How 'flexible' can the UK actually be on EU data protection law?
It's certainly going to try to be a little bendy
If EU member states can, by law, exercise legislative “flexibility” when implementing 50+ Articles of the General Data Protection Regulation (GDPR), how can the regulation ever become harmonised across the European Union?
Pose this important question another way: given that the UK government intends to use legislative flexibility to the maximum in favour of the interests of controllers, how do we know that the UK will not enact something that could be described as “GDPR lite”?
The answer to these questions depends on the GDPR’s harmonisation process, which presumes that the UK’s Data Protection Authority (and/or the European Data Protection Board) is fully prepared to exercise the independence confirmed by the Schrems judgement. A supervisory authority willing to use that independence could rein in any excessive application of “flexibility” by a member state.
The following is why I have come to this conclusion.
The range of member state flexibility
Given that the objective is harmonisation of data protection, the range of Member State flexibility is breath-taking. Provisions that allow Member State law to modify or supplement a GDPR provision can be found in the following Articles: 4(7), 4(9), 6(2), 6(3)(b), 6(4), 8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4), 10, 14(5)(b), 14(5)(c), 14(5)(d), 17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b), 23(1)(e), 26(1), 28(3), 28(3)(a), 28(3)(g), 28(3)(h), 28(4), 29, 32(4), 35(10), 36(5), 37(4), 38(5), 49(1)(g), 49(4), 49(5), 53(1), 53(3), 54(1), 54(2), 58(1)(f), 58(2), 58(3), 58(4), 58(5), 59, 61(4)(b), 62(3), 80, 83(5)(d), 83(7), 83(8), 85, 86, 87, 88, 89, 90.
Of course, some of the flexibility above has minor impact. However, the application of Member State flexibility in the context of exemptions from rights (e.g. access, profiling), flexibility in the areas of transparency and the processing of “sensitive personal data”, and Member State rules relating to personal data processed for human resources or research purposes has the potential to be very controversial.
The UK government has already signalled that it is prepared to go its own way on “flexibility” in a way that is detrimental to the interests of data subjects. It has, without explanation, opted out of Article 48 (“Transfers or disclosures not authorised by Union law”) as presumably the UK wants to transfer personal data (e.g. to the USA) without specific safeguards such as a treaty or an international agreement concerning the transfer.
So a reasonable starting proposition for the rest of the blog is: let us assume that the UK’s GDPR implementation “flexibly” legislates for something that is significantly out of step with the rest of Europe.
Harmonisation: can a Supervisory Authority challenge Member State law?
The Schrems ECJ judgement is all-important. It concerned whether the Irish Data Protection Commissioner could use her powers to investigate a transfer of personal data to a US controller certified under Safe Harbor when the European Commission had already determined that Safe Harbor offered an adequate level of protection. Before this issue was tested in Schrems, the answer to that question was “No: the Irish Commissioner is powerless to do anything regarding the transfer”.
Most of the commentary on Schrems has been on the unlawfulness of Safe Harbor. However, the enduring feature of this judgement is the independence of the Data Protection Authorities. A key part of the judgement, in paragraph 66, states:
The fact that the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority … from examining the claim of a person … that the law and practices in force in the third country do not ensure an adequate level of protection.
Now apply the above to an errant use of Member State “flexibility”. I would argue that Schrems allows a Supervisory Authority to assess, for instance, the lawfulness of processing that a Member State law permits. To paraphrase the judgement: “…the fact that a Member State enacts a law does not prevent a supervisory authority from examining the law in force in a Member State to ensure the processing is lawful...”.
In other words, I am convinced that the Information Commissioner can assess whether the UK’s “flexible” approach to the GDPR results in lawful processing, and take enforcement action if it does not.
Of course, the UK supervisory authority might decide to do nothing. Perhaps it issues guidance that follows an element of the UK’s data protection law that is inconsistent with the rest of the European approach to the GDPR. Decisions based on that guidance can be challenged by another concerned supervisory authority and, if there is such a challenge, the matter can go to the European Data Protection Board (EDPB).
As far as I can see, the EDPB can make a determination that is binding on the UK Supervisory Authority (Article 65 of the GDPR); this means that any guidance the Information Commissioner produces could eventually be overturned by the EDPB (which has responsibility for harmonisation). The EDPB is also empowered to take legal action (e.g. against the UK Government, by asking the Court of Justice of the European Union to assess the lawfulness of the UK Government’s approach).
So there we have it: a Supervisory Authority or the EDPB can challenge excessive use of Member State “flexibility” through the Courts.
A “margin of manoeuvre”
In practice, Recital 10 of the GDPR shows that the use of Member State flexibility to legislate is meant to be limited. It states that:
- “Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation”;
- “Member States have several sector-specific laws in areas that need more specific provisions”;
- “The Regulation also provides a margin of manoeuvre for Member States to specify its rules” (for the processing of personal data)
- “The Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful”.
In other words, if the UK government heeds the Recitals (see references), it will understand that its flexibility is limited.
In summary, I think the “margin of manoeuvre” will not be too dissimilar to the “margin of appreciation” as applied in the context of Article 8 of the ECHR (see references). For example, several Articles in the GDPR require the flexibility available to Member State law to be constrained: the law must be a “necessary and proportionate measure in a democratic society” (e.g. Article 23(1)) or must “meet an objective of public interest and be proportionate to the legitimate aim pursued” (e.g. Article 6(3)).
In other words, the grounds for applying Member State flexibility should be narrowly construed, as an interference with privacy that has to be justified by a “pressing social need” and that is proportionate to that need.
So what is the protection for data subjects if a Member State goes “super flexible”? The answer is a Supervisory Authority (or the EDPB) that is prepared to argue in the Courts that the processing the Member State law permits is, for example, not necessary for the functions of a public body, or not necessary for compliance with a legal obligation, and so on.
In general, this requires a Supervisory Authority that is prepared to assess “lawful processing of personal data” in the context of Article 8 of the ECHR (at last, I hasten to add).
Whether the next Commissioner (Elizabeth Denham) steps up to the plate on this, only time will tell. However, if the UK government’s approach to implementation of the GDPR is “super flexible”, her response to this will become an early test of her mettle.
References
- Report of meeting with Minister re GDPR in January
- Independence of DP Authorities following Schrems
- Importance of the Recitals
- Council of Europe report on “margin of appreciation” (including Article 8 ECHR) (PDF)
- Parliamentary statement on the UK opt-out of Article 48
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.