Tuesday 8 August 2017

Brexit, data protection, and the myth of 'taking back control'

Yesterday’s statement from the government about the planned new UK Data Protection Bill is the first concrete example of something which has been in prospect ever since the publication of the Brexit White Paper last February. The White Paper made it clear that post-Brexit the UK would seek to maintain a great deal of regulatory harmonization with the EU, with data protection mentioned as one example (paragraphs 8.38 to 8.40).

The Data Protection Bill will be the first fruit of that. In one way, it can be seen as business as usual in that Britain needs to comply with the new EU General Data Protection Regulation (GDPR) which comes into force in May 2018 when, of course, Britain will still be a member of the EU. Yet as yesterday’s announcement made clear, the Bill will “prepare Britain for Brexit” by ensuring data transfer and its associated business can continue smoothly after leaving the EU. The reason this is necessary is that on exit Britain will be a third party nation but such nations need to demonstrate regulatory equivalence with the GDPR in order to trade freely with the EU.

This is a clear illustration of how, whether in the EU or not, the UK in practice needs to comply with EU regulations. There is a strong element of regulatory pull in any situation where a smaller economy sits alongside a much larger economy because proximity also means that – again, whether in or out of the EU – a large proportion of UK trade will be with the EU. This is so regardless of what the trading arrangement turns out to be, although of course the absolute volume of trade will be very much affected by the nature of that arrangement.

As regards the GDPR, since it has been some time in the making, Britain has had the opportunity to shape the new regulations. But once we have left we will become ‘rule takers’ – not only of any further developments in data protection regulation but also across all of the very numerous areas of EU regulation. This is so even if we leave the single market, as the government plans. In fact it is especially true if we leave the single market in that if we stayed in (as an EFTA member) we would have somewhat more scope to influence regulations than as a third party nation (albeit less than as an EU member).

Nor is the issue confined to the formulation of law and regulation. Equally important will be its ongoing interpretation and enforcement which in the EU means the ECJ, of course. But the government have, for unnecessary reasons of pure dogma, made freedom from ECJ jurisdiction a ‘red line’ (something which is causing an endless number of conundrums and disputes, from Euratom to air travel to citizens’ rights). So this creates a new problem. If UK law (in this case on data protection) follows EU law, then what happens as over time the ECJ makes judgments on the interpretation and application of the latter?

This is the force behind today’s call from Lord Neuberger, the President of Britain’s Supreme Court, for guidance from the government as to how to treat ECJ rulings after Brexit. Steve Peers, on his EU Law Blog, pointed out that the White Paper implied that EU case law would continue to be relevant to British courts post-Brexit in the same way as at the moment, but that what this meant was unclear – as it remains. In reality it is impossible to see how the UK could effectively maintain compatibility with EU regulation in the way envisaged by, in this case, the data protection legislation if over time its interpretation and application diverged by virtue of incompatible decisions in the EU and UK courts (this is one of the underlying issues I drew attention to in my recent post on the Brexiter fantasy that current regulatory harmonization makes a UK-EU trade deal easy). The likelihood is that, in practice, ECJ judgments will be applied in the UK. Indeed the government’s own formulation, both in the White Paper and in its spokesperson’s response to Lord Neuberger, that Brexit will end the “direct jurisdiction” of the ECJ seems to suggest just that: what will happen is ‘indirect jurisdiction’.

So the data protection legislation is an early glimpse of just how meaningless the mantra of ‘taking back control’ and ‘making our own laws’ really is. The reality is that – unless the plan is for complete economic autarky, and I wouldn’t put that past some of the Brexit Jacobins – the UK will have less control over law making than it had as an EU member. The data protection case is an example of how, as I wrote at the time of the White Paper, what is in prospect is the creation of a whole host of shadow regulations and institutions to mirror those of the EU. In other words, a situation where the reality is less control will be created in order to give the illusion of having control so as to assuage (what the White Paper calls) the “feeling” of having lost control by being in the EU.

No comments:

Post a Comment