Brexit may (or may not) become a reality on Saturday, but even if the UK Parliament does approve the deal, it will not settle the issue of how data protection laws will operate. “There is an assessment that needs to be done after Brexit on whether we need GDPR 2.0,” said Maarten Stassen, partner in the Brussels office of corporate law firm Crowell and Moring.
He was speaking at an event run by the firm, which is acting for Marriott in the ICO data breach issue, that was considering GDPR one year on under the title, “The ICO bares its (sharp) teeth”. According to Stassen, “a lot of companies have spent time, effort and money on being compliant, but often that was a tick box exercise around consent.”
The discussion pulled out two key areas that may require further legislation. The first is around how consent operates in the new realms of data-driven technology, like AI. He pointed to a recent case in Denmark where a school had introduced facial recognition to identify children and monitor who was attending each day. Although they were given the opportunity to opt out, Stassen noted that, “the authority said that is not valid consent, it is not proportionate and it needs to use less intrusive technology.”
In a case in Belgium relating to a retail loyalty card, customers were asked for their e-ID to sign up. “That was ruled not valid because there was no other way to get the card except with consent,” he explained. “We need to step back and look at GDPR again.”
International data transfers are the other major issue facing UK data controllers. As soon as Brexit happens, the UK becomes a third country and any data being transferred from the EU is no longer legitimate without additional measures from 31st December 2020 (or potentially two years after that). A no-deal Brexit would end legal data transfers from the EU into the UK on 1st November this year. Transfers to the EU are not affected.
What is required is an adequacy ruling by the European Commission which recognises that UK data protection laws offer European citizens the same level of cover as GDPR. This is not as straightforward as may be assumed. For one thing, there is a queue of countries requesting similar rulings and the UK will have to wait in line.
For another, the same basis on which Safe Harbour was successfully challenged in the European Court of Justice - that US national intelligence services had too much access to personal data - could see the UK’s Data Protection Act subject to a lawsuit in the ECJ.
Robert Holleyman, partner in the Washington office of Crowell and Moring, pointed at the recent experience of Japan. “The EU has put Japan into an equivalency process for one year and will grant it adequacy once it has changed its laws. The UK has more extensive national intelligence processes than Japan, based on public domain information, which could prove to be much more of an issue.”