How did we get to where we are now with what’s commonly perceived as the global “gold standard” of regulation with regard to the protection of our personal data, including sensitive data that reveals the most private information about our health, religion, political opinions and sexual orientation, amongst others?
Our data privacy and intellectual property specialist, David McIntosh, has been on a personal 40-year privacy journey to date. This article briefly covers all the principal elements of that journey, the vast majority of which he has been involved with and advised on. A following article will cover what might happen next in the UK on the privacy front over the next two to three years, with a snapshot of what is happening in the US and globally.
UK Data Privacy - How it started
It could be argued that the European and UK privacy journey really started in 1981 with the Council of Europe Convention on the Automatic Processing of Personal Data. This led to the UK Data Protection Act 1984, which was put in place to provide a legal basis for the privacy and protection of the data of individuals in the UK, and provided for the first time a regulatory authority, the Data Protection Registrar, to oversee the implementation of, and compliance with, the 1984 Act.
A decade later the EU’s first substantive legislative framework was put in place with the EU Data Protection Directive 95/46/EC. This laid the ground rules for the development of the regulatory protection that we know today. The UK passed the Data Protection Act 1998 to implement this legislation; this Act also renamed the Registrar as the Data Protection Commissioner. Following the Freedom of Information Act 2000, which extended the remit of the DPC to cover FOI, the DPC was renamed as the Office of the Information Commissioner.
From 1998 to 2000 inter-governmental discussions took place between the US, UK and EU which resulted in the US Department of Commerce issuing the International Safe Harbor Privacy Principles in July 2000; this was followed by the EU/US Safe Harbor Framework in the same year. The writer was involved in several of the early discussions between the UK government and industry groups and drafted one of the UK’s first safe harbor certification arrangements over the transfer of significant quantities of personal data from the UK to the US under the safe harbor framework.
In 2001 the European Commission issued Standard Contractual Clauses (SCCs) to be used by contracting parties to govern the privacy arrangements which were required to be put in place in accordance with their obligations under the 1995 Directive.
Updated Regulation and GDPR
The next development took place more than a decade later, after the Snowden revelations about US surveillance, when the Austrian privacy advocate Maximilian Schrems complained about Facebook Ireland’s transfer of his personal data to Facebook in the US. The European Court of Justice in 2015 ruled, in what is now known as Schrems I, that the International Safe Harbor Privacy Principles were invalid.
In April 2016 the EU passed Regulation 2016/679 (GDPR). The GDPR was designed to give EU and EEA citizens control over their personal data and, by having standardised procedures across the EU and EEA, aimed to simplify processes for economic relationships with other countries. The GDPR is considered by most practitioners to be the high-water mark in the global regulation of privacy protection and standards, and many countries around the world have followed it to a greater or lesser degree. Significant elements of the UK government, however, portray these protections as unduly onerous and as EU “red tape” which stifles innovation and hinders the UK’s “global Britain” aspirations. One Minister has spoken recently of “irritating cookie popups”.
Three months after the GDPR, in July 2016, the EU and US put in place an enhanced mechanism, the EU/US Privacy Shield, to provide a regulatory framework for the transfer of EU/EEA personal data to the US.
The UK Data Protection Act 2018 sets out the data protection framework in the UK, alongside the UK GDPR, and replaces the DPA 1998. It was amended on 1 January 2021 by regulations made under the EU (Withdrawal) Act 2018, to reflect the reality of Brexit.
Schrems continued...
Meanwhile the Privacy Shield continued in force. However, Mr Schrems hadn’t yet finished his privacy crusade. In continuing proceedings, he lodged a complaint with the Irish Data Protection Commissioner. He argued that the transfer of his personal data from Facebook Ireland to its US parent company, now made on the basis of the Standard Contractual Clauses, did not protect his fundamental rights under EU law, given the demonstrable ability of US public authorities (the National Security Agency amongst others) to carry out surveillance on EU subjects’ personal data without adequate controls or judicial remedies. This case was then remitted, for the second time, to the ECJ, which ruled in July 2020, in the case now known universally as Schrems II, that the Privacy Shield was invalid. Later in the same month, the European Data Protection Board ruled that transfers of personal data outside the EU/EEA on the basis of the Privacy Shield were illegal.
In June 2021 the European Commission issued revised SCCs to reflect the Schrems II ruling and the EDPB ruling.
Brexit and Data Privacy
Returning to the UK perspective, on 28 June 2021 the European Commission published two adequacy decisions for the UK, one for transfers under the EU GDPR and the other for transfers under the Law Enforcement Directive; this means that the EU recognises that the UK provides an “essentially equivalent” level of data protection to that which exists in the EU. If the Commission doesn’t extend these adequacy decisions, they will expire on 27 June 2025. The four-year “sunset” clause on the adequacy decisions, imposed by the Commission under pressure from the European Parliament, is a safeguard that the Commission has applied to no other country, and which privacy commentators believe reflects mistrust of the UK government’s ability to protect EU citizens’ data.
Could these adequacy decisions terminate before 2025? Yes. The Commission will be monitoring developments in the privacy field in the UK to ensure that the protections continue.
Why is this important? The UK government has made clear its wish to move in a bold new direction with, at the very least, different, and some may argue, potentially lower, privacy standards.
What has the European Commission said on this subject? The European Commission vice-president Věra Jourová said: “The UK has left the EU but today its legal regime of protecting personal data is as it was. Because of this, we are adopting these adequacy decisions today.” She added that the Commission had listened “very carefully” to concerns expressed by the European Parliament, EU members and the European Data Protection Board, “in particular on the possibility of future divergence from our standards in the UK’s privacy framework”.*
(*See also the DCMS consultation document referred to in the following article.)
In August 2021 the ICO published for consultation its draft UK Addendum to the SCCs. The consultation ended on 11 October, following which the ICO is expected to publish the finalised UK addendum in early 2022. Substantive changes to the draft addendum, which is already in use, are not expected, but we will need to await developments.
So, as we come to the close of 2021, I will set out my views in my follow-up article, “To 2025 and Beyond”, on what might be happening in the next few years.
About the Author
David McIntosh was admitted as a Solicitor in 1988 and is a highly experienced commercial projects lawyer who has advised clients in a number of different fields including intellectual property, data privacy, procurement law (both public and private), manufacturing, distribution, information governance and general regulatory matters covering both the nuclear and pharmaceutical sectors.
For more information or advice on data protection or intellectual property issues please contact David McIntosh on dmc@prospectlaw.co.uk or +44 (0) 7483 300 132.