U.S. counterparts during the course of investigations. Companies will therefore face difficult compliance decisions when responding to such requests.
The U.K.’s opting out of Article 43a will recalibrate how cross-border data transfers will be handled in instances where third-country (non-EU) courts or authorities request the personal data of EU residents. Could U.K.-based data controllers circumvent the general prohibition on such transfers that Article 43a introduces and therefore avoid the conflict-of-law situation that made the article so controversial? Alternatively, could such controllers find it difficult to resist orders with which they do not want to comply because they cannot rely on Article 43a’s prohibition in the U.K.?
The situation remains unclear, as no further clarifying statement has been issued by the U.K. government. Businesses are therefore advised to monitor developments on this point and in member states beyond the U.K. The U.K.’s 181 words may well signal the start of a scramble by member states to shape the GDPR to their own way of thinking, before it even goes live in 2018.