Saturday, 26 August 2017

HMG's Exchange and Protection of Personal Data Position Paper

Jane Lambert

Even though it has absolutely nothing to do with the rights of citizens of the remaining member states in the UK or those of British citizens in the remaining member states, the Irish border or our residual financial commitments to the EU budget, which are the subject of the present art 50 negotiations, our government has published a position paper entitled The exchange and protection of personal data. The paper discusses how the UK could continue to cooperate with the Commission and the supervisory authorities of the other member states on data protection if and when it leaves the EU in March 2019.

The government's thinking is not hard to discern. Despite attempts by the Coalition and Conservative Governments to rebalance the British economy since 2010, it remains overwhelmingly services-orientated. Financial services are particularly important to the United Kingdom and these depend on the free flow of personal data. If and when we leave the European Union, the General Data Protection Regulation will cease to apply to us and we shall become a "third country" for the purposes of the Regulation.

Art 44 of the Regulation would then apply:
"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."
In other words, the unrestricted flow of personal data between financial institutions in the UK and their customers, suppliers and partners in the remaining EU member states, which is the lifeblood of the banking, insurance, fintech and so many other industries, ceases unless and insofar as the provisions of Chapter V of the Regulation can be met.

The position paper seems to be a response to art 44 of the Regulation. Paragraph 4 of the paper states:
"After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal."
Paragraph 6 emphasizes the UK's vulnerability in this regard:
"Estimates suggest that around 43 per cent of all large EU digital companies are started in the UK, and that 75 per cent of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries, and has an economy dominated by service sectors in which data and data flows are increasingly vital. The UK accounted for 11.5 per cent of global cross-border data flows in 2015, compared with 3.9 per cent of global GDP and 0.9 per cent of global population, but the value of data flows to the whole economy and the whole of society are greater still."
As the next paragraph notes, any disruption of cross-channel data flows would harm both the UK and the remaining member states, but it would harm the UK more because financial services are so important to this country. Moreover, disruption of data flows between London and the rest of the EU might be the ill wind that diverts business and investment from London to continental financial centres and Dublin.

The paper is very short - some 15 pages including the covers. The first 4 paragraphs are an executive summary. The next 5 are an introduction which stresses the importance of transborder data flows for financial services and security cooperation. The following 3, headed "Context", explain why states need data protection laws. The paper traces the UK's commitment to data protection back to Younger, though it omits to mention that a major incentive to implement our own data protection legislation was the refusal of the Swedish data protection authority on 12 April 1974 to allow a Swedish local authority to transmit health and social security records to a British company that had contracted to supply plastic identity tags. The next four paragraphs summarize the General Data Protection Regulation and the Data Protection Directive and the UK's plan to continue the protection afforded by that legislation with a new Data Protection Bill (see my article What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 NIPC Brexit). Other international arrangements for data protection such as the Council of Europe Convention and the OECD Guidelines on Transborder Data Flows are discussed in paragraphs 17 and 18.

The really interesting bits of the paper are paragraphs 19 and 22, which outline the UK's objectives. Paragraph 21 states that it is the UK’s ambition to remain a global leader on data protection, by promoting both the flow of data internationally and appropriate high levels of data protection rules, and paragraph 22 explains why:
"as the UK and the EU build a new, deep and special partnership, it is essential that we agree a UK-EU model for exchanging and protecting personal data, that:
  • maintains the free flow of personal data between the UK and the EU; 
  • offers sufficient stability and confidence for businesses, public authorities and individuals; 
  • provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection; 
  • continues to protect the privacy of individuals; 
  • respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection; 
  • does not impose unnecessary additional costs to business; and 
  • is based on objective consideration of evidence."
The remainder of the paper discusses the close cooperation between the Information Commissioner and her opposite numbers elsewhere and the undoubted advantages of maintaining that cooperation. Realistically, the paper also includes an annexe on how businesses can comply with Chapter V of the Regulation if there is no UK-EU model, but observes that this would be much more burdensome for business than somehow finding a way to continue the existing arrangements.

The paper shows that a UK-EU model for exchanging and protecting personal data is something that the British need badly from the art 50 negotiations. It is not yet on the formal agenda and if I were advising Michel Barnier and his team I would not be in a hurry to put it on the agenda unless and until we see some movement on the rights of citizens at least equivalent to those of investors in bilateral investment treaties and maybe a little bit more money into the divorce settlement.

Should anyone wish to discuss this article or data protection law generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.
