At the moment the media, political parties and the legal establishment are all focussed on the big questions of Brexit. What happens to the Northern Ireland border? What does Brexit mean for farmers? And what does it mean for the future of the Nations and regions of the UK? However, potentially the most problematic aspects of Brexit are not the big issues but the small technical details: too small to merit day-to-day attention but too important to be left to float on the tides of the Brexit seas.
One such issue is potentially data transfers between the UK and the EU after Brexit. Although not as immediate or striking as the Irish border issue, nor as politically engaging as the issue of devolution and Brexit, this has the potential to derail UK trade post Brexit across every sector of the economy from finance to manufacturing by way of education, agriculture, and media and entertainment. The reason for such a potentially catastrophic outcome is that, as first observed by Clive Humby, the architect of Tesco’s Clubcard scheme, in 2006 and oft repeated since, “data is the new oil”.
Much like the flow of oil which was the driver of globalisation in the 20th century, data is the essential ingredient of every business in the information age of the 21st century. Every business, no matter how large or small, has customer or subscriber databases; digital account, logistics, and stock management software; and business analytics. Many businesses are built around the refining of personal data and trade only in digital oil. Modern banking is essentially a data management operation with data representing investments of billions of dollars.
Thus for the UK to continue to play a leading role on the world stage we must trade data seamlessly with our trading partners including the EU. The UK Government is confident that our implementation of the General Data Protection Regulation (GDPR) will ensure that flow continues unhindered post Brexit. In their working paper The Exchange and Protection of Personal Data the DExEU state that
“Given that the UK will be compliant with EU data protection law and wider global data protection standards on exit…the UK believes that a UK-EU model for exchanging and protecting personal data could provide for regulatory cooperation and ongoing certainty for businesses and public authorities.”
In the same document, the DExEU states that they are seeking an adequacy ruling under what will be Art.45 GDPR, or at the very least something “which could build on the existing adequacy model”.
However, the adequacy path may not be as simple to navigate as the DExEU imagines. It is not clear that the UK will be “compliant with EU data protection law…on exit”. The EU institutions will no longer form part of the UK’s legal and constitutional framework and thus institutions such as the Commission and the Court of Justice will have no direct authority (unless the UK accedes to CJEU oversight). The UK will also no longer be a member of the new European Data Protection Board (EDPB), for the Board is “composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives” (GDPR, Art 68(3)).
More importantly, though, the UK will leave the EU Charter of Fundamental Rights on Brexit, for as Cl.5(4) of the European Union (Withdrawal) Bill clearly states, “The Charter of Fundamental Rights is not part of domestic law on or after exit day.” The Government seems to believe this is unproblematic for an adequacy ruling, presumably on the basis that we will remain a member state of the European Convention on Human Rights and will remain subject to the right to privacy.
However, there is no equivalent in the ECHR to Article 8 of the EU Charter (the right to the protection of personal data). This leads to the conclusion that there will no longer be a fundamental right to data protection in the UK post-Brexit and this is something which cannot be remedied through domestic legal settlements short of a British Bill of Rights, and even then perhaps not so if Parliament retains sovereignty to amend or repeal these rights by normal Parliamentary procedures. This implies that EU citizens residing in the UK will not be able to rely on their Charter right, whereas EU citizens in EU Member States will be able to do so. This is more than a semantic difference as the UK seemingly seeks a hard Brexit beyond the jurisdiction of the ECJ and quite possibly the EFTA Court.
Although it may be argued that our membership of the ECHR may shelter the UK in this regard by applying the expansive interpretation of personal S and Marper v the United Kingdom that “The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8”, this argument is undermined by the fact that rights under Article 8 of the ECHR are not clearly of horizontal effect and therefore may not be said to be equivalent to the Article 8 right under the EU Charter.
Ultimately we must conclude that it is folly to assume that the UK’s legal framework guarantees an adequacy ruling merely by the implementation of the GDPR through domestic legislation. Further, even if by 29 March 2019 an agreement on data transfers has been reached, we cannot assume that position would remain in effect indefinitely given the responsibility of the Commission ‘to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified’, as they are required to do by the Schrems decision.
It is just possible that at some point beyond Brexit Day the digital oil may stop flowing. This would be disastrous for all sectors of the UK economy.