How can post-"BREXIT" UK implement GDPR?

How can post "BREXIT" UK implement GDPR?

Introduction

One feature of the GDPR, which has been in force since 25th May 2016 and which comes into effect on 25th May 2018, is that it pays frequent reference to the European Charter of Fundamental Rights.

In European law the Charter, which incorporates Churchillian Human Rights into European law, trumps all other treaties, regulations and directives. The rights incorporated into the charter are universally applicable where EU law is engaged.

In recent pronouncements, the British government has stated that it intends to “incorporate the GDPR into UK law” and to overhaul UK data protection law.

Fundamental to the government's Brexit policy is the stated objective of removing the influence of the European Court of Justice (the “CJEU”) from UK law.

Are these objectives compatible?

The Charter of Fundamental Rights of the EU

The Charter, as I will refer to it, embodies European Convention on Human Rights (“ECHR”) and similar “rights and freedoms” into EU law. It does so without using the same numbering as the ECHR which can be confusing.

The EU cannot be a signatory to the Convention as it is not a state, despite what many believe. The Charter makes good this deficit by incorporating ECHR-like rights and freedoms into EU law. It does this in such a way that Charter rights now trump all other elements of EU law. The Charter was enacted by the Treaty of Lisbon in December 2007 which entered into force on 1st December 2009.

The competent court for claims under the Convention is the European Court of Human Rights (“ECtHR”) and the competent court for claims under EU law is the European Court of Justice (“ECJ”). Charter rights are therefore dealt with by the ECJ.

The GDPR and the Charter

On a rapid skim-read of the Articles of the GDPR, one finds that approximately one third of those articles mention “rights and freedoms” which is a direct reference to Charter rights.

This very crude assessment makes no reference to indirect references to Charter rights in the Regulation. Such indirect references include those in the Recitals, all 173 of them, and references where an Article refers to another article where Charter rights are directly mentioned.

It follows that Charter rights are fundamental to the working of the GDPR.

Everywhere in the GDPR where there is direct or indirect reference to Charter rights poses a potential difficulty for non-EU organisations. This is the first significant EU legislation which has extra-territorial scope and as such has potentially far-reaching consequences.

GDPR(UK)?

If the UK legislature is to enact a GDPR-like piece of legislation, it will have to deal with all of the above mentioned Charter references. How might it do this?

The UK Government has published a White Paper on the subject and nowhere in that document is the word “charter” mentioned and the words “rights and freedoms” are mentioned only once.

One approach might be to expressly enact a UK Charter of Rights (politicians have been mentioning a “UK Bill of Rights” for many years) where the competent court is the Supreme Court of the United Kingdom.

Another approach, which on the face of recent statements by those in government seems to be unlikely, would be to expressly cede jurisdiction to the ECJ for issues arising under the GDPR, thereby avoiding the necessity to re-write at least 1/3rd of the articles.

A third approach would be to expressly set out in a UK GDPR “Act” that references to “charter rights” are to be dealt with by the UK courts and that the UK Supreme Court will be the final arbiter. The Supreme Court justices have already indicated in open communication that some guidance will be required from Westminster as to how ECJ authorities should be considered post-Brexit.

Given the rhetoric of the UK Government in recent months, it seems unlikely that the second option mentioned above is likely to gain any significant traction. However, the die is not cast yet.

One of the issues with the first and third options, however, is how the UK Supreme Court will deal with “charter rights”. Whether the “charter rights” come from a UK specific “charter”-like enactment or are the existing EU Charter rights, one has to consider how the UK Supreme Court will deal with those rights. If the UK Supreme Court is able to follow ECJ decisions, it is likely that there will be a convergence on consistency. However, if the UK courts are discouraged from considering European jurisprudence when considering alleged infringements of “charter rights”, whether European charter rights or equivalent/near-equivalent UK rights, there is a significant possibility of decisions of the UK Supreme Court diverging from those of the ECJ.

The same is likely to apply to lower level courts as well. Lower UK courts will be obliged, as they are now, to consider UK Supreme Court decisions. Post-Brexit if they are discouraged from considering European Jurisprudence those decisions will have far less weight than they do today. Similarly, European courts will pay no heed to divergent UK decisions and there will be no need for the ECJ to consider them as the UK will not be a Member State any longer. Similarly, the UK will not be in a position to claim any derogations reserved for Member States under this or any other European legislation.

Consequences of UK decisions diverging from European decisions

If UK decisions cannot be rendered consistent with European jurisprudence, there will be an increasing tendency for forum shopping. The GDPR applies, in relation to data subjects, to the “personal data of data subjects who are in the Union...” (Art. 3(2)), thereby not restricting its scope to only EU citizens but covering any person who is from time to time within its borders. Because of the federal structure of various member states, there will, after Brexit, be 45 regulators active in the field.

There is nothing in the GDPR to prevent the data subject who believes that his fundamental rights and freedoms (Charter rights) have been infringed from seeking redress through his home regulator or any regulator who has jurisdiction over the offending establishment (company). If UK decisions diverge from those of the EU courts, any data subject will be entitled to seek redress from the EU regulators and EU courts and the establishments risk being investigated, prosecuted and fined by European courts instead of UK ones. This may, it is suggested, completely negate the stated political aim of removing the UK from the jurisdiction of the ECJ.

Conclusion

The stated aim of the UK Government to “enact the GDPR” and/or to “enact a UK equivalent of the GDPR” appears, at first blush, to have been made without any or any significant reference to the fundamentals underpinning the GDPR. Those fundamental principles are embodied in the Charter of Fundamental Rights and take precedence over any and all other EU law.

To “enact” the GDPR or a UK version of the GDPR, the Government of the UK is going to have to find a way of enshrining equivalent rights along with a consistent jurisprudence or it will risk forum shopping leading to European decisions having effect on UK companies in any event.

This article was first published on the Invictus Chambers web site on 10th September 2017.

X