• Menu
  • Skip to right header navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

EU BARRISTER

Header Right

Tel: 020 7993 7642

  • UK / Domestic / Brexit Law
  • EU / International Law
  • About Abigail Holt
  • Blog
  • Contact
  • UK / Domestic / Brexit Law
  • EU / International Law
  • About Abigail Holt
  • Blog
  • Contact

Header Right

Tel: 020 7993 7642

GDPR

August 25, 2019 //  by Abigail Holt

On 25 August 2019 the Guardian newspaper reported that a No-deal Brexit will ‘instantly disrupt’ the UK’s role as £174bn global data hub. The article is based on a “Brexit Insights” paper from University College London’s European Institute.

The GDPR directive protects personal data in a way that protects privacy, security and allows for appropriate economic activity. The GDPR directive has direct effect and has been transposed into UK law by the Data Protection Act 2018.  In the UK the directive is enforced by the Information Commissioners Office (IOC). The IOC’s “teeth” bite with heavy and painful fines.

Consequently, the current UK legislation and IOC regulation protects privacy and private data giving effect to the values enshrined in the Charter of Fundamental Rights of the European Union, particularly article 1 which declares that human dignity is inviolable, article 7 requires respect for private and family life and article 8 which gives protection of personal data: (1) Everyone has the right to the protection of personal data concerning him or her. (2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (3) Compliance with these rules shall be subject to control by an independent authority. In short, data protection is part of the EU constitutional order and the right to protection has been robustly defended by the Court of Justice of the European Union (CJEU).

A huge number of businesses and enterprises depend upon the movement of personal data across international borders in order to function; particularly service industries such as finance, banking, retail and hospitality (Patel and Lea say that 79% of the UK economy is dependent upon services). Digital technology companies are particularly reliant on international free data flow in circumstances whereby the digital technology sector is of pivotal importance to economic growth. Given that the rationale for Brexit is said to be enhanced international trading opportunities, it is ironic that the data-dependent services sector is acutely vulnerable to uncertainty by disruption of their life-blood data circulation post-Brexit.

The effects of Brexit playing out in relation to data protection are, unsurprisingly, dependent upon whether or not the withdrawal agreement negotiated by Mrs May’s government, or a different draft which would have to have been agreed before the end of October by Mr Johnson’s government, is in fact ratified; so-called “soft” Brexit. In the event of ratification of either the May or a Johnson withdrawal agreement, then after the end of October 2019 the UK will no longer be an EU “member state” and will become a “third country”, in the terminology of the EU. If there is ratification of a withdrawal agreement, however, then this will at least create a period of transition which would allow for the UK and EU27 to investigate, negotiate and potentially settle a new UK-EU treaty dealing with data flow and concomitant protection. 

In the alternative, if it transpires that there is no ratification of any withdrawal agreement and a “cliff edge” or “hard” Brexit occurs, then the sudden transformation of the UK in the eyes of the EU to third country status will cause significant legal, economic, political and social disturbance and interruption. The current free flow of data is likely to be immediately obstructed, generating all manner of unpredicted knock-on effects which are likely to adversely affect service industries engaged in cross-border activity and trade. 

In either the “hard” or “soft” Brexit scenario, the immediate problem will not be data flow interactions moving from the UK to the EU, but in the opposite direction from the 27 EU member states to the UK. Application of EU legal norms will dictate that data can only move to the UK if the UK complies with EU law and with the additional rules applying to third countries. 

The mechanisms whereby the EU ensures that data protection standards are respected by third countries include adequacy decisions. Adequacy decisions have been summarised as “the EU’s way of ‘protecting the rights of EU citizens by insisting upon a high standard of data protection in foreign countries where their data will be processed’”. The EU currently has adequacy decisions with 13 third countries and, entirely predictably, the European Commission investigates and assesses whether the third country’s data protection laws are sufficient and acceptable according to EU legal criteria. Thus, the balance of power is with the EU who can determine who can enjoy the economic advantages of unhindered data flows through the vehicle of adequacy decisions. Also entirely predictably, the adequacy assessment process is hugely complicated and inevitably involves significant administrative time and resources. 

From the perspective of the EU 27, the most sensitive and difficult element of the adequacy decision process is the enforcement of EU data protection legal standards and controlling onward transfers of data from a third country with whom it has an agreement to other third countries outside its sphere of control. Obviously, the EU cannot enforce its rules in foreign jurisdictions. Once personal data has travelled out of the EU to a third country then the EU loses power over how the data can be controlled and whether it is forwarded across other international borders in onwards transfers. Therefore, the only mechanism that the EU can use to protect the forwarding of EU citizens’ sensitive personal data is by being able to rely upon the agreeing third country’s judicial systems and regulatory bodies to respect and police EU legal norms and standards to preserve the protection afforded to EU citizens. 

Immediately after Brexit, the starting point vis a vis the EU is that the UK domestic data regulation system is likely to be considered to be high. However, the EU will be obliged by its own rules to assess particularly how EU citizens’ data is to be dealt with when there is a risk that it will be transferred onwards beyond the UK. 

Nonetheless, if, post-Brexit, there is no country-wide adequacy agreement between the UK and the EU, then there is still the possibility of entities in the EU being able to transfer data legally to entities in the UK. However additional safeguards will have to be put in place by the individual organisations involved which will generate an additional administrative burden for that entity. In effect, the UK-based entities risk being forced to “re-invent the wheel” on an individual, case-by-case basis according to the EU’s rules if they want to continue to benefit from receiving EU-origin personal data.      

In summary, whether hard or soft, Brexit seems most likely to generate uncertainty, disruption of dataflows and generate additional bureaucratic obstacles. This will be particularly challenging for small and medium-sized enterprises who will find it more difficult to absorb the additional layer of administration.

Category: EU Law

About Abigail Holt

Abigail Holt is a Barrister based in Manchester with expertise in negligence/tort cases, health, disease, medical issues and EU law as it applies to UK and EU citizens alike. She is passionate about bolstering the rule of law via European and international norms and standards, enhanced by increased diversity in the legal professions. She builds resilience by endurance swimming and switches off by learning Spanish and French. She is part of several networks of European lawyers and judges.

Previous Post: « May 2019’s European Circuit Event was a Huge Success!
Next Post: Litigate! Or Mediate and Move on? »

Primary Sidebar

Contact

Please keep your message concise. You have a maximum of 400 words.

Recent Posts

  • EU-UK Negotiations for a future agreement – Observations after the 3rd and 4th round of negotiations and the High Level Meeting
  • A European Union of Citizens: Will UK nationals retain EU Citizenship?
  • ALL CHANGE! Statements of truth and foreign language speakers
  • C-19, Online Courts And The Future of Justice
  • Invisible killers. C-19 and lessons from the slow-burn asbestos scandal.

Categories

  • Brexit
  • EU Citizens' Rights
  • EU Law
  • Health
  • Health & Safety
  • Industrial Disease
  • International Trade Law
  • Legal Profession
  • Mediation and ADR
  • News
  • Procedure

Footer

Quick Links

  • About Abigail Holt
  • Blog
  • Covid Timeline
  • European and International Law Services
  • Industrial Disease, Medical Negligence and Personal Injury Services
  • Privacy Policy
  • Terms of Use

Latest from the blog

  • EU-UK Negotiations for a future agreement – Observations after the 3rd and 4th round of negotiations and the High Level Meeting
  • A European Union of Citizens: Will UK nationals retain EU Citizenship?
  • ALL CHANGE! Statements of truth and foreign language speakers
  • C-19, Online Courts And The Future of Justice
  • Invisible killers. C-19 and lessons from the slow-burn asbestos scandal.

Contact Details

EU Barrister Abigail Holt via Emma Manning,
Garden Court Chambers,
57-60 Lincoln’s Inn Fields,
London,
WC2A 3LJ.

Send a message via the contact form or email emmam@gclaw.co.uk

Tel: 020 7993 7642

© EU Barrister 2019-2020

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
SAVE & ACCEPT