
Data Privacy, Brexit and a British Bill of Rights

The possibility of the United Kingdom leaving the EU, colloquially known as a Brexit, or replacing the Human Rights Act 1998 (“HRA”) with a British Bill of Rights has generated many pages of newsprint and interesting academic debate about the constitutional impact. At the same time, the EU’s proposal for a General Data Protection Regulation (“GDPR”) is finally beginning to emerge from its legislative cocoon, but with a two-year implementation timetable the GDPR will not become law until 2018. How would these potential constitutional changes affect the regulatory landscape for data protection and privacy in the UK?

There is an array of scenarios in which these changes could play out, with various different types of Brexit mooted, and there would most likely be lengthy transitional arrangements. Following the UK government’s agreement with the EU Commission for certain reforms, the Conservative government is following its manifesto commitment to put the United Kingdom’s continued membership of the EU to a public vote, with a referendum scheduled for 23 June this year. On the other hand, the government’s plans for a British Bill of Rights to replace the HRA have been delayed due to the complexity of untangling the constitutional knot[1].

In this article, we consider the possible impact for data protection and privacy in the UK, taking into account some of the various permutations in which a Brexit or British Bill of Rights could come about.

Brexit

The precise form of Brexit would have a big impact on how the UK legislative landscape will change. The Data Protection Directive 95/46/EC (the “Directive”) and the E-Privacy Directive 2002/58/EC were implemented as UK law by the Data Protection Act 1998 (“DPA”) and PECR[2], and so their status in the UK as binding legislation would presumably be unaffected by a Brexit. The UK government would need to consider how EU case law is treated, but could be free to revisit the DPA and PECR and propose changes which differ from the respective Directives.

Following the Lisbon Treaty, the Charter of Fundamental Rights of the European Union (the “Charter”) has been part of EU law and binds member state national governments[3]. Article 8 of the Charter provides that everyone has a right to the protection of personal data concerning them, requires data to be processed fairly for specified purposes and on the basis of consent or some other legitimate basis laid down by law, and grants a right of access and a right to rectification. A Brexit is likely to break the link between the UK and these fundamental rights, including the right to protection of data. It would be interesting to see how this might unfold, as the nature of data protection as a fundamental right has been important to some more recent court decisions.

The Data Protection Directive and the GDPR both include restrictions on transfers of personal data outside the EEA, which can only be made if certain conditions are fulfilled. One possible Brexit scenario is that the UK becomes a member of the EEA like Norway and the other members of the European Free Trade Area. These countries are obliged to adopt certain EU legislation (including in relation to data protection), so in this scenario the UK would be required to comply with the Directive and the GDPR.

Alternatively, if the UK does not join the EEA following a Brexit, it may consider applying to the European Commission to be added to the white list of countries providing adequate protection of personal data. This could be granted on a temporary basis as part of transitional arrangements, but a permanent white-listing would not necessarily be a formality given GCHQ’s role in the PRISM allegations and other criticisms of the UK’s implementation of the Directive[4] as well as the effect of any potential UK legislative reforms such as the Investigatory Powers Bill.

If neither EEA membership nor a white list adequacy finding is achieved, then the UK could seek to agree an arrangement along the lines of the “Safe Harbor” and “Privacy Shield” deals agreed between the EU and the US. Pending any such arrangement, UK businesses would need to follow one of the other compliance routes to enable lawful transfers of personal data from the EU to the UK, such as entering into Standard Contractual Clauses with the European provider of personal data; implementing binding corporate rules; or ensuring the European provider of personal data has obtained the consent of the data subject to the transfer.

The timescales involved in a potential negotiated exit from the EU and the implementation of the GDPR are unclear, but there is a chance that the GDPR will have become live before the UK in fact leaves the EU. In the interim period between any final decision being taken to leave the EU and before the UK actually leaves, would the UK be bound by new EU regulations or required to implement EU directives?

In any case, following the implementation of the GDPR by the EU, a Brexit may have little impact on data protection in a post-Brexit UK due to the extra-territoriality requirements of the GDPR. British firms offering goods or services to EU residents or monitoring their behaviour will need to comply with the GDPR, regardless of whether the British firm is based in the EU. British firms, outside the EU, would need to examine their customer base to assess the extent to which they are required to comply with the GDPR.

There may, however, be increased compliance costs for British firms and firms wishing to trade in Britain, as they would be regulated by both the ICO in the UK and a lead regulator in an EU member state under the “one-stop-shop” approach. This is still an improvement on the current situation, where firms must deal with the regulator in each of the member states in which the firm is established or processes personal data. However, if the UK adopts the GDPR, then the ICO could be the lead regulator for British firms.

British Bill of Rights

At the moment, the content of any British Bill of Rights is a matter of speculation. However, Article 8 (right to respect for private and family life) of the Human Rights Act 1998 is a likely candidate for amendment given that the UK government has had a number of recent clashes, in particular in relation to the hastily-enacted (and soon to expire) Data Retention and Investigatory Powers Act 2014[5].

The HRA and the Data Protection Directive both have their origins in the European Convention of Human Rights (“ECHR”). Article 8 concerns respect for privacy rather than data protection, but the two frameworks are mutually supportive. We first examine the relationship between the HRA as it stands and the DPA before looking at the potential consequences of a move to a British Bill of Rights.

Article 8 (right to respect for private and family life)

The Article 8 right is a qualified right, which means that interference by a public authority is only permitted where in accordance with law and necessary in a democratic society for specified purposes (e.g. national security, public health and prevention of crime). The Data Protection Act 1998 sets out certain circumstances where personal information may be processed (by private entities as well as public authorities).

Lawfulness

Article 8 requires that any interference by a public authority in an individual’s right to privacy must be lawful. This corresponds with the lawfulness requirements in:

  • Principle 1 of the DPA: processing of personal data must be fair, lawful and satisfy one of the Schedule 2 conditions and, in the case of sensitive personal data, one of the Schedule 3 conditions;
  • Principle 2 of the DPA: processing of personal data must be for specified and lawful purposes; and
  • Principle 7 of the DPA: data controllers must protect personal data against unauthorised and unlawful access.

Necessary in a democratic society

Many of the Schedule 2 and 3 conditions include a necessity test, as does Principle 5 which requires that personal data processed for any purpose “shall not be kept for longer than is necessary for that purpose”. The courts have interpreted the DPA necessity test as analogous to the necessity test in the HRA[6]. If a public authority is retaining personal data longer than is necessary for the specified, lawful purpose, then (where this concerns an individual’s privacy) this may not be a justifiable interference in the individual’s privacy.

The European Court of Human Rights (“ECtHR”) assesses “necessity” by reference to whether there is a pressing social need for any interference with a right and whether that interference is proportionate. It will also look at any safeguards that have been put in place[7]. Similarly, when assessing necessity under the DPA, the proportionality, safeguards and justification will be examined by the courts.

Article 10 (freedom of expression)

The obverse of the right to privacy granted by Article 8 is the right to freedom of expression granted by Article 10. This right applies to everyone, and is again a qualified right subject to the same lawfulness and necessity tests for any interference.

Principle 1 of the DPA permits data controllers to process personal data where the processing is fair and lawful (see above) and satisfies a Schedule 2 condition and (in the case of sensitive personal data) a Schedule 3 condition. In the case of regular personal data, this includes where the processing is necessary for the legitimate interests of the data controller or the person to whom the personal data are disclosed, balanced against any unwarranted prejudice to the rights, freedoms or legitimate interests of the data subject. This restriction on the ability of data controllers to process personal data reflects the requirements of the HRA, that any interference must be necessary in a democratic society, i.e. that individuals should be protected from unwarranted prejudice to their rights, freedoms and legitimate interests.

The DPA sets out situations which limit freedom of expression, imposing conditions on the processing (including dissemination) of personal data, and the DPA itself is subject to Articles 8 and 10. In addition, the Information Commissioner’s Office is a public authority for the purposes of the HRA, so must act in a manner compatible with the ECHR, including when interpreting and enforcing legislation.

Potential consequences

A British Bill of Rights is likely to break the link between the DPA and the ECHR rights. The UK courts’ interpretation of “necessary” may therefore change to depart from the ECtHR’s interpretation. The HRA and ECHR currently treat public and private bodies differently, as the balance is weighted in favour of private rights and freedoms.

Repealing the HRA would give the UK government greater scope to amend data protection laws and to introduce data retention and investigation laws without the possibility of a court ruling that they are incompatible with rights under ECHR.

The EU acceded to the ECHR following the Lisbon Treaty[8], and as a result the UK is subject to the ECHR as a matter of EU law. Repeal of the HRA is therefore likely to impact the UK’s relationship with the EU. On the other side of the coin, a Brexit may facilitate the UK’s withdrawal from the ECHR by removing one of the barriers.

Conclusions

The GDPR will remain the centre of attention for data protection lawyers for the foreseeable future, but there could be changes to the regulatory landscape in the UK as a result of a Brexit or a British Bill of Rights. However, given the extra-territoriality of the GDPR’s requirements, British firms which trade with the EU are likely to be caught by the GDPR and so the effect of a Brexit on UK business may be limited.

The British state is less likely to be caught by the GDPR, so the main outcome of a Brexit or British Bill of Rights would be to increase the powers of the state to process, retain and monitor the data generated by its citizens.

For further information please contact Nicola Fulford, Michael Butterworth or James Leaton Gray.


[2] The Privacy and Electronic Communications (EC Directive) Regulations 2003

[3] Article 6, Treaty on European Union

[4] See European Commission press release IP/10/811 at http://europa.eu/rapid/press-release_IP-10-811_en.htm

[5] R (on the application of David Davis MP and Tom Watson MP) v Secretary of State for the Home Department [2015] EWHC 2092 (Admin)

[6] The Information Commissioner v Southampton City Council EA/2012/0171

[8] Article 6, Treaty on European Union