UK membership of Council of Europe has implications for data protection after Brexit
Maybe Brits don't need GDPR
Comment There are whispers circulating in the aether that if PrivacyShield is deemed adequate for transfers of personal data from the European Union (EU) to the USA, then in a post-Brexit Britain, something akin to PrivacyShield can allow for adequate transfers of personal data to the UK.
Such an “adequacy” determination would mean that the UK would not need to implement the General Data Protection Regulation (GDPR).
Indeed, if PrivacyShield is deemed adequate, why can’t the UK also replace the current Data Protection Act 1998 (DPA) with something as “flexible” as PrivacyShield; after all, the DPA is based on the European Data Protection Directive 95/46/EC, which will no longer apply in a post-Brexit Britain.
In other words, at one end of the “Brexit means Brexit” spectrum of meaning, there is a vision of a UK free of data protection law (just like the USA). This blog shows that this view, if adopted by a Brexit Government, presents major risks to the free flow of personal data into the UK irrespective of any ‘PrivacyShield’ type agreement that might cover the UK.
Indeed, to the contrary, being a Member of the Council of Europe is likely to require the UK to amend the DPA so that it moves closer to the GDPR.
Importance of the Council of Europe
Any step towards a UK without a data protection law would require the UK to withdraw from the Council of Europe and its European Convention on Human Rights (ECHR), something that Mrs. May has categorically stated will not happen under her watch as Prime Minister.
Being a Member State of the Council of Europe means that the “Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Convention 108) applies to the UK. The Convention was drafted in 1981 to ensure that all processing of personal data was consistent with Article 8 of the ECHR (which concerns respect for private and family life, etc.).
Unlike the GDPR, the Convention applies to all data controllers, although some provisions provide for exemptions linked to Article 8(2) of the ECHR (e.g. necessary and proportionate exemptions for data controllers involved in policing, state security, etc.).
The universality of the Convention is specified in Article 3 which requires Member States of the Council of Europe to “undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors” (my emphasis). In other words, the UK is required to enact general data protection legislation based on the Convention’s provisions.
Thus, if the UK adopted a PrivacyShield option (i.e. repealed the Data Protection Act 1998 and did not implement a replacement law), then the UK would be in breach of the Convention.
Article 12(2) of the Convention then states: “A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation, transborder flows of personal data going to the territory of another Party” (i.e. if a Member State has enacted a data protection law that meets the Convention’s requirement, then transfers of personal data between signatories to the Convention cannot be halted on data protection grounds).
So if a future UK government were to decide to leave the Council of Europe (or were to repeal the DPA without replacement), then transborder flows of personal data from a Member State that has signed the Convention could be prohibited on the privacy grounds referred to in Article 12(2). Notice that such a prohibition has nothing to do with the concept of adequacy in the GDPR or Directive 95/46/EC, or even with the content of any putative PrivacyShield type agreement.
Those steeped in the history of data protection will remember that it was the threat of European States that had signed up to the Convention imposing a blanket transfer prohibition on the UK which pushed Mrs. Thatcher’s government into introducing the Data Protection Act 1984.
Mrs. T. enacted a minimalist Act in order to prevent those “Johnny Foreigners” from using the Convention to stop the flows of personal data to the City of London – something which, in my view, will become a major risk if the UK pussyfoots around with the current data protection regime or fails to move the current DPA towards the requirements of GDPR.
In addition, many forget that Directive 95/46/EC was agreed to give effect to the Convention; this is made clear by Recital 11 to the Directive:
“(11) Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data”.
As stated previously, the European Commission has been threatening infraction proceedings as it considers the UK’s DPA a deficient implementation of the Directive; the UK Government has refused since 2005 to publish details (or inform Parliament) as to what these deficiencies are, because their release would prejudice international relations (Not a joke! See comments about FS50577377 below).
It follows that if the Europeans see the DPA as not meeting the requirements of Directive 95/46/EC, it cannot be viewed as adequate in relation to the GDPR (see references). It also follows that the UK has arguably not enacted a data protection law that “gives substance” to the Convention, although this point has not been tested.
Could the DPA remain in some form?
Article 3 of the GDPR does not apply to a Controller established outside the EU if the processing activities do not involve:
- “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union”.
So, for example, the vast majority of public sector bodies in a post-Brexit UK would not offer goods and services to data subjects on the Continent, and many small private sector companies do not have a website whereby goods and services are offered to Europeans. For these types of data controllers, it appears that the current DPA could remain instead of the GDPR.
However, the Council of Europe Convention is being modernised from the text formalised in 1981. Given that most Member States of the Convention have also agreed the GDPR, it does not take a rocket scientist to see that any proposed change to the Convention text is likely to be in the direction of the GDPR text.
Thus, in the short term the current DPA could apply to data controllers that do not provide services into the European Union, but in the longer term any change to the Convention will require the UK to modify the current DPA so that it is closer to the GDPR. By contrast, for all controllers who do see the European Union as a marketplace, the GDPR will have to be implemented.
In summary, the Council of Europe Convention provides another reason for saying that the GDPR or something very similar is likely to be implemented in the UK for all controllers.
It also follows that those who delay any preparatory work to plan for implementation of the GDPR are merely procrastinating unnecessarily.
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.