More Brexit missed or almost missed deadlines

More Brexit missed or almost missed deadlines

This article, or one very similar to it first appeared on AEIP's Brexitspotlight. The 3rd deadline of the post Brexit Future relationship passed on the 30th June. The deadlines were on the issues of cross border data adequacy, northern Irish meat product movement, the end of equivalence for share depositaries and the end of the grace period to allow EU citizens resident in the UK to apply to stay. It looks like the security depository equivalence was sorted in Sept. 2020 and the EU have granted a three month extension on moving chilled meat from Great Britain to Northern Ireland as required by the treaty’s Northern Ireland protocol[1]. The Commission flagged the agreement of a data adequacy ruling earlier in the year and finally agreed it with two days to go. The parliament is more sanguine. The EDPB is also more cautious, and we expect the CJEU to be so too. Whenever the CJEU has ruled, it has ruled in favour of citizens, whereas the ECtHR gives nation states significant leeway. For more see here, or read more ....

Privacy Regulation

Privacy Regulation

I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU but note that not was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four year live is the desire and plans of the British Govt to depart from the current legal protections which are based on the EU’s GDPR.

Issues of state surveillance, the European Council’s Convention 108 and the Human Rights act are all engaged. We’ll probably get it, but for it to be renewed, we’ll have to remain aligned with the GDPR & C108. The right to seek judicial redress by EU citizens may become important as it is a point of contention between the EU & US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for,

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

cabinetoffice.gov.uk

This has been picked up by the Open Rights Group, who are asking people to write to their MPs, we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon, across Europe pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out, our voices no longer count …

No Deal & cross border data flows

No Deal & cross border data flows

I have just written a blog at linkedin on the impact of a No Deal Brexit on cross border personal data flows. Obtaining an adequacy agreement will take time, one would have hoped that the transition period would have been enough, but without one there will be no adequacy decision on Day 1. Large and prepared entities may be OK as they can use the currently legally permitted alternatives. The US privacy shield may not be avaialable n Day 1, since its an EU agreement. If we leave, we i.e. the UK state may no longer avail itself of the Article 23 powers and the Investigatory Powers Act and the DPA “immigration exception” may cause problems in achieving an adequacy decision. …

On Adequacy after Brexit

I attended the Home Affairs Committee on Europol and the European Arrest Warrant yesterday. Don’t say I don’t know how to have a good time. One of the members, suggested that since we have passed a new Data Protection Law, we will be compliant from Day 1, or Day 0 as we engineers call it. I think  not and here’s why. In short, the Government say they’ve implemented the GDPR into British Law, but once we’re a third country, it’s the Commission that has the last word, and they have questions we need to answer. …

Firstly, I don’t think the Commission would act that quickly and they’d need to issue an adequacy decision and there are four questions of substance that the Commission would need to consider.

  1. The European Data Protection Supervisory Board’s predecessor, the Article 29 Working Party and the Commission had outstanding issues with the UK’s implementation of 95 Directive, to the extent that it seems the Commission had started infraction proceedings. (I find it very hard to get explicit data on this, and much of what is available reads like conspiracy theories, but the most vocal campaigner published his views in the Register, here. The author argues that the infraction process proposes to carry forward to the 2018 DPA. ) The author checkpointed his findings in a 2011 blog article, called “European Commission explains why UK’s Data Protection Act is deficient”, he also points to an Out-law Article, “Europe claims UK botched one third of Data Protection Directive” 17 Sep 2007.
  2. The House of Lords Committee on Data Protection found that as a 3rd Country we may be required to meet a higher standard than as a member state. (This is because we will lose the powers granted to member states under Article 23 Restrictions of the GDPR. These powers relate to the exemption of national security organisations and the courts (and others) from some aspects of the GDPR). This is why there is concern with the Investigatory Powers Act, already declared deficient by the UK Courts and the DPA immigration service exception will jeopardise any attempt to obtain an adequacy finding. i.e. a member state might be able to have these laws but a 3rd country may not.
  3. The loss of member state status and privilege means that our intelligence sharing arrangements with the US, a country which still has the death penalty, and operates under a different military legal doctrine may be deemed to be a critical problem in granting adequacy. (We should note that Tom Watson MP, obtained a barrister’s opinion on the legality of sharing intelligence and wrote to the Prime Minister at the time on the legality of this activity; it was taken up by Rights Watch who are pursuing this through the courts.)
  4. Depending on the withdrawal agreement, and it seems that no-one is thinking about this, we may cease to be covered by the US Privacy Shield agreement, and thus will be prohibited from transferring EU citizens personal data to the USA, and they to us. (Actually prohibited is a bit strong, participants in cross border data transfer would need to be covered by model clauses, or binding corporate rules and both of these are under judicial review (Schrems II) and create a barrier to entry because of cost to SMEs).

It should be noted that the ECJ has required the US Safe Harbour agreement to be re-negotiated; its successor allows US corporate self assessment, but also requires EU citizen access to the US Court system. The important thing here is that the Commission consider protections of EU citizens’ personal data, and the establishment of rights against the State’s intelligence, security and police services to be part of an adequacy findings and since the EU is not frightened of a row with the US; it wont be with us. …

The Data Flow implications of Brexit

The Data Flow implications of Brexit

Project Fear or Project Reality about Brexit continues and while risks to banking, air travel, radio-therapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows particularly of personal data, which underpins both secondary & tertiary sector industries.  This article looks at the threat to trade involving data flows posed by Brexit and looks at the likely shape of US/EU data flow and privacy regulation. …