Monday 17 August 2020

Data Protection: Where’s the Brexit Privacy Dividend?

One of the Government's core objectives throughout the Brexit negotiations has been to respect data protection rights, slash Brussels' red tape and allow the United Kingdom to be a competitive safe haven for businesses all over the world. With that in mind, how could the Government reduce its ties to the EU's 'data protection level playing field' while continuing to maintain a robust and effective data protection regime? 


If the EU’s ‘level data protection playing field’ means continuing to fully implement all aspects of European data protection law, including all aspects of the two-year-old General Data Protection Regulation (GDPR), then what was the point of Brexit? Is it really necessary for the UK to commit to continue to observe unnecessarily complex rules that so many organisations have struggled with, when so few benefits have been realised? 


The GDPR is meant to be a ‘living instrument’ – so committing to harmonising to GDPR standards would mean adopting European Data Protection Board (EDPB) decisions (over which the UK will have no say) and EU jurisprudence (ditto) going forward. This is a process that would never end.


Some UK organisations will inevitably have to follow all the EU’s data protection rules because they will continue to process the personal data of individuals in the EU. But these organisations are likely to form a small minority of the 738,769 data controllers that registered to pay data protection fees to the Information Commissioner’s Office (ICO) as at 31 March 2020. 


Removing the UK from the decision-making structures of the EDPB and its associated consistency mechanisms should result in the ICO (a) being able to better protect the UK public by reacting much faster to privacy breaches that affect people in the UK as well as those in the EU, and (b) quickly publishing appropriate guidance on matters of public concern. No longer might UK privacy pros feel obliged to wait for the publication of weirdly worded EDPB opinions. 


Removing the UK from the decision-making structures of the EU should also result in the UK Government feeling able to update other privacy legislation, such as the outdated Privacy & Electronic Communications Regulations, without having to delay for years and years until EU countries managed to reach a political consensus on the way ahead.


The GDPR has had a profound impact on many organisations. Enormous amounts of money have been spent in a belated acknowledgement of, in many cases, decades of under-investment in privacy issues. Whether all this money has been spent wisely by the GDPR implementation programmes is quite another matter.


Money spent on improving information security controls is always appropriate – and such expenditure should have been made, regardless of the GDPR. But organisations have also, for example, been required to create unknown numbers of ‘Records of Processing,’ many of which are totally useless in terms of providing an organisation with information that is actually relevant to its day-to-day business operations. 


Organisations have also spent many hours working out what legal basis each business process should rely on when personal data is processed. Who would have thought it likely that a supervisory authority would so quickly issue a €150k fine for using a privacy statement that referred to the wrong legal basis? But this has already happened - in Greece. Was such a fine really appropriate? I’ve never met anyone outside the privacy community who thought that privacy statements should include such details in the first place. It isn't easy to explain the concept that the exercise of a particular information right depends on the precise legal basis the organisation relies upon to process personal data. I’m mystified as to why the GDPR deliberately created such a complex web of rights.


As Lee Bygrave, Professor of Law, Director of the Norwegian Research Centre for Computers and Law, University of Oslo, recently commented: “EU data protection law has taken a byzantine turn … All up, the EU data protection system has become a huge sprawling structure – a Kafkaesque castle full of semantic mazes, winding procedural alleys, subterranean cross-passages and conceptual echo chambers.”


Brexit provides the UK with an amazing opportunity to review its current privacy laws and create standards that provide individuals and organisations with robust but simpler, more meaningful, data protection standards. 


Many European data protection opinion formers consider any UK divergence from the strict GDPR regime to be heresy. 


I think it’s worth the effort, though.


With the departure of the UK from the EU, the Government should exercise its own margin of appreciation about the extent to which it promotes and protects the ‘fundamental right’ of data protection. Should all aspects of data protection remain a fundamental right? Who, for example, ever thought that data portability should be a fundamental right until it appeared in a GDPR draft?


The UK should not feel obliged to embrace the entire EU privacy acquis when, on reflection, parts of some laws do not work as intended, or when some legal interpretations have perverse implications that unnecessarily paint everyone into a corner. 


Consider, for example, the mayhem that has just been caused by the Schrems II decision. The Court of Justice of the European Union took 7 months to review the Advocate General’s non-binding opinion. Yet, its final decision failed to provide sufficient practical guidance on precisely what controls are appropriate when personal data is exported from the EU to countries other than the 11 countries that apparently have ‘adequate’ privacy laws. A cursory glance at the immediate reactions published by EU data protection supervisory authorities indicates that, collectively, they haven't yet got a clue as to what to do. Some consulting firms have taken this opportunity to offer their own (untested) solutions to this almighty problem. 


The organisations that export personal data from the EU remain in a legal limbo. As do the organisations in the USA - and elsewhere - that import the personal data. Evidently, it is their responsibility to assess whether non-EU countries have adequate laws that guarantee appropriate data protection standards. If they don't, additional measures to enhance the protections provided by the EC’s Standard Contractual Clauses (SCCs) must be implemented. But what these are, and whether they would be sufficient: well, nobody knows.


Who in their right mind would want transborder data flows to be such a difficult issue for so many organisations to deal with? Notwithstanding the decision, which had immediate effect, I predict that almost all European data protection supervisory authorities will exercise a large degree of regulatory forbearance about these data flows for a good few months, or at least until they are provoked by pressure groups such as noyb.


In future, why should the UK expect UK organisations to continue to use the EC’s SCCs to safeguard transborder data flows? A UK free from the constraints of the GDPR could commend its own set of SCCs for use by UK-established organisations when data was exported from the UK. This set could comprise recommended, rather than mandatory clauses, allowing the parties a degree of flexibility over what would be agreed. 


In future, why should the UK rely on the EC to determine when or whether SCCs would be appropriate? If a test of adequacy needs to be set to determine when the UK SCCs should be used, rather than rely on a country’s membership of the EU or an EC adequacy assessment as the determining factor, the UK could simply recognise the 11 existing adequacy assessments and, in future, allow unimpeded data flows to and from all countries that sign the Council of Europe 108+ convention [Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data]. This approach would not be too heretical, as there are currently only 36 signatories to this convention, and of the EU countries that are also members of the CoE, only Denmark has not yet signed it.


One final point. The UK’s data protection supervisory authority is undergoing the fastest expansion in its history. With such expansion should come a greater focus on ensuring that it delivers value for money. It is not an insignificant organisation. However, my Twitter feed doesn’t contain many tweets that praise the ICO’s work. UK data controllers paid registration fees totalling £48.7m to the ICO in 2018/19, a 24% increase on the previous year. Most may well have had virtually no engagement with any of the ICO’s 768 (720.3 FTE equivalent) staff. Only a decade ago, the ICO had just 282 staff and an operating income of £11.3m; its annual report illustrates how much it achieved even on that budget.


All UK organisations will, by now, have heard of the GDPR, but how many know enough about privacy laws to be able to explain how fully they comply?


And, does it really matter if the majority of them can’t fully comply?


Rather than clinging so tightly to the privacy rules that have been embedded within the GDPR, the Government could develop an alternative approach in a post-Brexit world which ensures that:

  • people in the UK benefit from robust and effective data protection standards;
  • UK organisations can demonstrate that appropriate data protection controls are in place; and 
  • the ICO delivers regulatory value for the money it spends. 


Heresy aside, Brexit ought to be capable of providing the UK with a data protection dividend.