Six days after the results of the UK Brexit referendum, it is still very hard to go back to a “normal” life, especially as an EU citizen living in the UK. One of the most upsetting things about the referendum, at least for a lawyer, is its nonsense. This holds true in particular in the field of data protection law, given:
- the extraterritorial effect of EU data protection law,
- the role and importance of the adequacy mechanism in making trade with third countries possible, as recalled recently by the Court of Justice of the European Union (CJEU) in its Schrems decision, which led to a renegotiation of the EU-US Safe Harbour Framework, rebranded the Privacy Shield [recent documents on this matter have been leaked by Politico here], and
- not to mention the necessary legal implications of remaining part of the European Economic Area (the EEA Agreement incorporates EU legislation from all policy areas of the Single Market, and new EU legislation is regularly added).
In sum, it is a rather weak position to maintain that by leaving the EU the UK will regain its normative freedom in the field. In fact, the result is likely to be quite the opposite, given that the UK Information Commissioner’s Office (ICO) will lose its voice at the EU level. This means that it will be excluded from the soon-to-be-born European Data Protection Board, to be introduced by the GDPR. Besides, by definition UK representatives will no longer be able to participate in the EU law-making process (at least not in the same way as their former partners).
It is a loss for both the EU and the UK. Yes, the European Data Protection Board would clearly have benefited from the ICO’s input, in the same way as the Article 29 Data Protection Working Party has benefited from it. This is true in particular as regards the development of best practices for impact assessments and anonymisation [even if the relationship between the two bodies has on occasion been cloudy… But isn’t that the case with all sibling relationships? See e.g. my previous post here on the GDPR and anonymisation].
The UK also had things to learn from the EU and its other partners. To take one example, and one example only, trust services and electronic identity (eID) schemes are not the most vibrant parts of the UK e-economy, at least in comparison with other Member States such as Estonia or Austria. It is almost a “lieu commun” (a commonplace) within the UK to present the defunct e-signature Directive 1999/93/EC as one of the most ineffective or pointless pieces of EU legislation. Yet, once again, the assessment is not the same in all corners of the Continent.
To push the argument further, the application of the eIDAS Regulation (Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market, which repeals Directive 1999/93/EC) from tomorrow, 1 July 2016, was (and for the Continent remains) a clear sign of hope. The eIDAS framework (the acronym stands for ‘electronic Identification, Authentication and trust Services’) aims at fostering exchanges between Member States, while ensuring “an adequate level of security of electronic identification means and trust services” [as per Article 1] in the information society. The eIDAS Regulation:
“(a) lays down the conditions under which Member States recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State;
(b) lays down rules for trust services, in particular for electronic transactions; and
(c) establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication”.
It is the last of the 12 key actions proposed in the Single Market Act and seeks to enable secure and seamless cross-border electronic interactions between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, e-business and e-commerce in the EU. And, of course, it is an understatement to say that the future is digital: electronic identification means and trust services will certainly be the foundations of this online world, if they are not already.
The UK eID scheme, GOV.UK Verify, is still officially in the making. However, more and more people refuse to be misled by the official discourse on its progress: without more resources and more exchanges with experts (including experts from EU countries such as Austria, Estonia, Germany and Belgium), its uptake within national borders is doomed, as is its interoperability with other EU schemes. Niko Tsakalakis et al. from the University of Southampton, for example, shed light in a recent paper on the limits of the UK’s approach to eID. It is possible, if not very likely, that Brexit will have a further chilling, if not freezing, effect on these developments, even though the UK Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (SI 2016 No. 696) were adopted to implement the eIDAS Regulation, come into force on 22 July 2016 and make the ICO the supervisory body.
While the eIDAS Regulation itself remains a high-level framework, several implementing acts have been adopted in its wake. These clarify some of the key issues, such as the content of the minimum data set for a natural person. Nevertheless, just as with any other piece of legislation, be it national or supra-national, the eIDAS Regulation is not perfect and uncertainties remain. In particular, its overlap and interplay with the GDPR is not entirely clear: to what extent is the eIDAS Regulation really technologically neutral, and does it encourage privacy by design and by default, given that it does not seem to fully support systems which rely on selective disclosure, such as the German system? To what extent should pseudonyms act as unique identifiers? What is the difference between eIDAS pseudonyms and data that has undergone pseudonymisation in the sense of the GDPR’s Article 4(5) definition? [Note in passing that Article 14, on international aspects of trust services, uses the term “legally equivalent”, and that was before the opinion of Advocate General Bot in Schrems!] The UK had the opportunity to be an active participant in this debate and to exchange with others.
Hopefully, “success does not consist in never making mistakes but in never making the same one a second time”, as a talented European who found a home in the UK once said.