On data protection Brexit means mirroring EU rules, confirms UK minister

What does Brexit mean for UK data protection rules? Likely mirroring the major part of EU data protection law, according to UK digital minister Matt Hancock, who was giving evidence to a House of Lords Home Affairs sub-committee earlier today on the implications of Brexit for domestic DP law.

So anyone under the fleeting impression Brexit means taking back control of the rules enabling personal data to flow freely between the UK and the European Union should reset their expectations accordingly. (Albeit data protection policy was unlikely the most pressing reason for the 52 per cent of referendum voters wanting to pull the plug on the UK’s EU membership.)

“The government wants to ensure unhindered data flows after Brexit” was Hancock’s most oft repeated line during the scrutiny session. He also said the government wants these unhindered data flows to be “uninterrupted” — so, he was quizzed, that means no cliff edge in data protection terms, then? His answer: “Exactly.”

While there wasn’t a great deal of certainty to be gleaned from Hancock’s responses, with the minister frequently fending off questions by repeating Prime Minister Theresa May’s line that the government will not provide specifics on its thinking as it does not want to undermine its negotiating position with the EU, Hancock did provide some steerage on its hopes for the outcome: i.e. what it wants the UK’s data protection policy will look like, post-Brexit.

And hopes are of course all they can be at this point — i.e. before the negotiations have begun. May has maintained she will start the two-year Article 50 EU exit talks by the end of March. While other aspects of UK’s domestic data protection policy agenda will rely on it being able to quickly secure data flow arrangements with other countries that the EU has deals with — such as the US — given an UK that’s outside the EU will also no longer be covered by the recently implemented EU-US Privacy Shield, for example.

A lot of the government’s hopes re: data protection appear to rest on not changing very much vis-a-vis the current data protection regime. Hancock confirmed the government will be harmonizing domestic law with the incoming EU GDPR (General Data Protection Regulation), for example; and said it wants to continue current data-sharing activity with the EU for law enforcement purposes.

Yet the government also wants to maintain this status quo while removing the UK from the jurisdiction of the European Court of Justice. Hancock was asked by the committee how the government could square that circle. Who would be the arbiter or adjudicator in data protection matters if not the ECJ? “Well there’s several different ways that can take place — but we don’t have the answer to that question because we haven’t begun the negotiations, let alone concluded them,” was one of his less than illuminating answers on that.

Pressed to expand on the range of possible alternatives, to at least help the committee understand the options the government is considering are in play, Hancock again deflected, falling back on the line that: “I don’t want to stress any particular options because we’ve got to protect our negotiating position.”

“What I will very clearly do is state the goal: which is unhindered flow of data,” he reiterated. “But I can’t go any further than that in terms of the pros and cons of various different arrangements to make this happen. Because we’ve got to go through a negotiation.

“As the Prime Minister puts it we’re not going to give a running commentary on it. But as you know there are different ways to make it happen.”

Hancock was also less than comfortable discussing a scenario whereby the UK fails to secure a so-called ‘adequacy decision’ from the EU — i.e. an agreement that UK DP law meets European standards, which it will need to ensure data flows continue “unhindered” as is hoped — saying he did not want to get into “ranking alternatives” there either.

One possibility that’s been mooted is the UK having to negotiate a Privacy Shield type mechanism of its own with the EU. “Those sorts of agreements are possible,” said Hancock when a committee member pointed out that a UK outside the jurisdiction of the ECJ might need to agree something similar.

“The approach that we’ve taken in order to maximize the ease with which we can negotiate an uninterrupted and unhindered flow of data is to put GDPR into UK law in full. So in a sense we are matching them rather than asking them to match anything new from the UK,” he continued.

“That is the thing with this EU negotiation is that we’re starting from a position of harmonization, rather than from a position of difference. In the case of GDPR and data one of the reasons that there’s a lot of interesting questions around it is because the EU is moving its own domestic law at the same time as we’ll be going through the Article 50 process. And there’s several different directives and regulations in question. We’ve got to make sure that we look at the whole of that as we go through the process.”

On possible timeframes for securing a deal to ensure continued UK<>EU data flows he pointed to the EU-US Privacy Shield having being done and dusted in nine months.

However this is not strictly true. A replacement for the predecessor arrangement had in fact been being negotiated long before the ECJ invalidated Safe Harbor — with the latter event undoubtedly helping to accelerate the rest of the talks by injecting the urgency of uncertainty (thus allowing Hancock to claim it took ‘nine months’). But in fact the whole negotiation process took two and a half years. (Still, you can say one thing about Brexit: it does at least have uncertainty in spades, so may also entail similar levels of expeditiousness.)

Hancock was also at pains to describe the GDPR as “a decent piece of legislation”, further justifying why the government intends to implement it in full. The regulation includes measures aimed at strengthening privacy protections for data subjects, and increases penalties on data controllers for breaches, and is due to come into force across the EU in May 2018.

He also confirmed that Implementing the GDPR into UK law will require changes to be made to the 1998 Data Protection Act to bring it into compliance — and said the government will be introducing legislation to do that in the next session.

What will happen in future if the GDPR is updated after the UK has left the EU — will the government continue to mirror the legislation, he was asked. “We’ll have to make that decision at the time according to what the changes are,” he responded.

But the need to ensure a continuation of the sought for uninterrupted and unhindered data flows heavily suggests any UK government would indeed need to keep mirroring EU DP law ad infinitum if it doesn’t want to choke off data flows with the continent. The rest of Hancock’s answer essentially went on to flesh out that point…

“In the same way that there’s the potential to make GDPR easier to comply with or more flexible, we’d only want to do that consistent with maintaining unhindered data flows within the data protection regime,” he said. “Likewise if the rest of the EU once we’d left chose to change their data rules then we’d have to make a decision as to whether to change ours to mirror that — because there’s advantages to doing that, to being he same as the European system, or whether we maintain a slightly different system. But again we’d want to maintain unhindered data flows.”

“Once we’ve left there’s a corollary with our relationship with other major economies — the US being the best example,” he added. “If the US changes its data rules now, the EU now (and in future us and the EU) have to think about whether we update ours. It’s part of having an international accord like that, that you need to think about what happens when the other side changes theirs.”

So, in other words, Brexit means the UK following a lot of EU rules for the foreseeable future. Or, to put it another way, plus ça change.

How will the government avoid making people feel like they voted for change but just got more of the same, wondered one committee member?

“What we’ll need is a set of global relationships, rather than only at a European level. And the UK domestic government will be able to decide the changes that we make domestically given everybody else’s position — and so that means that if we need to respond to other changes we’ll be able to, as opposed to being dictated to by [another] system,” was Hancock’s response there.

On the prospect of the UK negotiating its own equivalent to the EU-US Privacy Shield with the US, to keep data flowing between the two countries, Hancock was upbeat — saying he is “confident” of securing a “successful agreement to make sure we have the same unhindered flow of data with the US as we do now”. No references were made, however, to how new US President Donald Trump might complicate matters on that front.

The committee also questioned the minister on ongoing concerns over the legal robustness of the Privacy Shield. And on risks that new UK surveillance legislation, the Investigatory Powers Act, conflicts with European data protection law — following a recent ECJ ruling against general requirements being placed on electronic service providers to carry out bulk data collection. Hancock played down both concerns.

He also confirmed the UK government is supporting European Commission efforts to defeat at least one legal challenge to Privacy Shield, brought by Digital Rights Ireland — expressing confidence in the legal basis of the EU-US data flow mechanism despite the demise of the prior arrangement after it was challenged in the courts over data protection failures.

“Privacy Shield was put in place in response to those challenges. So, in a sense, it’s taken into account the challenges to Safe Harbor so we think it’s stronger,” he added.