Can Britons’ Data Privacy Be Protected After Brexit?

Written by Brian Mund

Introduction

            Amidst the political excitement of Brexit, few onlookers in the United Kingdom have considered the importance of the data reform legislation sweeping through the European Union. In a recent poll, only 44% of surveyed IT professionals indicated that they had, at best, a “vague awareness” of data reform legislation.[1] This collective disinterest is severely misguided. With the ongoing Brexit negotiations, the United Kingdom cannot afford to allow the data privacy issue to remain in obscurity. Data privacy allows British citizens to engage in everyday activities without fear of harmful discrimination. Even in the absence of intentional human activity, the disclosure of personal information can lead to disparate treatment based on gender, race, or other protected categories.[2] Without proper safeguards in place, implicit bias can deny citizens fair treatment in fields such as healthcare, housing, employment or education.[3] An over-zealous national security surveillance apparatus can also endanger civil liberties through discriminatory tactics.[4] However, “discriminators need information to discriminate.”[5] Thus, robust data privacy laws protect the British populace from the threat of unjust treatment. The Brexit movement risks disrupting the current data protection regime and creates the potential for the discriminatory use of personal information. Fortunately, the British government can take proactive measures to ensure the continuity of optimally protective data privacy policies.

            Regardless of the Brexit negotiations, the United Kingdom will need to implement enhanced EU data protection standards for some period of time. In April 2016, the European Council and the European Parliament adopted the General Data Protection Regulation (GDPR),[6] which calls for Member States to implement uniform data privacy rules.[7] All Member States must begin compliance with the GDPR reforms by May 25, 2018.[8] As long as Britain remains a member of the European Union, Britain has a legal obligation, pursuant to the Treaty on the Functioning of the European Union, to observe the GDPR reforms.[9]

            Brexit will not come in time to save Britain from its obligation to comply with the GDPR. Even if Britain invokes Article 50 in December 2016 and initiates the two-year withdrawal process, Brexit would not take effect until December 2018.[10] If the U.K. remains non-compliant, U.K. companies will face tremendous liability in potential GDPR fines.[11] Moreover, the British government has stated unequivocally that “[t]he UK will continue to fulfil [sic] our rights and obligations as a member state until we leave the EU.”[12] Thus, in the short term, Britain will need to adopt the same data protection standards as the rest of Europe.

            The discussion below reveals that the U.K. risks severe data privacy vulnerabilities through Brexit. Brexit threatens both a loss of influence in determining the scope of acceptable sovereign data use and also encourages political risk-taking detrimental to data privacy interests. Britain can position itself to weather the winds of political change and uncertainty through proactive behavior to secure current data privacy policies. Specifically, Britain can best protect its long-term data privacy interests by passing the GDPR into domestic law.

 

Discussion

            British citizens would receive excellent personal data security through the GDPR. One can debate whether the data privacy policy that provides maximum protection of personal data is necessarily the best data privacy policy if the policy also precludes government access. After all, the government can utilize valuable data in order to aid national security efforts or further other compelling governmental interests. While the GDPR imposes strict notice requirements and limits extraterritorial sharing, [13] it contains an exemption for “activities which fall outside the scope of Union law, such as activities concerning national security.”[14] Thus, the GDPR provides an optimal balance between far-reaching personal data protections and carve-outs for important state interests. With a thoughtful balance between privacy and national security protections, the GDPR offers an excellent data privacy option for British citizens.

            Some in Britain fear that judicial review by the European Court of Justice (ECJ) will lead to a loss of sovereign control over national privacy policies. The ECJ has not yet ruled on the extent of the “important state interests” carve-out. The GDPR only allows these carve-out restrictions when “such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard [public security and other important public interests].”[15] This qualifying language is critical. Unlike in the United States, British and European Union courts recognize a fundamental right to data privacy under Article 8 of the binding European Convention on Human Rights (ECHR).[16] As such, under current European law, data collection policies infringe upon a fundamental right and are therefore only allowable when “necessary and proportionate.”[17] A recent ECJ opinion found that EU member states could require companies to retain data, but only under strictly circumscribed situations that further key governmental interests like fighting “serious crimes.”[18] Thus, the GDPR carries the threat that European courts will interpret the data privacy carve-outs in an overly restrictive fashion that infringes upon key spheres of British national sovereignty.

            Sovereignty concerns notwithstanding, Britain is poised to receive the best data privacy policy by staying within the European Union. ECJ review would ensure that the British government does not take an excessively cavalier approach to personal data privacy. For example, in 2014, the ECJ reined in the U.K.’s Data Retention Directive (DRD), finding the DRD unconstitutional for lack of proportionality.[19] While the ECJ can impose some of its own limitations, it has also traditionally adopted relevant case law decided by the European Court of Human Rights (ECtHR).[20] Recent ECtHR opinions should offer reassurance to British citizens of a reasonable balance between data privacy and legitimate security needs. The ECtHR cases Weber and Saravia v. Germany[21] and Liberty and Others v. United Kingdom[22] support the proposition that as long as the government formally establishes minimum safeguards and provides sufficient clarity as to the scope and procedure of the surveillance, then subsequent surveillance will meet the carve-out exception in Article 8 of the ECtHR.[23] France’s experience appears to reflect the ECJ’s deference to the ECtHR standard: France has adopted GDPR-compliant data protection legislation,[24] yet still maintains extremely capacious surveillance capabilities for national security purposes.[25] As a result, ECtHR case law tempers the likelihood that the ECJ will adopt unduly restrictive data privacy measures, thus allowing for optimal data privacy policies.

            The Brexit discussions offer an opportunity for Britain to clarify the scope of the GDPR restrictions. Many EU countries have an interest in maintaining sovereign discretion over data privacy infringements.[26] Brexit negotiations provide a forum for the U.K. to work with other Member States to clarify the scope of data protection carve-outs. Britain should “concede” its data privacy independence during negotiations, but should work with the other Member States to push for a collective interpretation of the data privacy carve-outs. By presenting a united data privacy interpretation, all Member States can further their interest in limiting the ECJ’s discretion to interpret overbearing data privacy restrictions. In this way, the U.K. can leverage Brexit negotiations to optimize their data privacy policy.

            If the Brexit vote actually results in a British exit from the EU, the U.K. would initially retain its strong data privacy. Ideally, the British parliament would avoid any data privacy changes by legislating the GDPR into domestic law. Either way, British courts will remain bound by ECtHR decisions, and British courts have not shied away from enforcing personal data privacy rights against governmental infringement. While the ECJ held the DRD unconstitutional for lack of proportionality, U.K. courts independently found the DRD’s successor, the Data Protection and Investigatory Powers Act, to be “inconsistent with European Union law.”[27] Most recently, the British Investigatory Powers Tribunal found that British government bulk data collection policies “failed to comply with the ECHR principles” outlined in Article 8 establishing data privacy as a fundamental right.[28] Even if the U.K. leaves the EU, British courts will still safeguard citizen privacy rights.

            Nevertheless, Brexit will adversely affect British data privacy in two major ways. First, once Britain leaves the EU, it will lose the ability to influence EU standards defining the scope of data protection carve-outs. Second, Brexit opens the U.K. to the risks of political uncertainty. Brexit would leave Britain subject to EU data transfer approval as a “third country.”[29] While the U.K. will already have compliant regulations through the GDPR, Brexit creates the risk that the U.K. will adjust their data protection policies and attempt a “Privacy Shield” agreement modeled after the arrangement between the United States and the European Union.[30] Such an arrangement would likely prove politically popular, as a separate agreement would emphasize Britain’s independence and sovereignty. While a Privacy Shield agreement would likely only comprise a cosmetic change to U.K. citizens’ data privacy, negotiations open the door for political risk-taking. Political miscalculation during a “Privacy Shield” negotiation could diminish U.K. data privacy interests or temporarily shut off the flow of digital information from the EU.[31] Even short-term digital isolation would prove economically disastrous for the U.K.[32] In sum, Brexit would harm U.K. data privacy through a loss of leverage and through the creation of political risk.

 

Conclusion

            Britain’s best-case scenario for data privacy would be a negotiated agreement that allows the U.K. to remain within the EU and avoids Brexit. If Britain stays within the European regime, Britain should collaborate with other states to clarify the scope of data privacy exceptions for compelling sovereign interests. If Brexit transpires, the second-best scenario would be for the U.K. to adopt the GDPR into domestic law. This would allow the U.K. to protect against any privacy protection slippage and also would safeguard key economic interests in an open data-sharing regime. The third-best option, and the most likely in the event of a Brexit, would be for the U.K. to negotiate a “Privacy Shield” agreement with the EU. While a Privacy Shield agreement should not result in a significant deterioration of data privacy for U.K. citizens, it would create dangerous political uncertainty, which could lead to unpredictable outcomes.

The U.K. should mitigate the risk of Brexit by adopting the GDPR into domestic law immediately. If the U.K. meets their compliance obligations with the GDPR through independent legislative action transposing the GDPR into domestic law, the U.K. will already have the appropriate data privacy infrastructure in the event of a full Brexit. Britain can justify their legislative adoption of the GDPR as a means of demonstrating British independence: the U.K. would adopt the GDPR through its own sovereign process rather than accept the imposition of rules from a foreign multinational entity. Moreover, immediate implementation of the GDPR would give British courts time to begin interpreting the legislation, thereby allowing for the development of a precedential tradition and making the law appear more closely entwined with British sovereignty. The threat of Brexit has created tremendous uncertainty for the future of the United Kingdom, but immediate adoption of GDPR legislation will help ensure an optimal data privacy policy for British citizens in the years ahead.

 

[1] Chiara Rustici, Don’t Think That Brexit Will Save You From the EU Data Protection Rules, Computer Wkly (Mar. 2016), http://www.computerweekly.com/opinion/Dont-think-that-Brexit-will-save-you-from-the-EU-data-protection-rules.

[2] Claire Cain Miller, When Algorithms Discriminate, N.Y. Times (Jul. 9, 2015), https://www.nytimes.com/2015/07/10/upshot/when-algorithms-discriminate.html.

[3] Id.

[4] Kate Crawford, Artificial Intelligence’s White Guy Problem, N.Y. Times (Jun. 25, 2016), https://www.nytimes.com/2016/06/26/opinion/sunday/artificial-intelligences-white-guy-problem.html.

[5] Jessica L. Roberts, Protecting Privacy to Prevent Discrimination, 56 Wm. & Mary L. Rev. 2097, 2099 (2015).

[6] Council Regulation 2016/679, 2016 O.J. (L 119) (EU).

[7] Reform of EU Data Protection Rules, Eur. Comm’n (Aug. 2, 2016), http://ec.europa.eu/justice/data-protection/reform/index_en.htm; Vĕra Jourová, EU Data Protection Reform: What Benefits for Businesses in Europe?, Eur. Comm’n (Jan. 2016), http://ec.europa.eu/justice/data-protection/document/factsheets_2016/data-protection-factsheet_01a_en.pdf; Ali Qassim, Brexit from EU Wouldn’t Obviate Privacy Reg Mandates, Bloomberg BNA (Apr. 19, 2016), http://www.bna.com/brexit-eu-wouldnt-n57982069948.

[8] See Reform of EU Data Protection Rules, supra note 2.

[9] Consolidated Version of The Treaty on the Functioning of the European Union art. 288, May 9, 2008 O.J. (C 115) 171-72 [hereinafter TFEU], http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012E288&from=EN.

[10] Id. at art. 50.

[11] The EU General Data Protection Regulation, Allen & Overy 6, (2016), http://www.allenovery.com/SiteCollectionDocuments/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf.

[12] See Adam Lusher, Why is the EU Appointing a British Security Chief After Brexit?, Independent (Aug. 2, 2016), http://www.independent.co.uk/news/world/europe/brexit-eu-terrorism-security-commissioner-julian-king-appointment-eu-security-union-jean-calude-a7168046.html.

[13] See generally (General Data Protection Regulation) No. 5419/16, Apr. 6, 2016, art. 4(1), http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf.

[14] Id. at ¶ 16; Id. at art. 23.

[15] Id. at art. 23(1).

[16] European Convention on Human Rights, Nov. 4, 1950, Europ. T.S. No. 5, http://www.echr.coe.int/Documents/Convention_ENG.pdf.

[17] See General Data Protection Regulation, supra note 10 at art. 23(1). This exception for fundamental state interests is consistent with Article 8(2) of the ECHR, European Convention on Human Rights, supra note 11. See also Internet: Case-Law of the European Court of Human Rights, E.C.H.R. (June 2015), http://www.echr.coe.int/Documents/Research_report_internet_ENG.pdf.

[18] Judgment Joined Cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for Home Department v Tom Watson and Others, Press Release No. 145/16, ECJ, Dec. 21, 2016; see also Advocate General’s Opinion in Joined Cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for Home Department v Tom Watson and Others, Press Release No. 79/16, ECJ, Jul. 19, 2016, [hereinafter “Advocate General’s Preliminary Opinion”], http://curia.europa.eu/jcms/upload/docs/application/pdf/2016-07/cp160079en.pdf (describing preliminary decision).

[19] Digital Rights Ireland, Seitlinger and Others, Joined Cases C-293/12 and C-594/12 (Apr. 8, 2014), http://curia.europa.eu/juris/documents.jsf?num=C-293/12; The Court of Justice declares the Data Retention Directive to be invalid, ECJ, No. 54/14, Apr. 8, 2016, http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf.

[20] Stefan Kadelbach, Charter of Fundamental Rights of the European Union (2000), in Max Planck Encyclopedia Pub. Int’l L. 1864, http://opil.ouplaw.com.

[21] No. 54934/00, 29 June 2006.

[22] No. 58243/00, 1/10/2008.

[23] Directorate-General for Internal Policies, National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law, Eur. Parliament, 30, Oct. 2013, http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/493032/IPOL-LIBE_ET(2013)493032_EN.pdf. While the ECtHR plans to consider blanket surveillance conducted by the U.K. in collaboration with the United States, this decision is unlikely to change the Court’s procedural standards. See Ryan Gallagher, Europe’s Top Human Rights Court Will Consider Legality of Surveillance Exposed by Edward Snowden, Intercept (Sep. 30, 2016, 1:16 P.M.), https://theintercept.com/2016/09/30/echr-nsa-gchq-snowden-surveillance-privacy. U.K. Courts have already ruled the behavior to comprise a compliance failure with the ECHR, and the ECtHR has little incentive to go further. See Privacy International v. Secretary of State for Foreign and Commonwealth Affairs, [2016] UKIPTrib 15_110-CH ¶84, (U.K.), http://www.ipt-uk.com/docs/Bulk_Data_Judgment.pdf.

[24] Explanatory Memorandum, Republique Fr., https://www.republique-numerique.fr/pages/digital-republic-bill-rationale.

[25] Parliament Adopts the Intelligence Bill, Republique Fr. (Jun. 30, 2015), http://www.gouvernement.fr/en/parliament-adopts-the-intelligence-bill. For concerns about the scope of the privacy tradeoffs, see Privacy Int’l, The Right to Privacy in France, Privacy Int’l (June-July 2015), https://www.privacyinternational.org/sites/default/files/PI%20submission%20France.pdf.

[26] See, e.g., Amar Toor, France and Germany want Europe to crack down on encryption, Verge (Aug. 24, 2016, 6:22 AM), http://www.theverge.com/2016/8/24/12621834/france-germany-encryption-terorrism-eu-telegram.

[27] David Davis & Ors v. Secretary of State for the Home Department, 2015 E.W.H.C. 2092 ¶144 (Admin) (U.K.), https://www.judiciary.gov.uk/wp-content/uploads/2015/07/davis_judgment.pdf.

[28] Privacy International v. Secretary of State for Foreign and Commonwealth Affairs, [2016] UKIPTrib 15_110-CH ¶84, (U.K.), http://www.ipt-uk.com/docs/Bulk_Data_Judgment.pdf.

[29] (General Data Protection Regulation) No. 5419/16, Apr. 6, 2016, art. 45, http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf; Lokke Moerel & Ronan Tigner, Brexit: Data Protection Implications, Morrison Foerster (Jun. 27, 2016), https://media2.mofo.com/documents/160627brexitdata.pdf.

[30] The EU-U.S. Privacy Shield, U.S. Dep’t Comm. (Jul. 25, 2016, 2:28 PM), https://www.commerce.gov/page/eu-us-privacy-shield.

[31] General Data Protection Regulation, art. 3(2).

[32] Ali Qassim, Brexit from EU Wouldn’t Obviate Privacy Reg Mandates, Bloomberg BNA (Apr. 19, 2016), http://www.bna.com/brexit-eu-wouldnt-n57982069948.