Data Privacy and Brexit

  1. The UK is due to leave the EU on 29 March 2019, whereupon, in the absence of any other agreement, all EU laws, including GDPR, will cease to apply as a matter of EU law. At a purely domestic UK level however, all currently applicable EU laws, including GDPR will then have been incorporated into UK law by the European Union (Withdrawal) Act 2018. In addition, GDPR has been implemented in the UK by the Data Protection Act 2018 (“DPA”) which is expressly stated to be read alongside GDPR.
  2. The clear intention of the DPA, as stated in its explanatory notes is to set new standards for protecting personal data “in accordance with recent EU data protection laws”. So, after 29 March 2019, at least from a domestic UK law perspective, GDPR will apply to activities in the UK, including transfers of personal data from the UK to countries remaining in the EEA.
  3. However, what is less clear, is how transfers of personal data from the EEA to the UK will be dealt with and of course this is of practical importance to multinational businesses with substantial continuing operations and interests elsewhere in the EU. After Brexit, although the UK’s data privacy laws will be substantively similar to those in the EU, the UK will technically be considered a third country and so require a decision from the European Commission that its protections are “adequate” to enable the continuation of the status quo for transfers to the UK. Although on the face of it, this should be a formality due to the DPA incorporating GDPR, the political and institutional context of the broader relationship between the UK and the residual EU members (“rEU”) may complicate matters. At the very least, there may be a degree of uncertainty between the date of Brexit and the date on which the Commission issues any decision on adequacy.
  4. That said, from a practical perspective, the most likely approach would be that the Commission, the CJEU, domestic EU regulators and Courts, would find it uncontroversial to treat transfers to the UK pending an adequacy decision as being in any event ones which were to a third country with adequate protections, at least in terms of prioritising investigations of complaints. This may provide some degree of comfort, particularly when combined with companies’ Binding Corporate Rules (“BCRs”) if they have been approved by that time (the process in the UK for approval involves notification to ICO which reviews and approves from a UK perspective and then forwards to the regulators in two other EU Member States for their approval – if a company has not already notified its BCRs to ICO it is highly unlikely that the process would be capable of being completed prior to 29 March 2019).
  5. This is nevertheless, dependent to the progress and nature of the continuing negotiations between the UK and the EU around the terms of Brexit and the future relationship between the UK and rEU. Although at present there does not seem to be any intention by the current government to reach an agreement which would involve departing from the UK applying GDPR, whether by legal obligation or as a voluntary matter, until that position is crystallised, there is uncertainty and therefore risk. The more antagonistic an approach the UK takes over the coming months, the greater the uncertainty on this issue and in particular, the lower the chances that the Commission would be inclined to reach a quick decision on matters like making a declaration of adequacy in the UK’s favour (or that the EU national privacy regulators would feel any need to attempt to find UK companies’ BCRs compliant ahead of Brexit or expedite doing so[1]).
  6. Another issue worth noting is that on Brexit, the UK, in the absence of other agreement, will not be party to the EU-US Privacy Shield. This may cause some operational difficulties if a company exports data collected within the EU which was transferred to the UK prior to further processing in the US, although this would be avoidable by ensuring that such transfers, if hitherto reliant on the privacy shield were directly from the EU to US without going via the UK. From a UK perspective, while the privacy shield may not technically apply, it is not likely that ICO would consider transfers from the UK to the US to breach DPA if prior to 29 March 2019 they would have benefited from the privacy shield.
  7. There are five broad scenarios for the future relationship with the EU which will have differing impacts from a data privacy perspective. The account below is by necessity somewhat speculative as the actual direction and content of what is negotiated and ultimately agreed between the UK and EU is evolving and may not fully come to light until very close to the date of Brexit itself.
    1. Reversing the decision to leave the EU
    2. Continuing to remain a member of the EEA and/or rejoining EFTA and negotiating some UK-specific derogations (sometimes referred to as “Norway+”)
    3. An agreement with the EU largely based on the approach set out in the government’s White Paper on the future relationship with the EU
    4. A looser agreement with the EU, in particular without any form of “common rule book” which would preserve EU laws in the UK in a way which would be formally recognised by the EU (sometimes referred to as “Canada+++”)
    5. No deal – no ongoing legal or treaty obligations towards the EU at all
  8. Scenarios a and b do not raise any significant data privacy issues as they both involve keeping the UK within the scope of GDPR directly and not being a third country. At present neither scenario looks particularly likely and both would involve significant political change within the UK including the possibility of a change of government, a further referendum and/or a General Election. The uncertainties that would arise from these political changes are such that while the final outcome of these scenarios would be to retain the current status quo in respect of data privacy, the impact of data privacy as a business risk would be likely to be minor compared to the other business risks posed by such a period of political upheaval.
  9. Scenario c is the government’s currently preferred position, although as with much of the debate around Brexit there are competing reports as to how acceptable it might be to the EU and what changes to the White Paper might be required by the EU or as concessions in Parliament to those who do not agree with the government line (whether to remove elements of the White Paper or to expand its scope). In general terms, the aim of the White Paper’s approach is to retain a common rule book with the EU in relation to trade in goods. For those matters covered by such a common rule book, there would by definition be agreement from the EU that the pre-existing UK position would be compliant with EU laws. It is not obvious from the White Paper where this leaves data privacy and GDPR.
  10. From a technical legal perspective, the common rule book, if it “would cover only those rules necessary to provide for frictionless trade at the border” (White Paper Section 1.2.3 para 25) would not extend to GDPR and need not cover any EU laws beyond those which on their face have a Treaty Base of any of Articles 34-37 TFEU (the provisions establishing free movement of goods other than those establishing the Customs Union, which current UK policy is to no longer be bound by). Data privacy is dealt with by Article 16 TFEU, which is the stated Treaty Base for GDPR and so would not be included in that narrow conception of the common rule book. It is most likely that if covered at all by the agreement between the UK and EU, GDPR would be treated as part of the provisions relating to services and “digital” trade which the White Paper proposes will involve new arrangements which will mean “the UK and EU will not have current levels of access to each other’s markets” (White Paper Section 1.3 para 48).
  11. That leaves open the possibility that GDPR might not be included in the future arrangements or even that the UK may decide to have a different data privacy regime, although that does not look like the approach the current government will pursue given the way in which the DPA was written and its stated intent. It is most likely that the future arrangements under this approach would either incorporate GDPR as is to provide certainty in relation to digital and services trade between the UK and EU without the need for a separate adequacy finding or that they would be silent on it but the general atmosphere would be one in which obtaining an adequacy decision would be considered by both EU and UK to be routine based on current UK legislation. As a broadly non-confrontational negotiation stance it would also be likely to be neutral with respect to the progress of approval by EU regulators of a UK company’s BCRs.
  12. Scenarios d and e would both require the UK to rely upon an adequacy finding and/or for UK companies’ approval of its BCRs. Neither inherently alters the underlying substance of existing UK law and its implementation of GDPR but as both are more potentially confrontational they may raise the risk of delay in obtaining those decisions or even (if the discussions become particularly acrimonious) grounds arising for refusing them. For example, if scenario e of “No Deal” transpired and there were threats from either side of any form of trade war, given the importance of personal data in many businesses, restricting the UK or UK companies’ ability to receive and process data from rEU may be considered as a valid tactic in such a dispute.
  13. Escalation of matters this far is probably not very likely but if it did occur may require more significant mitigations to be adopted. For example, it might be prudent in these circumstances to conduct a detailed audit of the actual data flows within a company group to identify the extent to which it was operationally essential and unavoidable to transfer personal data from rEU to the UK and whether this could be worked around (eg by dealing with more processing in-country and using third party processors in rEU rather than the UK, if transfers out of rEU are needed, to look at whether there are other third countries which have more settled relations with the EU on privacy etc).
  14. A more likely outcome is that scenario d would require, to be realistic, maintaining good relations with the EU (eg if the government wishes to get Canada+++ it will want to be as friendly in its discussions with the EU as Canada is). Scenario e could also be achieved without confrontation, albeit that most of its current proponents seem to be otherwise inclined. In both of these situations, a longer term risk might be that the UK decides that the GDPR framework is too restrictive a way of achieving its aims and looks to create an alternative approach (eg California has recently enacted data privacy laws focusing on specific practices by businesses like selling consumer data rather than processing per se, or this suggestion that the UK should change from a blanket prohibition on processing without a lawful basis to prohibiting particularly egregious types of processing while not regulating processing generally) . This would be a risk as a change to domestic UK law from DPA would impact any previous finding of adequacy of UK protections and so would push UK companies back to relying on their BCRs and model clauses (etc) unless the UK were able to persuade the Commission that its new approach remained adequate.

 

[1] The Government has published a guidance note on the anticipated effect on data protection in the event of “No Deal”. It states that while preliminary discussions about an adequacy assessment have taken place, the Commission has not indicated a timetable and has stated that it cannot take an adequacy decision until after the UK has left the EU and become a “third country”.

Advertisements

Steel Yourself

Over the past week steelworks in the UK have ceased production one after the other. First SSI in Redcar, then Caparo and Tata Steel. The basic reason for this is that the global price of steel has fallen significantly from $500 a tonne when SSI spent £1bn on taking the Redcar plant it acquired from Tata out of mothballs five years ago to $300 a tonne now. Even without looking at the economics in any detail that sort of a price crash in such a short period of time would cause any business serious difficulties and even more so in an industry for commoditised products with typically low margins like steel.

Many commentators have said, “surely something can be done”. Britain has a long and proud industrial tradition in the manufacture of steel. Middlesbrough even briefly had a league football club called Middlesbrough Ironopolis and at one point produced more steel than the rest of the world combined. It seems wrong that apparently at the stroke of a liquidator’s pen so much history and so many jobs could vanish. While it seems that Tata Steel will be mothballing its remaining plant (as it did with Redcar in 2008*), the furnaces have been switched off at Redcar. This means that they cannot subsequently be restarted so this really is the end for much British production. But, the sad reality is that there is probably nothing which can be done quickly enough to save production, jobs and heritage, even if the money could be found to support the steel industry until global prices rose sufficiently to make it viable again (and that itself is unlikely to happen while there is substantial overcapacity elsewhere in the world).

However, even if there were the means for the government to afford to rescue British steelmakers, there’s a bigger obstacle in the form of the EU State Aid rules. In brief, these prohibit the provision of state support where that could distort competition. In a market economy that means that bailing out bankrupt businesses is almost always prohibited. There are provisions for notifications of proposed aid to be made to the European Commission to seek approval and these have, for example been used when RBS and Lloyds/HBOS were rescued during the crash of 2008. The approvals granted then were subject to significant conditions involving divestments of profitable parts of the business and spinning off divisions which had too large a share of the market. These were then updated later in the process of nursing those banks back towards health to include prohibitions on paying out dividends.

Well, why not provide aid to the steel companies and have some conditions like this? Unfortunately, steel has been considered a special case, along with coal, since the European Coal and Steel Community (ECSC) Treaty of 1952 which predated the Treaty of Rome establishing what is now the EU (the existence of this treaty and the community it established is the reason you sometimes still hear references to the European Communities rather than European Community, ECSC, the European Atomic Energy Community and the EEC were merged in 1965 and the UK joined the merged Community in 1972). The ECSC Treaty arose in the aftermath of World War II and specifically sought to create a single market across its signatory states for coal and steel. The reason for this is that coal and steel were at the time the raw materials for the building of national military strength. By looking at capacity requirements on a transnational basis the thinking was that it would not be possible for any country to ramp up production in preparation for building a load of tanks, planes and warships as had occurred prior to both World Wars. Article 4(c) abolished and prohibited “subsidies or state assistance… in any form whatsoever” and the Treaty more broadly set out the basis for competitive markets in coal and steel to operate in the absence of such subsidy.

The ECSC Treaty expired after 50 years in 2002 and the case law and guidance which had built up over the previous 50 years on what was covered by the prohibition of subsidies was summarised in the Commission’s Notice under EU law of 19 March 2002. This was titled “Rescue and restructuring aid and closure aid for the steel sector” and covered two different scenarios. First, the rules to apply in respect of aid for rescuing or restructuring steel firms in financial difficulties and second, the rules in respect of assisting steel workers who lost their jobs when steel works closed.

Article 1 of the Notice concludes:

“In these circumstances [referring to prior decisions], the Commission considers that rescue aid and restructuring aid for firms in difficulty in the steel sector …are not compatible with the common market.”

Under the EU State Aid laws, it is up to the Commission to decide, where a proposed aid package is notified to it (such as with RBS), whether that aid package is “compatible with the common market” and therefore can be approved. This Notice makes it clear that the Commission does not have any power to determine whether aid to bail out a steel company is compatible with the common market by deeming that it never would be. Although the Notice expired in 2009, this is very unlikely to make any difference at all to the position because the previous history of the industry and its regulation by the Commission is so clearly against the provision of such aid in any circumstances. The Commission would technically have discretion to consider a notification, but it is difficult to see how it could conclude that aid of a form which had been prohibited for 57 years could now be seen as compatible with the common market. This can be simply illustrated by putting yourself in the position of say a German steel maker which had managed to remain solvent despite the drop in steel prices. That business would rightly feel aggrieved that the reward for having run itself so as to be able to bear a 40% drop in steel prices was to find its British competitors being given a handout to let them carry on trying to win business from them. 

So, why not do as Nigel Farage suggested and simply ignore the EU rules? After all, apparently we Brits are far too overzealous and scrupulous about complying with them, whereas those perfidious Europeans simply ignore them if they aren’t in their national interests. The problem here is that the sanction for illegal state aid is that the amount provided has to be repaid immediately and in full. As the businesses in question here are bankrupt, if the aid is considered to be a loan which is repayable when the ECJ gets round to making an order, the value of those loans would have to be calculated on the basis of the sort of interest rates which a significantly distressed borrower might have had to pay (ie a very high interest rate!). It is not too fanciful to imagine that SSI, Tata and Caparo would not wish to borrow at those sorts of rate and so would not accept an offer of aid, which is probably why one thing which has not been reported is any of those companies complaining they couldn’t get any financing from the government. It is also worth noting that when in 1993 the Italian government wanted to write off €4bn of debts for the Italian steelmaker, Ilva, as part of the preparations for privatisation this was blocked by the Commission. This is also noteworthy because investment by a state in a nationalised industry with the intention of maximising the return on privatisation is something which is generally allowed as long as that investment is proportionate to that aim.

An alternative might be to nationalise and then pump whatever was needed in. At least this would in theory take away the risk to the business of repayment, right? No, unfortunately not, the Commission isn’t that stupid! It would be as if after the government bailed out RBS it was told it was not allowed to guarantee its massive debts. Instant collapse of RBS. Or here, instant collapse of “National Steel”. At the moment, the Commission is in fact investigating a complaint about the aid Italy has given to Ilva this year (Ilva having been renationalised in January to protect it from the consequences of breaches of environmental law) so nationalisation is no magic bullet either,

In summary, while remaining in the EU, the state bailing out the steel companies is not an option. It probably wouldn’t be an option even if we were outside the EU as enabling them to export steel at market price while it cost 40% more to produce would be a pretty clear violation of the anti-dumping rules, but that is another set of laws entirely (as is the question whether the global market price has been artificially depressed by the Chinese or Russians subsidising exports – which might in theory provide a defence were either of them to bring an anti-dumping case against a hypothetical non-EU UK). The best we could do would in those circumstances would be to require the use of domestically produced steel by British users of steel for products which were not to be exported.

Sadly, those who think more could be done are I think indulging in wishful thinking.

* After Redcar was mothballed in 2008 I advised various public sector funding bodies and possible users of the site on what uses for the facilities could be supported by the state without falling foul of the State Aid rules. From memory, these were largely confined to using the testing and laboratory facilities to develop new product prototypes and research rather than any form of commercial production. I did enjoy a few Parmos while taking the bracing sea air though. 

Bank Bashing Competition

Raaah, aren’t the bankers evil? Crashing the economy and all that. Then giving themselves massive bonuses. Pure evil. Something must be done. It is time for a reckoning. Hard to disagree and so a nice easy run for Ed Miliband in his recent speech. The weird thing is that the speech actually committed a Labour government to doing things which were already happening, doing things it didn’t have the power to do without primary legislation, and doing things which might lead to answers it didn’t like.

Continue reading