GDPR: Will the UK be able to gain adequacy status?
The Data Protection Bill is now before Parliament. It will repeal the Data Protection Act 1998 and implement the General Data Protection Regulation in the UK. This, in the Government’s view, will give the UK parity in its privacy laws with the European Union.
Once outside the EU, it is important that the UK is recognised by the European Commission as having adequate protections in place in order to continue to have free movement of data throughout the Union. It is the Commission that makes the final decision on adequacy status.
And this is where the problem lies.
It is the view of the EC that the UK has not fully implemented the EU Directive 95/46/EC that led to the Data Protection Act 1998. There were more than 20 problems identified by the EC in 2005, which led them to declare the implementation of the Directive as deficient. Some of these issues remain unresolved and are regarded as serious deficiencies.
As the UK is a member of the EU these deficiencies, whilst not overlooked, will not stop this country from being part of the ‘single market’ for data transfers. However, once we have left the EU then the Commission will have to decide whether the new Data Protection Bill sufficiently addresses these issues. If the EC decides that it does not then the UK cannot meet the adequacy test and data transfers between this country and member states would become unlawful in most cases.
There are also concerns about the extensive powers of the security services and especially the Investigatory Powers Act 2016. The provisions of this Act, such as the mass retention of data, seem incompatible with the provisions of GDPR. This is an issue of great concern to other EU member states, especially Germany, who are also concerned about the non-EU Governments and agencies with whom the UK shares it’s data.
Further down the line, the issue of who decides on case law is bound to create conflicts. GDPR cases will be decided by the European Courts of Justice (CJEU) and the UK has declared that we will not be subject to the jurisdiction of the CJEU from the day we leave the EU. If a point of law is decided in Brussels after that date, how can the UK claim to have compatible laws and therefore adequacy status?
Finally, we should not underestimate the cultural and historical differences that exist between the UK and the continent. As I alluded to earlier, there is a certain amount of grumbling tolerance that has been afforded to Britain’s position on implementing the previous directive whilst we are a member of the club. This protection, such as it is, will not exist after Brexit. Countries like Germany and Spain, who have a history of authoritarian regimes misusing the personal data of citizens in order to oppress them, are much more serious about privacy protection.
Tolerance may well be in short supply after a stressful period of testy Brexit negotiations. In such circumstances it is not inconceivable that the European Commission will decide that the UK’s implementation of GDPR is defective and not adequate.