Snooper's Charter could cause GDPR headache

Published: 17 May 2018 at 08:58

Data centre

UK could be denied ‘adequacy decision’, post-Brexit, due to Investigatory Powers Act

The Investigatory Powers Act, in its current form, could mean the UK will be unable to fully comply with the new General Data Protection Regulation (GDPR) in the event of a hard Brexit. 
In an article published in the 2018 edition of the International Review of Law, Computers & Technology, Dr Aysem Diker Vanberg of Anglia Ruskin University has set out how the UK, post-Brexit, could fall foul of the EU’s strict data protection standards.
GDPR becomes binding on all EU member states, including the UK, on 25 May.  It aims to harmonise data protection laws across Europe, and shift power away from corporations and towards consumers, giving individuals greater control of the information held about them.  
Even if corporations are not based in the EU, GDPR will apply to them if they conduct business within the EU.  A number of non-EU countries have already secured “adequacy decisions”, allowing data transfers to carry on as normal after 25 May. However for the time being it is not clear whether the UK will be able to secure an adequacy decision post-Brexit.
In her article Data protection in the UK post-Brexit: the only certainty is uncertainty Dr Diker Vanberg explains that over 70% of all trade in services is enabled by data flows and without an effective data protection framework which allows data exchanges with the EU to continue, the UK is likely to suffer significant financial losses.
And she believes that the Investigatory Powers Act 2016, also known as the Snooper’s Charter, could be a major sticking point regarding the UK securing an adequacy decision from the EU. 

In particular, the ability of intelligence agencies to intercept communications data is likely to be at odds with EU case law (Tele2 Sverige and Watson).  Without an adequacy arrangement, individual UK businesses and organisations will be faced with expensive and burdensome red tape. 
In April the High Court in London ruled that changes need to be made to some parts of the Investigatory Powers Act by 1 November to bring it in line with EU law, but it is unclear whether the Government will be able to make the necessary amendments within this timeframe.
Dr Diker Vanberg, Senior Lecturer in Law at Anglia Ruskin University, said: 

“If the European Commission decides that the UK’s data protection laws post-Brexit are not up to the same standard as GDPR, it could be highly damaging for UK businesses trading with the EU, because they will be subject to two different sets of data protection regulations, putting them at a disadvantage against any company based in the EU.
“In this scenario, transfers of data from EU member states to the UK would require businesses in the UK to apply for, and abide by, individual agreements. These arrangements are likely to lead to costs and complexity for UK businesses, and it’s likely these costs will be passed on to consumers.
“An additional concern is that even if the UK manages to secure an adequacy decision, the European Commission can suspend or even repeal its decision at any time if it believes that the UK no longer ensures an adequate level of data protection. This uncertainty might push companies to move their operations outside the UK, leading to negative consequences for the UK economy.
“Data protection is an example of the significant complexity and consequences of Brexit relating to a just one area of law. There are solutions to these problems, but it will require a massive effort.”