In the midst of political upheavals the new EU-US data protection regime has been approved – here’s what it means for lawyers.

Before Brexit comes Complexit. We have entered a land of bewildering difficulty, where no one is sure what laws will apply in two years’ time (if it is two years’ time).

As others have pointed out, there was a second, crucial question missing from the referendum, which is whether, if we leave the EU, we wish to remain a part of the single market. And even that question should probably have been followed by further questions about exactly which model we wish to choose, since each has fundamental ramifications for immigration, the economy, sovereignty and all those other wonderful issues.

Maybe the first question should have been: do you think these questions should be settled by a referendum, or through parliamentary democracy?

In some areas, we will have less choice – for instance, data protection. I have written about it previously in the context of Brexit, but there was very important news at the very end of last week, which has barely been reported as a result of our political upheavals. On Friday 8 July, the European Commission announced that the new EU-US data protection regime, Privacy Shield - replacing Safe Harbour, struck down last year by the Court of Justice of the European Union - has been approved by the member states, and so will become operational within days. That should cause a big sigh of relief, meaning that EU-US data transfers can again be undertaken with a measure of safety.

I say ‘a measure of safety’ because Privacy Shield will doubtless soon be challenged on the same grounds as Safe Harbour. That is still some way down the line, and so we need not worry about it for the time being, and can go back to business as usual.

Privacy Shield should make us all pause, post-Brexit. Our data will be going into the EU, and EU data will be coming to us. Those two situations are different. For data going into the EU - all Facebook data, for instance, which was the basis of the Safe Harbour challenge - we will need to comply with the new EU data protection regulation. Many people have pointed that out, and no amount of referenda will change it. The only difference is that in future we will have no say over changes to the EU data regime with which we will have to continue to comply.

As for data coming out of the EU to the UK, the chief ground of complaint against Safe Harbour was that US surveillance authorities had access to EU data, without the guarantees which apply in the EU. We know that the UK’s GCHQ is no slouch when it comes to examining our data.

For the time being, member states’ own intelligence authorities’ surveillance actions are exempt from EU control, and so GCHQ can continue to look at incoming EU data without too many problems under data protection legislation. (That state of affairs is itself of course the subject of the case brought by David Davis, Tom Watson and others against the data retention regime in the UK – Case C-698/15. The advocate general’s decision in that - and another joined case from Sweden, Case C-203/15 - is due next week.)

One thing is for sure: there is a lot of negotiation ahead, all in the trickiest of areas

Once we are outside the EU, will the EU consider the actions of GCHQ in the same way as it considers the actions of the US’s National Security Agency (NSA)? If so, we will presumably have to negotiate our own Privacy Shield with the EU before EU data can come here safely. If the EU insists on the same conditions as it won against the mighty US, we will have to pass the same kind of legislation as the US passed earlier this year with its Judicial Redress Act, to allow EU citizens redress in our courts against breaches by GCHQ of the standards negotiated, which will presumably be the EU’s standards.

That will give those pesky Europeans the right to uphold their standards in our courts, just when we have voted to be free. (And, unless we want our data to be accessed by the NSA, we will have to negotiate a separate Privacy Shield with the US.)

As I have said before, this is just one of those examples where we will probably have to reconstitute the equivalent of the EU’s regime, but with fewer rights to control it. The nation state is no longer the sole vehicle operating in a borderless world, and we will have to accept the laws of our giant regional neighbour. One thing is for sure: there is a lot of negotiation ahead, all in the trickiest of areas.

Will there also be further referenda, as we ask the people each time exactly how free they want to be?

Jonathan Goldsmith is a consultant and former secretary-general at the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs


Data protection seminar: prepare and protect your organisation (28 September, the Law Society, London)

We have enlisted expert speakers to provide you with further clarification on the GDPR, address key questions relating to Brexit and highlight the issues you should be thinking about as we enter a transitional phase between the current regulation and the new framework. The seminar will cover the practicalities of what you need to do next to prepare your firm, including exploring the new role of the Data Protection Officer. Book here.