Blog Post

Post-Brexit transfers of personal data: The clock is ticking

The UK government would like to keep EU-UK data transfers largely the same following the country's separation from the EU. But talks have yet to even commence on a future data-sharing relationship, and a landmark European Court of Human Rights ruling in September bodes poorly for the UK's future status under the EU’s General Data Protection Regulation.

By: Date: November 7, 2018 Topic: European Macroeconomics & Governance

The UK economy is closely integrated with that of the rest of the EU. One need only consider the number of UK firms with branches in the EU27, and the number of EU27 firms with branches in the UK, to realise that data interchange is of vital economic importance.

Assuming that the UK indeed leaves the EU as a result of the Brexit referendum of June 23rd 2016, transfers of personal data from the EU27 to the UK may become problematic. This problem has long been recognised, but the associated risks have increased markedly in the past few weeks. Aside from the obvious risks associated with the UK “crashing out” with no agreement at all in place, newly visible developments include:

In its “Chequers” White Paper, the UK Government called not only for an Adequacy Decision to permit personal data to be transferred in both directions largely as it is today, but also for a close integration of the UK into the ongoing evolution of EU27 privacy policy. The developments noted above call into question whether this is a realistic hope in the limited time remaining.

The disruption of the UK “crashing out” with no agreement in place would likely be severe.

The linkage between data transfers and surveillance for purposes of national security

The UK has already implemented the EU’s General Data Protection Regulation (GDPR) in UK national law. Prime Minister Theresa May has rightly claimed that the UK has “exceptionally high standards of data protection”. This is all well and good, but it is not sufficient to ensure continued transfer of personal data to the UK post-Brexit.

For the UK to no longer be an EU or EEA Member State would raise issues that previously emerged in a case brought by Austrian privacy activist Maximilian Schrems. A European Court of Justice (ECJ) ruling on October 6th 2015[1] invalidated data transfers from the EU to the US under a Safe Harbour agreement that had existed since July 2000. The finding was that the personal data of EU users is not adequately protected when it is transferred to the US from the EU because US firms make the data available to the US National Security Agency (NSA), for which the Safe Harbour protections are either unavailable or irrelevant.[2]

As long as the UK is an EU Member State, transfers of personally identifiable data to the UK are governed by Article 23 of the GDPR, which permits Member States to take liberties with data protection and data transfers when doing so “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard … national security”. If the UK were no longer an EU (or EEA) Member State, the UK would become a third country relative to the GDPR, and transfers of personal data would instead be governed by Articles 45 through 49 of the GDPR. Article 45 of the GDPR is consistent with the Schrems Decision, but it establishes a much higher threshold for transfers of personal data.

In order to establish an adequacy decision (the GDPR equivalent of Safe Harbour), the European Commission would be obliged to take account of “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data”. In light of GCHQ activities, the UK would be unlikely to get a free ride.

Even if there were strong economic and political grounds to do so, these privacy issues cannot simply be waved away. In the EU, privacy is treated as a human right under the European Convention on Human Rights. It is not easy to grant administrative latitude to the enforcement of a human right.

What sequence of events is likely?

Prior to the developments of the past few weeks, one might have expected the following sequence of events:

  • Brexit takes place in some form other than EEA membership (unfortunately):
  • The Commission grants an Adequacy Decision permitting EU27 personal data to be shared with parties in the EU).
  • An appeal similar to the Schrems case is filed and works its way up to the ECJ.
  • The ECJ rules as they did in Schrems, thus invalidating the Adequacy Decision, but probably allowing the UK and the EU27 time to put other arrangements in place.
  • There would then be the risk that data transfers would be blocked until and unless an agreement analogous to Privacy Shield[3] were negotiated between the UK and the EU27. The agreement would ideally be better structured than Privacy Shield, which has not yet been shown to be effective.

In light of the September 13th finding of the ECHR, one has to wonder whether it will still be possible for the Commission to issue the Adequacy Decision that appears in the second bullet. Recall that the ECHR found the UK guilty of abuse of human rights in September due to its overbearing surveillance. Under these circumstances, the Commission may not be able to grant the Adequacy Decision; having granted it, there is no assurance that it would be sustained.

As previously mentioned, in granting an Adequacy Decision the Commission is obliged under Article 45 of GDPR to take into account “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country”.

Given that ECHR has already ruled that the UK’s surveillance services are in violation of Articles 8 and 10 of the European Convention on Human Rights, can the Commission grant the Adequacy Decision in the absence of concrete commitments from the UK security establishment?

The Adequacy Decision entails a complex procedure consisting of (1) a proposal from the European Commission, (2) an opinion of the of the European Data Protection Board, (3) an approval from representatives of EU countries, and (4) the adoption of the decision by the European commissioners. This presumably cannot take place overnight.

Even after the Adequacy Decision is in place, it might or might not be sustainable. The European Parliament and the Council could at any time request that the European Commission amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation. In the absence of concrete commitments from the UK security establishment, the Parliament would likely have concerns over an Adequacy Decision.

Aside from that, a case similar to the Schrems case should be expected. In the absence of changes on the part of the UK security establishment, a similar ECJ outcome should be expected.

Implications

This seems to be headed for a rather bad place. In the unlikely event that the UK were to become an EEA member (or were it not to exit at all), all of this could be avoided. In all other scenarios, and especially in the “crashing out” scenario, problems with data transfers appear highly likely.

This is in nobody’s interest. It would harm both the UK and the EU27 economies.

These problems are not amenable to a quick fix through legislative or administrative measures. Most probably needed are some actual accommodations in the manner in which the UK conducts surveillance for purposes of national security.

The ECHR did not argue that surveillance is prohibited per se; what they argued, rather, is that it must be subject to a range of procedures and protections, as established in the case law. Notably, the ECHR “was satisfied that the intelligence services of the United Kingdom take their Convention obligations seriously and are not abusing their powers, [but] it found that there was inadequate independent oversight of the selection and search processes involved in the operation, in particular when it came to selecting the Internet bearers for interception and choosing the selectors and search criteria used to filter and select intercepted communications for examination. Furthermore, there were no real safeguards applicable to the selection of related communications data for examination, even though this data could reveal a great deal about a person’s habits and contacts.”

If the UK is to avoid economically harmful limitations to its ability to transfer personal data to the EU27, UK security services should be working now to consider undertakings that the UK would be willing to offer in order to address the concerns that the ECHR has already raised.[4]

References

[1] As the ECJ’s press release notes, “United States public authorities are not themselves subject to [the safe harbour agreement]. Furthermore, national security, public interest and law enforcement

requirements of the United States prevail over the safe harbour scheme, so that United States

undertakings are bound to disregard, without limitation, the protective rules laid down by that

scheme where they conflict with such requirements. … ” An additional concern was that “the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and … rectified or erased.” See http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf. The decision itself appears at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62014CJ0362.

[2] See also J. Scott Marcus and Georgios Petropoulos (2016) ‘Data transfers under the threat of terrorist attacks’, Bruegel.

[3] See J. Scott Marcus and Georgios Petropoulos (2016) ‘Data transfers under the threat of terrorist attacks’, Bruegel.

[4] There may be implications for EU27 security services as well under the UK equivalent of the GDPR, but these seem less immediate at the moment.

 


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.

View comments
Read article More on this topic More by this author

Podcast

Podcast

Backstage: How think-tanks can make themselves heard in an information-rich world

Think-tanks have come a long way since their organisational blueprint was first conceived, but they have work to do in order to adapt to meet the needs of both policymakers and the general public, and transmit their signals above the noise of the modern age.

By: The Sound of Economics Topic: Global Economics & Governance Date: November 8, 2018
Read article More on this topic More by this author

Podcast

Podcast

Director’s Cut: Options yet open for a Brexit deal

Robin Niblett, director of Chatham House institute, joins Bruegel deputy director Maria Demertzis for an assessment of what progress can be reasonably expected from the final months of the Brexit negotiations.

By: The Sound of Economics Topic: European Macroeconomics & Governance Date: November 7, 2018
Read about event

Past Event

Past Event

Global Think Tank Summit 2018

The public session of the Global Think Tank Summit will discuss trade and fair global competition

Speakers: Edward Kofi Anan Brown, Aart de Geus, Zhao Hai, Jacob Funk Kirkegaard, Cecilia Malmström, Catherine McBride, James McGann, Jan Mischke, Izumi Ohno and Guntram B. Wolff Topic: Energy & Climate, Global Economics & Governance Location: Bozar, Rue Ravenstein 23, 1000 Bruxelles Date: November 7, 2018
Read article More on this topic More by this author

Blog Post

The international use of the euro: What can we learn from past examples of currency internationalisation?

The recent State of the Union speech by Jean-Claude Juncker sparked a discussion about the potential wider use of the euro on the international stage. Historically, it is not the first debate of this kind. Emmanuel Mourlon-Druol analyses four previous cases of debates on international currencies to reveal the different scenarios associated with their greater use, as well as the need to have a clear objective for a currency’s internationalisation.

By: Emmanuel Mourlon-Druol Topic: European Macroeconomics & Governance Date: October 15, 2018
Read article More on this topic

Blog Post

Improving the efficiency and legitimacy of the EU: A bottom-up approach

The 2019 European elections promise to be a watershed moment for the EU. A recent Bruegel paper made the case for restructuring the Union’s model of governance and integration. The authors of this post critically assess this proposed institutional engineering, and argue for the principle of “an ever closer union” to be safeguarded by a bottom-up approach to respond to the common needs of the citizens.

By: Silvia Merler, Simone Tagliapietra and Alessio Terzi Topic: European Macroeconomics & Governance Date: October 9, 2018
Read article More on this topic

Blog Post

Italy’s new fiscal plans: the options of the European Commission

The Italian government has announced an increase of its deficit for 2019, breaking the commitment from the previous government to decrease it to 0.8% next year. This blog post explores the options for the European Commission and the procedures prescribed by the European fiscal framework in this case.

By: Grégory Claeys and Antoine Mathieu Collin Topic: European Macroeconomics & Governance Date: October 8, 2018
Read article More on this topic More by this author

Blog Post

Digesting the Salzburg Summit

As the moment of truth for Brexit negotiations is approaching, with the October European Council around the corner, we review opinions on the outcome and meaning of the Salzburg summit.

By: Silvia Merler Topic: European Macroeconomics & Governance Date: October 1, 2018
Read article More on this topic More by this author

Blog Post

Something Putin and Juncker appear to agree on – the euro

“It is absurd that Europe pays for 80% of its energy import bill – worth €300 billion a year – in US dollars when only roughly 2% of our energy imports come from the United States,” said President Juncker in his state of the union speech.* Europe’s largest supplier of energy – Russia, who accounts for a third of that bill – couldn’t agree more. Russia’s offer to switch to euros in trade with the EU will likely be costly to implement, but the US switch towards unilateralism is forcing its long-standing partners to question the dollar’s global dominance.

By: Elina Ribakova Topic: European Macroeconomics & Governance Date: September 25, 2018
Read article More on this topic More by this author

Podcast

Podcast

Backstage: Brexit consequences for EU’s ICT policy

Bruegel senior fellow Scott Marcus welcomes former European Regulators Group chairman Kip Meek to explore the consequences of Brexit for ICT policy-making in Europe.

By: The Sound of Economics Topic: European Macroeconomics & Governance Date: September 25, 2018
Read article More by this author

Parliamentary Testimony

European Parliament

Brexit and industry & space policy

Testimony before the European Parliament's Committee on Industry, Research and Energy (ITRE).

By: Reinhilde Veugelers Topic: European Parliament, Innovation & Competition Policy, Testimonies Date: September 25, 2018
Read article Download PDF More on this topic

Policy Contribution

The macroeconomic implications of healthcare

Health-care systems play a crucial role in supporting human health. They also have major macroeconomic implications, an aspect that is not always properly acknowledged. Using a standard method to measure efficiency, data envelopment analysis (DEA), the authors find significant differences between countries. This finding calls for policy responses.

By: Zsolt Darvas, Nicolas Moës, Yana Myachenkova and David Pichler Topic: European Macroeconomics & Governance Date: August 23, 2018
Read article More on this topic

Opinion

Europe should avoid a no-deal Brexit

The UK government finally tabled a serious proposal for the country’s future relationship with the European Union (EU). The White Paper puts the ball in the EU court as it now has to say what kind of relationship it wants to establish with its neighbour.

By: Jean Pisani-Ferry, Norbert Röttgen, André Sapir, Paul Tucker and Guntram B. Wolff Topic: European Macroeconomics & Governance Date: July 24, 2018
Load more posts