One area of law that highlights the daunting complexities of Brexit is data protection.
Let me nominate data protection as a case study highlighting some of the complexities underlying Brexit. They play out with particular clarity in this otherwise overlooked area.
For instance, there is a debate just developing over the relationship between the human rights that come from our EU membership and the content of the Great Repeal Bill that the government is expected to publish later this year in the Queen’s speech. How many of our rights will the bill protect? Some of our current rights come from decisions of the Court of Justice of the European Union (CJEU), whose jurisdiction over the UK the government wishes to end – see principle 2 of the prime minister’s recently announced 12 guiding principles on Brexit.
So what will be the status of CJEU decisions in the Great Repeal Bill and, more particularly, will the government be able to change them through a lesser procedure than full parliamentary approval, by using so-called Henry VIII clauses, which delegate parliamentary power to the executive or elsewhere? To make it more concrete, there is a recent instance of a right granted by the CJEU in the area of data protection from the line of cases which culminated in the decision of Secretary of State for the Home Department v Watson (Case C‑698/15).
This confirmed that data should be subject to certain protections against prying by the government (such as that access by the government should be subject to prior review by a court or an independent administrative authority). Will this right be protected in the future? There is no answer yet.
Next, the evidence of various experts before the House of Commons justice select committee, looking at Brexit implications, has made it clear that future criminal justice cooperation will depend on the UK continuing to comply with EU data protection rules. Otherwise, EU member states and agencies will be prevented by their own data protection laws from sharing vital data with us. Such data could be criminal records (through the European Criminal Records Information Service), or the exchange of biometrics such as fingerprints and DNA (through the future Prüm roll-out). The area of criminal justice cooperation has been recognised as being sufficiently important to make it on to the list of 12 guiding principles – albeit at number 11.
The UK government has also confirmed in recent months that the UK will implement the General Data Protection Regulation (GDPR), which is part of the new EU data reform package published last year. The GDPR has to be implemented in all member states by 25 May 2018. This is a sign, of sorts, that the government intends us to continue to have equivalence with the EU after Brexit. Lawyers should therefore be focusing on the changes it will bring, even as we are coping with the Brexit process.
The Council of Bars and Law Societies of Europe has published a very useful set of recommendations, drawing attention to those issues in the GDPR which deserve particular attention from the legal profession. For solicitors, the recommendations are aimed at the Law Society, or any others interested in lobbying our government on the shape of the implementing legislation. Most are aimed at protecting legal professional privilege.
For instance, the GDPR (article 6) allows member states to adopt provisions specifying under which circumstances the processing of personal data may take place ‘for the performance of a task carried out in the public interest’. The government should therefore be urged to include special provisions for the processing of data related to contentious legal work in the implementing legislation.
Article 14 provides for an explicit exception to the requirement that the data controller should provide information and access to the data subject. It applies in those circumstances where the controller has not obtained the personal data from the data subject, and if the data are covered by legal professional privilege. Again, the government should be urged to provide lawyers with full protection in the implementing legislation.
Similarly, there is a possibility for the legislation to protect lawyer-client confidentiality against the power of data supervisory authorities (article 90).
Here is another interesting question. Since we need to implement the GDPR by May 2018, and are hoping to withdraw the following year, and on the basis that the Great Repeal Bill will continue the GDPR into UK law for the indefinite future, how will we maintain equivalence after withdrawal? This will presumably be necessary if criminal justice cooperation is to continue after withdrawal, too. What will happen to CJEU decisions on the GDPR in the future? If they do not bind us, will our equivalence fail? This will affect the fate of all our data going into the EU.
The solutions to these knotty legal problems await us.
Jonathan Goldsmith is a consultant and former secretary-general at the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs