In the event of Brexit, the UK will leave the EU Charter, the GDPR and related EU instruments. It will, however, remain committed not only to achieving EU ‘adequacy’ standard but doing this within the framework of Council of Europe’s Data Protection Convention 108+. These slides therefore explore the commonalities and contrasts between EU DP and Convention 108+. Both have a similar scope and common principles. However, Convention 108+'s transparency and sensitive data rules are considerably less stringent and there are many fewer compulsory controller discipline provisions. Whilst only modest change should be expected initially as the UK will essentially replicate the GDPR in the short-term, this less prescriptive and more flexible approach is likely to exert an influence on UK data protection should Brexit happen.
2. Introduction
S. I. 2019/419 provides for only minor immediate
changes to UK DP in event of even “no deal” Brexit.
But longer-term will likely see divergence.
But in addition to seeking adequacy, UK will remain
part of CoE framework including Convention 108+.
Going to explore what less prescriptive substantive
approach within CoE framework might look like.
3. Article 8 of EU Charter Will Go
Specific things within Article 8 are high-level & not
controversial: fairness, purpose specification, legal basis,
right of access & rectification.
But Article 8 gives a special status not just to this but to right
of data protection more generally.
Special status is bolstered by emphasis Court of Justice
places on DP as a fundamental right.
None of that is fully replicated in CoE DP or will be
replicated in UK domestically in event of Brexit.
4. Transparency Rules
Both instruments have proactive & reactive rights here.
But, Convention 108+ much weaker esp. re: proactive (A. 8):
Less information ‘mandatory’ (storage period, automated
decision-making, source etc.).
Explanatory Report seems to see public notice as sufficient.
Report also seems to imply that if not direct collection then must
be from third party – but what about imputed or public domain?
Disproportionate effort is also full exemption – no mention of
appropriate protective measures, let alone “making the information
publicly available” (cf. GDPR, art. 14(5)(b)).
5. Special/Sensitive Data: Overview
Special/sensitive data not mentioned per se in EU Charter.
But it is a core part of granular law in both EU and CoE.
However, divergences here could also feed into shift to less
prescriptive, more “pragmatic” approach.
This is especially apparent as regards the definition of special
data but may also arise as regards type of safeguards.
6. Protection of Criminal-Related Data
Scope:
Stringency:
GDPR: “data relating to criminal convictions and offences or related
security measures” (A. 10)
Convention 108+: “data relating to offences, criminal proceedings and
convictions and related security measures.” (A. 6)
GDPR: Control of official authority or law with appropriate safeguards.
Convention 108+: Law with appropriate safeguards.
7. Other Special/Sensitive Data
Stringency:
Convention 108+: Law with appropriate safeguards.
GDPR: General prohibition absent waiver or weighty public
interest & safeguards (A. 9)
Scope:
Both adopt categorical approach & only minor differences.
But Convention 108+ usually also requires sensitive purpose:
This would even cover super-sensitive areas like health & sex life.
“The processing of: …
- personal data for the information they reveal … shall only be allowed with
appropriate safeguards are enshrined in law.”
8. Discipline Provisions
CoE & GDPR:
Security
Accountability
Export Control
(DPA Breach)
Rules on:
Processor
Joint Control
Export Rules:
“essential
equivalence”
Closed list
Breach Regime:
- DPA
- Subject
- Public
DP Officer
Documentation
Impact Assess.
Prior Consult
9. Conclusions
In event of Brexit, UK with leave EU Charter and
substantive DP regime will slowly diverge from that of EU.
UK remains commited not just to ‘adequacy’ but also CoE DP,
which shares common roots and structure with EU DP.
But CoE less prescriptive & more pragmatic especially re:
Proactive Transparency
Discipline provisions
Special data regime.
Those differences are likely to impact UK DP in future.