Someone asked me on Twitter how the repeal of the Human Rights Act in the UK would affect an adequacy decision for UK data transfers. It is simpler to blog about it than try to squeeze the answer into numerous tweets, so here goes…
For all this talk about Brexit, many people forget that the General Data Protection Regulation will be automatically enforceable in all EU member states in May 2018. There is no “opt-in”. Subject to the outcome of the apeal to the Supreme Court in December, the UK government or Parliament will issue notice to leave the EU under article 50 in spring 2017 onwards. The government will probably take the full two years to negotiate terms of exit. Thus, the UK will still be an EU member state by the time GDPR applies so it will apply in UK too before Brexit.
Parliament will pass the Great Repeal Bill to repeal the European Communities Act which at present effectively gives supremacy to EU law in the UK. To save having to write UK versions of many EU laws all at once, it is likely the GRB will preserve all of them, including GDPR, until they are expressly repealed.
The UK government is sticking to its vacuous “Brexit means Brexit” line and, until the deal is on the table, nobody actually knows what Brexit will look like.
If the UK stays in the single market, then part of the cost of that will probably be to retain GDPR standards so that would mean data could be transferred as now. But another cost would be the free movement of workers which the government doesn’t want but the other EU members have said is part of the single market.
This might mean the UK ends up leaving the single market. If we nevertheless retain GDPR standards then UK will have adequate protection, again allowing data transfes. If we don’t retain GDPR standards as part of the cull of red tape or “taking back our country” then we would need a UK Privacy Shield.
So, how does the new Human rights Act affect this? At present the European Convention on Human Rights is enforceable in the UK. ECHR was part-drafted by the UK after WWII and protects the right to a private life and right to family life. This is the basis of the data protection laws. As for the repeal of the effect of ECHR in the UK, remember this is separate to the EU. GRB probably won’t repeal it as it’s not an EU law. But the government has promised to replace it anyway. I would expect it to be replaced by the new Human Rights Act and not before so there won’t be a gap. Imagine one of the founders of human rights simply ditching human rights while it works out a new version! I would expect the new version to contain similar privacy and family protections. So the UK will still have its basis for data protection laws.
Without a new Human rights Act and without data protection laws we would definitely need a UK Privacy Shield.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net