
The E.U.'s General Data Protection Regulation and Its Impact on England's Investigatory Powers Act of 2016

Patsy Ciardullo
The American University
International Law Review
First Draft Spring 2017-Option IV
Senior Note and Comment Editor: Valli Sanmugalingam & Janet Lee
Note and Comment Editor: Powell Wright & Gabriela Chambi
Abstract

The European Union's (E.U.) new General Data Protection Regulation (GDPR) will extend the legal power of the E.U. Commission, which is responsible for enforcing the GDPR beginning in 2018. The GDPR will resolve the existing conflicts among disparate data protection laws across the Union through a single legal framework applicable to all Member States. In addition, the GDPR will expand individual data protection rights. Since the United Kingdom was a Member State when the Regulation passed into law in 2016, and will not have exited the E.U. by 2018 when the GDPR will be enforced, it is still subject to the GDPR's data protection requirements. However, this is problematic for the UK for two reasons: (1) the UK adopted an expansive and invasive individual data privacy law known as the Investigatory Powers Act (IPA), which conflicts with the purpose of the GDPR, and (2) when the UK exits the E.U., UK businesses must still meet the adequacy jurisdiction requirements if they want to transfer or exchange data of citizens within the jurisdiction of the E.U. The UK could still adopt the GDPR to benefit from the data exchange regime on behalf of UK businesses, but doing so may require rescinding or modifying the IPA in its present form.


Abstract........................................................
I. Introduction .............................................. 1
II. Background ................................................ 6
A. Data Protection in E.U. Before The GDPR ................. 6
B. The Harmonization of Data Protection in the E.U ........ 11
C. The UK Decides to Exit the E.U. and Implements IPA ..... 22
D. Data Protection After Schrems and Watson ............... 26
III. Analysis ............................................... 29
A. The GDPR Augmented Individual Data Protection Rights
Because it Bolstered the Definition of Consent and Individual
Ownership of Data ........................................... 29
B. The GDPR has High Standards for Data Protection Because It
Will Not Grant Adequate Jurisdictions to Third-Party Countries
Indiscriminately ............................................ 36
C. England's IPA is Incompatible with GDPR because It
Violates The GDPR's Consent Requirement ...................... 40
D. Data Protection Requirements Between England and GDPR
Create a Burden for British Businesses because of the
Diverging Standards in Each Law ............................. 45
IV. Recommendations .......................................... 50
A. The GDPR's Procedural Vagueness Will Increase Operational
Costs for Businesses ........................................ 50
B. GDPR Should Have Defined the Process for Obtaining Consent
Explicitly .................................................. 51
C. The GDPR Reflects a Strong Commitment to Individual Data
Protection .................................................. 53
D. The UK Will Need to Broker a Data Exchange Agreement ... 54
V. Conclusion ............................................... 56

I. Introduction

Data privacy is relevant across all areas of public life, from government to social media.1 Article 8 of the European Convention on Human Rights states that everyone has the right "to respect for his private and family life, his home and his correspondence."2 This Article has served as the primary backbone of many of the holdings issued by the European Union Court of Justice (CJEU) protecting the rights to data privacy of European Union citizens.3

1 Gerald Oppenheim: Why We Are Launching Guidelines On Data

Consent, Civ. Soc'y (Jan. 20, 2017),

https://www.civilsociety.co.uk/voices/gerald-oppenheim-why-we-

are-launching-guidelines-on-data.

2 ECtHR, European Convention for the Protection of Human Rights

and Fundamental Freedoms art. 8, Nov. 4, 1950, 213 U.N.T.S 221

[hereinafter European Convention on Human Rights].

3 Case C-362/14, Maximillian Schrems v. Data Protection

Commissioner, 2015 E.C.R. 627, 105 (holding that where systemic

deficiencies exist in a Third Party country that is part of a

data exchange agreement to receive the personal data of E.U.

citizens, the "Member States must be able to take the measures

necessary to safeguard the fundamental rights protected by

The 1995 E.U. Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR), effective on May 25, 2018.4 The GDPR resulted from extensive negotiations between the European Commission, the European Parliament, and the Council of the European Union. Unlike a directive, a regulation under E.U. law is directly binding on the E.U. Member States.5

Articles 7 and 8 of the Charter"); see, e.g., Case C-698/15

Secretary of State for the Home Department v. Tom Watson, 2016

E.C.R. 572 para. 128 (arguing that the right to privacy has been

enshrined in Article 7 of the European Charter as well as the

corollary right to data protection guaranteed in Article 8 of

the European Charter, and that any interference with these

rights is an effective violation of these rights).

4 Regulation 2016/679 of The European Parliament and of the

Council of 8 April 2016 on the protection of natural persons

with regard to the processing of personal data and on the free

movement of such data, and repealing Directive 95/46/EC (General

Data Protection Regulation), 2016 O.J. (L. 119) 1, [hereinafter

General Data Protection Regulation].

5 Id.

The GDPR outlines the requirements governments must meet to permit access to an individual's personal data6 and the procedures for protecting individual data privacy.7 The GDPR,

6 See General Data Protection Regulation, supra note 4, art. 4

(defining personal data as any information relating to a data

subject which reveals the name, an identification number,

location data, an online identifier or to one or more factors

specific to the physical, physiological, genetic, mental,

economic, cultural or social identity of that data subject).

See generally Martha Finnemore & Duncan B. Hollis, Constructing

Norms for Global Cybersecurity, 110 Am. J. of Intl L. 425, 425-

26 (2016) (discussing calls for norms to control government

invasion of individual privacy in cyberspace).

7 European Commission Press Release, Agreement on Commission's

Data Protection Reform Will Boost Digital Single Market (Dec.

15, 2015), http://europa.eu/rapid/press-release_IP-15-

6321_en.htm [hereinafter Data Protection Reform](explaining that

ninety percent of the European population wanted homogeneous

data protection rights in all E.U. member states; this public

sentiment was part of the impetus for reforming the data

protection Directive and replacing it with the GDPR, which will

put an end to the patchwork of data protection rules that

currently exists in the E.U.).

however, also falls within a broader scope of what data privacy is and its role within Internet governance.8 Specifically, the GDPR is the Member States' response to E.U. citizens' demands for more data privacy rights.9 The individual's right to data privacy will be further enhanced through the implementation of the European Union's GDPR, entering into effect in 2018. UK companies doing business in the E.U. post-Brexit will be subject to the rules and regulations of the GDPR.10 The GDPR, however, directly conflicts with the UK's invasive Investigatory Powers

8 See Finnemore & Hollis, Constructing Norms for Global

Cybersecurity, supra note 6, at 425-26 (2016); see also What is

the General Data Protection Regulation and why should you care?,

Network World (Nov. 15, 2016), http://www.networkworld.com/

article/3140459/compliance/what-is-the-general-data-protection-

regulation-and-why-should-you-care.html (explaining why we

should care about the General Data Protection Regulation and the

impact that the new legal framework will have around the world).

9 Data Protection Reform, supra note 7 (reiterating that as

drafted the anticipated reform package will consolidate and

harmonize data protection laws across the E.U.).


10 Brexit To Further Splinter Global Data Protection Rules, L.

360 (June 4, 2016), https://www.law360.com/articles/

810750/brexit-to-further-splinter-global-data-protection-rules.

Act, passed into law in 2016, because the UK's law violates GDPR consent and data minimization principles.11

This Comment discusses the GDPR's operational impact on processing personal data and the new enhancement of subjects' rights with respect to their own data. As the E.U.'s new law, it will impact countries outside of the E.U. whose laws are incompatible with the data protection rights afforded by the GDPR. Part II discusses the history of the previous Directive, which the GDPR replaces, and the reasons that the old data protection framework became obsolete. It also explains the convergence of the UK's position in meeting the GDPR's regulatory demands amidst its transition out of the E.U. while at the same time having enacted the arguably conflicting Investigatory Powers Act. Part III analyzes the GDPR's substantive provisions and how they will harmonize disparate data protection laws across the E.U., including those expanding individual data protection rights. It also analyzes why the UK must rescind or modify the IPA if UK companies doing business in the E.U. are to remain compliant with the GDPR's requirements. Part IV includes recommendations relating to the strengths and weaknesses of certain GDPR provisions and terms, as well as the impact of the GDPR on data exchanges.

11 Id.

II. Background

A. Data Protection in E.U. Before The GDPR

The E.U. Data Protection Directive (the "Directive"), formally titled Directive 95/46/EC,12 served as the primary data protection law.13 The E.U. designed the law to protect the privacy of all personal data collected on citizens of the E.U. with respect to processing, using, or exchanging such data.14

The Directive directly encompassed all key elements from Article 8 of the European Convention on Human Rights.15 As

12 Directive 1995/46 of The European Parliament and of the

Council of 24 October 1995 on the protection of individuals with

regard to the processing of personal data and on the free

movement of such data, 1995 O.J. (L. 281) 31, [hereinafter

Directive 1995/46].

13 Albert H. Kritzer & Francesco G. Mazzotta, The New E.U.

General Data Protection Regulation and Its International Impact

on Business, in Intl Cont. Manual 45-4 (Kritzer & Mazzotta,

2016) [hereinafter Kritzer & Mazzotta, The New E.U. General Data

Protection Regulation].

14 Id.
15 Directive 1995/46, supra note 12, at 38 (specifying that the object of the national laws on the

drafted and implemented, the Directive was applicable to all Member States.16 However, since the Directive was not a regulation, Member States could implement it in the way they saw fit.17 National authorities in turn had to create or adapt their legislation to meet these aims by the date specified in the Directive.18

While the Directive permitted leeway in how E.U. Member States could enforce their own data protection laws, the Directive imposed restrictions on data transfers outside of E.U. countries. Article 25(1) of the Directive stipulated the

processing of personal data is to protect fundamental rights and

freedoms, notably the right to privacy which is recognized both

in Article 8 of the European Convention for the Protection of

Human Rights and Fundamental Freedoms); Definition E.U. Data

Protection Directive (Directive 95/46/EC), Whatis.com (Jan.

2008), http://whatis.techtarget.

com/definition/EU-Data-Protection-Directive-Directive-95-46-EC.
16 Directive 1995/46, supra note 12, at 38.

17 Id. (noting in Article 5 that Member States were to decide how

to draft laws that were compatible with the objectives of the

data processing as laid out in the Directive).

18 Id.

requirements for data transfers to countries outside of the E.U.19 Here, the E.U. stated that personal data transfers could only occur if they were without prejudice to compliance with the Directive.20 Furthermore, personal data transfers to jurisdictions outside of the E.U., including Third-Party countries, can occur under two conditions: first, the destination has been the subject of an adequacy decision,21 or second, the transfer is subject to appropriate safeguards to protect the personal data.22

Article 6 of the Directive sets out principles relating to data quality.23 Member States had to ensure that data was

19 Id.

20 Id.

21 IT Governance Privacy Team, Chapter 13: Managing Personal Data

Internationally, in E.U. General Data Protection Regulation

(GDPR): An Implementation and Compliance Guide (IT Gov. Ltd.

Nov. 2018) https://www.safaribooksonline.com/library/view/eu-

general-data/9781849288378/xhtml/chapter_13.html# [hereinafter

IT Governance Privacy Team, Managing Personal Data

Internationally].

22 Id.
23 Directive 1995/46, supra note 12, at 40.

processed "fairly and lawfully," collected "for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes."24 The Directive required Member States to ensure that personal data was collected in a manner that was "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed."25

The Directive was deemed inadequate in its ability to protect individual rights principally because of data leaks that were the subjects of European Court of Justice cases.26 Revelations that the United States was spying on E.U. citizens27 by accessing

24 Id.

25 Id.

26 See Case C-698/15 Secretary of State for the Home Department v. Tom Watson, 2016 E.C.R. 572, para. 34; e.g., Maximillian Schrems, supra note 3, at 627; Case C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González, 2013 E.C.R. 424.

27 See Maximillian Schrems, supra note 3, at 627 (noting that Snowden's revelations brought to light the existence of large-scale information-gathering programmes [sic] in the United States which raised serious concerns as to whether the requirements of E.U. law [were] observed when personal data

their personal data to track terrorists in countries within the E.U. were disclosed.28 As a result, Maximillian Schrems brought his case to the ECJ and prevailed, effectively striking down the E.U. Safe Harbor Agreement.29

[was] transferred to the United States, and more importantly

called into question the inconsistency of the safe harbor [sic]

scheme).

28 Snowden, Schrems, Safe Harbor ... It's Time To Rethink Privacy

Policies, Says FTC Commish, The Reg. (Oct. 25, 2015),

https://www.theregister.co.uk/2015/10/23/ftc_eu_safe_harbor/.

29 See Maximillian Schrems, supra note 3, paras. 157-59 (stating

that the scale and scope of United States surveillance

programmes [sic] raised concerns over the continuity of

protection of personal data lawfully transferred to the United

States under the safe harbour scheme and that it became

apparent that there existed collusion between businesses

certified under the Safe Harbor Agreement who then also granted

access to United States authorities to data stored and

processed in the United States, which simply made the safe

harbour [sic] scheme one of the conduits through which access is

given to United States intelligence authorities to the

collecting of personal data initially processed in the European

Union.). But see Timothy Edgar, Schrems v. Data Protection

In 2014 England enacted the Data Retention and Investigatory Powers Act 2014 (DRIPA).30 DRIPA established England's framework for surveillance of personal data by requiring Internet and phone companies to keep Internet connection records, tracking every website visited (but not every page), for a maximum of 12 months.31 The law notably did not require a warrant for the police, security services, or other bodies to access the data.32

Commissioner: Some Inconvenient Truths The European Court of

Justice Ignores, LAWFARE (Oct. 6, 2015), (noting that the

Schrems case ignores the fact that data found in the E.U. is

more easily susceptible to spying without oversight because

when such data about non-US citizens is located outside the

United States, the NSA needs no court order to collect it).

30 Data Retention and Investigatory Powers Act 2014, c.27,

(Eng.).

31 Theresa May Unveils UK Surveillance Measures in Wake of

Snowden Claims, The Guardian (Nov. 4, 2015), https://www.

theguardian.com/world/2015/nov/04/theresa-may-surveillance-

measures-edward-snowden.

32 Id.

B. The Harmonization of Data Protection in the E.U.

The General Data Protection Regulation, which became law on April 27, 2016 but is not effective law until May 25, 2018, replaced the Directive.33 The GDPR intends to synchronize privacy rights across Member States of the E.U.34 Although the GDPR leaves room for maneuver in the application of the Regulation, it does not permit Member States to modify the substantive standard of protection.35

The GDPR has six principles which, while not formally stated as principles in the text of the Regulation,36 are

33 A Primer on the GDPR: What You Need to Know, Proskauer (Dec. 25,

2015), http://privacylaw.proskauer.com/2015/12/articles/european-

union/a-primer-on-the-gdpr-what-you-need-to-know/.

34 Kritzer & Mazzotta, The New E.U. General Data Protection

Regulation, supra note 13 (explaining that the GDPR seeks to

harmonize the so far highly inconsistent European data

protection law).

35 Id.

36 IT Governance Privacy Team, Chapter 4: Six Privacy Principles,

in E.U. General Data Protection Regulation (GDPR): An

Implementation and Compliance Guide (IT Gov. Ltd.),

https://www.safaribooksonline.com/library/view/eu-general-

commonly referred to as such.37 The principles emanate from Article 538 and guide compliance with the Regulation.39 The six principles are: lawfulness, fairness and transparency;40 purpose

data/9781849288378/xhtml/chapter_04.html# [hereinafter IT

Governance Privacy Team, Six Privacy Principles].

37 Id.

38 General Data Protection Regulation, supra note 4 art. 5.

39 Chapter 6: Data Protection Principles Unlocking the E.U.

General Data Protection Regulation, White & Case (Jul. 22,

2016), https://www.whitecase.com/publications/article/chapter-6-

data-protection-principles-unlocking-eu-general-data-protection.

40 IT Governance Privacy Team, Six Privacy Principles, supra note

36 (The three components of this principle are clearly linked:

the data subject must be told what processing will occur

(transparent), the processing must match this description

(fair), and the processing must be for one of the purposes

specified in the Regulation (lawful).).

limitation;41 data minimization;42 accuracy;43 storage limitation;44 and integrity and confidentiality.45

41 Id. (noting that compliance with the purpose limitation

principle means that the data subject must be told what the

data will be used for and limit the processing to only what is

necessary to meet that purpose.).

42 Id. (meaning that for the sake of data minimization only

relevant data should be retained and that companies should not

hold more data beyond what is strictly required.).

43 Id. (attempting to curtail the profiling of data subjects with

incorrect information).

44 Id. (explaining that if the data is no longer needed it should

be deleted, i.e. once the purpose for which it was collected is

fulfilled the data is no longer required).

45 Id. (pointing out that per the requirement of the GDPR,

personal data must be classified as confidential even within

an organization to protect the data subject because not everyone

within a business needs to be privy to the personal information

of a data subject unless it is somehow connected with their

work).

The GDPR redefines what information constitutes personal data46 and what consent47 means under the new regime. It further expands the subject's rights to know a company's process for accessing his or her information, and the reasons for accessing that information.48 Expanding data subject rights for accountability is a reiteration of the transparency principle.49 The GDPR's requirements for transparency are greater than under the Directive, which only required that information be in an
46 Chapter 5: Key Definitions Unlocking the E.U. General Data

Protection Regulation, White & Case (Jul. 22, 2016),

https://www.whitecase.com/publications/article/chapter-5-key-

definitions-unlocking-eu-general-data-protection-regulation#.
47 IT Governance Privacy Team, Chapter 10: Consent, in E.U.

General Data Protection Regulation (GDPR): An Implementation and

Compliance Guide (IT Gov. Ltd.) https://www.safaribook

sonline.com/library/view/eu-general-data/9781849288378/

xhtml/chapter_10.html.

48 IT Governance Privacy Team, Chapter 9: Data Subjects' Rights, in E.U. General Data Protection Regulation (GDPR): An Implementation and Compliance Guide (IT Gov. Ltd.) [hereinafter IT Governance Privacy Team, Data Subjects' Rights].

49 IT Governance Privacy Team, Six Privacy Principles, supra note

36.

intelligible form.50 For example, the right to information under the GDPR requires that data controllers provide minimum levels of information to data subjects to demonstrate that their personal data is fairly collected and processed.51 Moreover, the individual whose personal consent was obtained and given can exercise the right to seek confirmation regarding what personal data is being processed by the controller or a Third-Party processor.52 The GDPR does not allow the controller to deny the individual exercising his or her right to information.53

50 Id.

51 IT Governance Privacy Team, Data Subjects' Rights, supra note

48.

52 See id. (seeking information about personal data being

processed also gives the individual a right to access a copy of

that data which is being processed, to find out the purposes

of processing the data and the period of retention that the

controller will have the personal data).

53 IT Governance Privacy Team, Data Subjects' Rights, supra note

48 (noting that article 12 of the GDPR asks that this

information be provided in a manner that is concise,

transparent, intelligible and easily accessible form, using

clear and plain language, in particular for any information

addressed specifically to a child).

The GDPR will utilize the One-Stop-Shop theory to standardize access to personal data for data controllers.54 Under the Directive, data controllers that operated in more than one E.U. Member State also dealt with multiple Supervisory Authorities (SAs) and their jurisdictions.55 The GDPR plans to synthesize the regulatory obligations through a Lead SA for data controllers operating in multiple jurisdictions.56 Each Member State will still have national SAs,57 whose job function will be

54 Id.

55 Id. (noting that under the Data Protection Directive means

that often these SAs are enforcing distinct data protection

requirements, producing diverse best practice guidelines and

setting very different enforcement priorities.).

56 See id. (explaining that the Commission initially intended to

appoint only one SA who would be solely and wholly responsible

for supervising all data processing by data controllers which

had their main establishment within its territory was abandoned

because of the likelihood that data controllers with broad

processing activities would engage in forum shopping and the

difficulties that data subjects would encounter in seeking to

enforce their rights in jurisdictions distant from their own.).

57 See id. (operating under the One Stop Shop Procedure of the

GDPR imposes on SAs obligations to provide one another with

to investigate and enforce the GDPR whenever a complaint is filed.58 Each Member State's SA will investigate data privacy infringements within its Member State which impact data subjects located within it.59

Each National SA has jurisdictional power over the domestic needs of data control of the Member State in which the SA is located. However, if the National SA commences an investigation that may overlap with the role of the Lead SA, it must inform the Lead SA.60 The Co-operation Procedure is a part of the GDPR's attempt

mutual assistance by responding to information requests,

obtaining requisite authorizations, carrying out inspections,

investigations and consultations, and implementing supervisory

measures.).

58 Id.
59 Richard Craig, The One-Stop Shop, Taylor Wessing (Apr. 2016),

https://www.taylorwessing.com/globaldatahub/article-the-one-

stop-shop.html (noting that the European Data Protection Board

(EDPB) will provide guidance on the scope of the term

substantially").

60 See id. (explaining that the Lead SA is permitted a three-week

period in which it can determine if it wishes to intervene and

apply the co-operation procedure, in which case the National SA

can produce draft decisions for the Lead SA's consideration,

to have all Lead SAs collaborate with Concerned Supervisory Authorities (CSAs), with whom Lead SAs have an obligation to co-operate in their investigations.61 The GDPR will facilitate data transfer outside of the E.U.62 The Article 29 Working Party, which drafted the GDPR, also created the Binding Corporate Rules (BCRs) for businesses engaged in data transfers outside the E.U.63 The goal of the BCRs was to permit multinational corporations to transfer personal data across borders.64

but the Lead SA can also decline to investigate allowing the

National SA to carry out its investigation on its own).

61 See id. (following the Co-Operation Procedure means the Lead SAs must provide information to CSAs and endeavor to reach a consensus on their decisions, seek CSAs' assistance, and conduct joint investigations within the CSA's territory [and] submit drafts of their decisions to CSAs).

62 Francoise Gilbert, E.U. General Data Protection Regulation:

What Impact for Businesses Established Outside the E.U.,

Martindale (May 10, 2016), http://www.martindale.com/internet-

law/article_Greenberg-Traurig-LLP_2228098.htm.

63 Id.

64 Id.

Unlike the Directive, under which only some Member States recognized BCRs,65 the GDPR formally recognizes the use of BCRs by creating a consistency mechanism that makes the approval system more efficient and less onerous than the current one.66 The GDPR will also standardize contractual data protection clauses by approving codes of conduct that include enforceable commitments of the controller or processor in the recipient country to apply the appropriate safeguards, including with respect to the data subjects' rights.67

Once GDPR legislation takes full effect in 2018, countries outside the E.U. must apply the same standard of protection to E.U. citizens as the GDPR affords them in order to do business with or access the personal data of E.U. citizens.68 Consent must be

65 See id. (explaining that only about two-thirds of the Member

States recognized BCRs under the Directive and that the process

for getting approval required multiple approvals, which would

take anywhere between eighteen or twenty-four months).

66 Id.

67 Gilbert, E.U. General Data Protection Regulation: What Impact

for Businesses Established Outside the E.U., supra note 62.


68 Top 10 Operational Impacts of the GDPR: Part 3 Consent, The

Privacy Advisor (Jan. 12, 2016), https://iapp.org/news/a/top-10-

operational-impacts-of-the-gdpr-part-3-consent/.

unambiguous, can be revocable, and can only be obtained through a clear affirmative action by the data subject.69 No bundling of consent in a single action is allowed.70 Nor can companies deny access to a service if the user does not give consent.71

Data subjects are entitled to seek judicial remedies against controllers and processors for damages arising from breaches of the GDPR.72 The GDPR makes a controller directly liable for the damage caused by processing that infringes the Regulation.73 While, as a jurisdictional limit, the data breach must affect an E.U. data subject's rights, the controller is responsible for ensuring the security of any personal data that

69 Id.

70 Id.
71 Top 10 Operational Impacts of the GDPR: Part 3 Consent, The

Privacy Advisor, supra note 68 (elaborating on the role of the

controller by explaining that a controller may not make a

service conditional upon consent, unless the processing is

necessary for the service.).

72 IT Governance Privacy Team, Data Subjects' Rights, supra note

48.

73 Id.

is passed to a processor, whether that processor is inside or outside the E.U.74

C. The UK Decides to Exit the E.U. and Implements IPA

The United Kingdom decided to leave the European Union on June 23, 2016.75 The UK has created further uncertainty by enacting the Investigatory Powers Act (IPA). The Act received Royal Assent on November 29, 2016.76 The IPA creates a massive expansion of the powers of the government to collect personal data, with few if any safeguards on government intelligence agencies.77 The law, once in effect, will require telecommunication companies to keep a list of every site visited or call made, with the date, time, and duration of these actions

74 Id.

75 Brexit To Further Splinter Global Data Protection Rules, supra note 10.

76 Madhumita Murgia, George Parker & Jim Brunsden, E.U.'s Highest

Court Declares UK Surveillance Powers Illegal, Fin. Times (Dec.

22, 2016), https://www.ft.com/content/f847f522-c761-11e6-8f29-

9445cac8966f.

77 'Extreme Surveillance' Becomes UK Law with Barely a Whimper,

The Guardian (Nov. 19, 2016), https://www.theguardian.com

/world/2016/nov/19/extreme-surveillance-becomes-uk-law-with-

barely-a-whimper.

included.78 The UK Information Commissioner, Elizabeth Denham, is charged with overseeing the implementation of the GDPR and the IPA, and to date has claimed that the UK will follow the GDPR.79 However, the IPA will not be limited to data obtained for criminal investigations; rather, companies can be asked by the government to provide data for any reason.80 Government bodies will be permitted access to devices, allowing them to reach masses of stored personal data, even if the person under scrutiny is not suspected of any wrongdoing.81 Moreover, the IPA grants new powers to gather and retain data on citizens, and new ways to

78 See Murgia, E.U.'s Highest Court Declares UK Surveillance Powers

Illegal, supra note 76.


79 Alison Deighton, New UK Information Commissioner, TLT (Aug.

19, 2016), http://www.tltsolicitors.com/insights-and-

events/insight/new-uk-information-commissioner/.

80 Brexit To Further Splinter Global Data Protection Rules, supra note 10.

81 The UK Now Wields Unprecedented Surveillance Powers Here's

What It Means, The Verge (Nov. 29, 2016), http://www.theverge.

com/2016/11/23/13718768/uk-surveillance-laws-explained-

investigatory-powers-bill.

force technology companies and others to hand over the data that they have about people to intelligence agencies.82

By granting such powers to spying agencies, the IPA will enable access to records of all Internet activity without requiring warrants.83 The IPA has raised substantial concern in the E.U. due to its perceived invasiveness to the data privacy rights of individuals.84 The primary concern is that through the IPA the UK will require UK-based businesses not only to retain

82 Investigatory Powers Act Goes Into Force, Putting UK Citizens Under Intense New Spying Regime, The Indep. (Dec. 27, 2016), http://www.independent.co.uk/life-style/gadgets-and-tech/news/investigatory-powers-act-bill-snoopers-charter-spying-law-powers-theresa-may-a7503616.html; The UK Now Wields Unprecedented Surveillance Powers: Here's What It Means, supra note 81.

83 The UK Now Wields Unprecedented Surveillance Powers: Here's What It Means, supra note 81.

84 Government is Breaking the Law by Collecting Everyone's

Internet and Call Data and Accessing it with no Independent

Sign-Off and no Suspicion Of Serious Crime, Liberty (Dec. 21,

2016), https://www.liberty-human-rights.org.uk/news/press-

releases-and-statements/government-breaking-law-collecting-

everyones-internet-and-call.

personal information for their clients which may be accessed in the future, but also to decrypt such information at a moment's notice.85 Under the IPA, many government agencies86 will be able to access the communications of UK citizens, in some cases without a warrant. As noted, the only way that UK businesses will have access to the personal data of individuals in Europe

85 Phil Muncaster, GDPR and Snooper's Charter: A Marriage Made in Hell, Phil Muncaster Tech. Writer (Feb. 24, 2017), https://philmuncaster.com/2017/02/24/gdpr-and-snoopers-charter-a-marriage-made-in-hell/ (noting that the politicians in support of this law fundamentally misunderstand what they are asking for: [they] really just want back-end access so that they can access the cloud, and they want access to data in transit as opposed to data already at rest on the device, all of which has caused concern among technology and communication companies).

86 Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76 (including agencies ranging from the police, HM Revenue & Customs, customs officials and intelligence agencies to the NHS, the Department of Health, the Food Standards Agency and the Gambling Commission).

is by obtaining an adequacy jurisdiction ruling or having the UK

adopt the GDPR in its entirety.87

D. Data Protection After Schrems and Watson

In Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) the CJEU struck down the E.U.-US Safe Harbor Decision, which served as the template for data transfer agreements between Third-Party Countries and the E.U.88 In its decision the Court ruled that transfers of personal data involving E.U. citizens and countries outside the E.U. could only take place where the non-E.U. country provided adequate protection to that data.89 The standard requirement was that it provided a level of protection that was essentially equivalent to that guaranteed by the E.U. through the Data Protection Directive 95/46/EC.90 The term equivalence meant that the domestic laws and treaties of the non-E.U. country must offer

87 Simon Jay, Colin Pearson & Natalie Farmer, Some Reflections on

Brexit and the U.K. Data Protection Regime, 28 Intell. Prop. &

Tech. L. J. 18, 19 (2016).

88 Maximillian Schrems, supra note 3, at 105.

89 Id.

90 Id.

an adequate level of protection of personal data belonging to the E.U. citizen.91

Similarly, in Tele2 Sverige/Watson & Ors (C-203/15 and C-698/15), the CJEU ruled that the mass data retention powers found in DRIPA were illegal.92 This ruling signaled to the UK that mass data retention laws were illegal.93 At the time, two English Members of Parliament, Tom Watson and David Davis, claimed that the law violated Articles 7 and 8 of the European Union Charter of Fundamental Rights. This claim became the subject of a lawsuit in which the ECJ struck down the law on appeal.94 The Watson ruling caused UK businesses uncertainty because it forbids the sharing of personal data with countries that do not meet the equivalent of the GDPR's strict data privacy standards.95

91 Id.

92 Case C-698/15 Secretary of State for the Home Department v.

Tom Watson, 2016 E.C.R. 572, para. 128.

93 Id.

94 See Maximillian Schrems, supra note 3, para. 158; Theresa May

Unveils UK Surveillance Measures in Wake of Snowden Claims,

supra note 31.

95 Brexit Will Happen. The E.U. GDPR Will Happen. You Can't Avoid Either, The Reg. (Sept. 16, 2016), https://www.theregister.co.uk/2016/09/16/data_centres_processors_gdpr_uk_vs_eu/.

From its inception the IPA was scrutinized by human rights organizations, which criticized the law and pointed out that the government is breaking the law by openly collecting Internet activity and phone records.96 Some legal experts say that, based on the CJEU's ruling on the DRIPA 2014 law, the UK government may ultimately either amend the IPA or limit it in some way.97

96 See Government is Breaking the Law by Collecting Everyone's Internet and Call Data and Accessing it with no Independent Sign-Off and no Suspicion of Serious Crime, supra note 84 (explaining that the Investigatory Powers Act's principal impact includes legalization of unprecedented bulk spying powers, including bulk hacking, interception of phone calls and emails on an industrial scale, and collection of huge databases containing sensitive information on millions of people which could integrate records such as Oyster card logs and Facebook back-ups).

97 See generally Snooper's Charter: Bulk Internet Data Collection Ruled Illegal by E.U. Court, CityA.M. (Dec. 21, 2016), http://www.cityam.com/256017/snoopers-charter-internet-data-collection-ruled-illegal-eu; Contra UK Snoopers' Charter Rolled Out Despite 'Intrusive Surveillance' Legal Challenge, (explaining that the CJEU ruled on the now-expired DRIPA law,

III. Analysis

A. The GDPR Augmented Individual Data Protection Rights

Because it Bolstered the Definition of Consent and

Individual Ownership of Data

In its capacity as a consumer protection law, the GDPR will endow citizens with new digital rights, such as the right to erasure, known as the right to be forgotten.98 For UK-based businesses, an inherent conflict will exist between complying with aspects of the GDPR that enhance data privacy99 and, at the same time, adhering to conflicting provisions of the IPA.100 For example, under the IPA, if a communications company informs a

the IPA, enacted the same month as the ruling, is still in effect).

98 IT Governance Privacy Team, Data Subjects' Rights, supra note 48 (noting that the GDPR has codified the principle of the right to be forgotten in Article 17, under which data subjects can now proactively request that information be erased if they withdraw consent or there is an issue with the underlying legality of the processing, and that in order for data processing companies to remain compliant with the GDPR they must abide by these requests and remove the personal data).

99 Id.

100 Investigatory Powers Act 2016, c. 25, § 61(7)(a) (Eng.).

data subject that it holds their data, it must also inform them that the data will be retained for an indefinite period of time, thereby violating the GDPR's requirement that data be retained only for a specific period of time.101

A similar dilemma exists with respect to a data subject withdrawing consent, which a subject has a right to do under the GDPR.102 The GDPR does not allow a data subject to withdraw consent if the data has been shared with the government, as required by the IPA, because the government has now become a controller of the data too.103 For the IPA to conform to the GDPR, it must apply the GDPR provisions allowing data subjects the right to withdraw consent to having their data retained.104

101 Id.

102 IT Governance Privacy Team, Chapter 10: Consent, supra note

47.

103 See generally Bert-Jaap Koops, The Trouble with European Data Protection Law, 4 Int'l Data Privacy L. 250 (2014); Matt Burgess, Leaked Documents Reveal How The Government Will Demand Your Data Under The Snooper's Charter, WIRED (May 5, 2017), http://www.wired.co.uk/article/uk-government-encryption-snoopers-charter.

104 See General Data Protection Regulation, supra note 4, art 5.

The IPA and GDPR conflict precisely on the issue of consent: the IPA completely disregards this requirement, while the GDPR emphasizes that obtaining and rescinding consent ensures that the data subject is in control of his or her own data. The IPA is not concerned with these individual rights, since they are not taken into consideration when the government wants to collect and investigate the personal data of an individual to advance a national security objective.105 Thus, UK businesses will face a legal conflict between these laws because they must collect, retain and decrypt data to comply with the IPA.106 However, under the GDPR, UK businesses would not be able to collect or receive such personal data, since the GDPR requires data collection to be kept to a minimum and only for the specified purposes for which consent was granted.107

The GDPR's provisions granting individuals ownership of their own personal data are required to limit the control

105 Phil Muncaster, GDPR and Snooper's Charter: A Marriage Made in Hell, supra note 85.

106 Phil Muncaster, GDPR and Snooper's Charter: A Marriage Made in Hell, supra note 85; GDPR - (New) Rights of the Data Subject, Loyens Loeff (Aug. 25, 2016), http://www.loyensloeff.com/en-us/news-events/news/gdpr-new-rights-of-the-data-subject.

107 See Background, supra Part II.C.

communications service providers have over personal data.108 By contrast, requiring communications companies to comply with the IPA for national security or other national purposes amounts to a law of sweeping scope, justifying virtually any form of data collection for potential crimes.109 As such, the IPA severely limits individuals' rights to know what their data is being used for, because the individual's consent will not be sought when data is collected under the IPA. Under the GDPR, an individual's consent would be granted only for a specific transaction, because a consumer gives a communication company consent for a specific purpose that cannot be changed or expanded without the consent becoming void. Any additional processing, like sharing personal data with an enforcement agency, would then violate data minimization because the original consent was not given with the law enforcement agency in mind.110 Consent thus functions like a contract between the data subject and the data controller. By involving a third party who is not party to the original consent given, the IPA would force companies to serve

108 Id.

109 See Background, supra Part II.D.

110 Chapter 6: Data Protection Principles Unlocking the E.U.

General Data Protection Regulation, supra note 39.

as a proxy for the government's data collection activities. This profound difference between the IPA and the GDPR remains unreconciled.

The GDPR is more effective because it will require greater transparency: consent must be obtained from users, data subjects have a right to know the foreseen retention period of their personal data, and they have the right to withdraw consent at any moment.111 These rights ensure that when consent to process data is obtained, it is for a specific purpose and time frame. Thus the data subject retains control of his or her data to the extent that there is a clear sense of where the data is and why the data is being retained.112 The only way to guarantee valid consent is by obtaining it through concise and transparent language as required by the GDPR.113 The IPA, by contrast, bypasses this crucial requirement by not disclosing why an individual's data might be retained.

The GDPR procedurally allows data subjects to request

information from a data controller regarding personal

111 How the General Data Protection Regulation (GDPR) Expands

Privacy Data Scope and Provides New Rights of Data Control to

Customers, supra note Error! Bookmark not defined..

112 Id.

113 GDPR - (New) Rights of the Data Subject, supra note 106.

information that the data controller holds on the individual.114 The GDPR places the responsibility on data controllers to grant a data subject access to their data.115 The IPA undermines this individual access to personal data by indiscriminately retaining data without specifying procedures for the retention and deletion of personal data. In addition, the data subject has the right to seek access to the specific data being processed by requesting that the data controller grant access to that personal data and provide a copy of the data to the data subject.116

The right to be forgotten also creates the corresponding responsibility on the part of the data controller to ensure that requests to erase any link to, copy or replication of this personal data are acknowledged and complied with.117 In this regard, the right to be forgotten will mean that data subjects own their personal data and can make informed decisions about how data exists on the Internet.118 This right showcases the E.U.'s commitment to allowing individuals control of their own data by limiting the length of time and the scope for which their personal

114 Id.

115 Id.

116 GDPR - (New) Rights of the Data Subject, supra note 106.

117 Id.

118 Id.

information may be held. It also forces a level of compliance from companies to ensure that these types of requests are acknowledged as they are made.119 The right to withdraw consent triggers an obligation on the part of the data controller to detail precisely what the data subject's personal information will be used for, and the power to withdraw consent will in the end be what puts invasive laws like the IPA to rest.120

A company that does not comply with these requests would be in violation and thus open to a potential lawsuit or sanctions under the GDPR.121 For example, a UK-based company with other affiliates or offices within the E.U. cannot validly process those employees' GDPR-protected data. These employees must consent to have their data processed outside of the E.U.; otherwise the UK-based company will open itself up to possible sanctions.122

119 Id.

120 IT Governance Privacy Team, Six Privacy Principles, supra

note 36; GDPR - (New) Rights of the Data Subject, supra note

106.

121 A Primer on the GDPR: What You Need to Know, supra note 33.

122 Chapter 16: Remedies and sanctions Unlocking the E.U.

General Data Protection Regulation, White & Case (Jul. 22,

2016), https://www.whitecase.com/publications/article/chapter-

16-remedies-and-sanctions-unlocking-eu-general-data-protection.


B. The GDPR has High Standards for Data Protection Because

It Will Not Grant Adequate Jurisdictions to Third-Party

Countries Indiscriminately

After the UK exits from the E.U., it will be a Third-Party Country.123 An adequacy decision must be granted under the GDPR to ensure that the UK will provide adequate protection to the personal information that is being processed there.124 For example, the

123 Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76.

124 Opinion 4/2016 On the E.U.-US Privacy Shield Draft Adequacy Decision, European Data Protection Supervisor [hereinafter Opinion 4/2016 E.U.-US Privacy Shield] (noting that any agreement between the E.U. and a Third-Party Country will require that the data transfer framework reflects the shared democratic and individual rights-based values which are expressed in the E.U., and that in order for the EDPS to make a recommendation for an adequacy decision the Third-Party Country must move away from indiscriminate surveillance on a general basis to a more

GDPR can only ensure adequate protection of personal information being processed in the UK if an adequacy decision is issued in favor of the UK. The GDPR assumes a higher level of scrutiny is appropriate for countries which are not part of the E.U., in terms of what is actually happening to the data.125 The GDPR is naturally read as attempting to contain data while streamlining the process within E.U. countries, so that there is a greater level of consistency, while also taking into account that data flows beyond E.U. jurisdictional borders in a global economy.126

The GDPR restricts indiscriminate data collection by

limiting retention periods and creating subject rights which

allow individuals to withdraw consent for the processing of

their personal data.127 To better protect these rights for E.U.

citizens, the E.U. will not lightly grant adequacy decisions to

a Third-Party Country. Adequacy decisions will be premised on a

targeted and selected approach, which reflects the data minimization principle of the GDPR); Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76.

125 Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76.

126 Craig, The One-Stop Shop, supra note 59.

127 GDPR - (New) Rights of the Data Subject, supra note 106.

Third-Party Country providing essential equivalence128 in terms of data protection for personal data. To grant a decision in violation of the essential equivalence baseline would weaken the GDPR's harmonization of data protection laws as they apply to E.U. citizens. The law's purpose is to protect the data even when it is not within the territorial boundaries of the E.U.129

In the absence of an adequacy decision granting the UK Third-Party Country status and thus making it eligible for access to data transfers of E.U. citizens' data, UK businesses must negotiate individual BCRs. The GDPR permits BCRs because these rules were created to facilitate data flows for businesses.130 BCRs are significant to the GDPR because if a country cannot get an adequacy decision designating it as a Third-Party Country for the purpose of data transfers, then each individual business may rely on these types of individual

128 Opinion 4/2016 E.U.-US Privacy Shield, supra note 124 (recognizing that adequacy does not require adopting a framework which is identical to the one existing in the E.U., but, taken as a whole, [data transfer agreements between the E.U. and Third-Party Countries] should cover all the key elements of the E.U. data protection frameworks).

129 Craig, The One-Stop Shop, supra note 59.

130 Id.

contractual agreements to accomplish data transfers from the

E.U. However, the process is expensive and only applies to the

business that negotiated the BCRs.

The GDPR strengthened the right to be forgotten, otherwise known as the right to erasure.131 By requiring that a data subject have the right to request erasure of his/her personal data on several grounds,132 a clear message is sent to data controllers that they do not own the data about the subject; they merely have permission to use the data until such time as consent is withdrawn.

The right to be forgotten also creates the data controller's corresponding responsibility to ensure that other controllers, which have access to the same data, abide by the

131 GDPR - (New) Rights of the Data Subject, supra note 106.

132 Id. (explaining that data should be deleted under the following situations: (1) when processing is no longer necessary for the intended purpose; (2) when the data subject withdraws his/her consent; (3) when the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (4) when the processing is unlawful; (5) when erasure is necessary for compliance with a legal obligation; or (6) when the data concerns a child and has been collected via information society services).

request to erase any link to, copy or replication of this

personal data.133 The right to be forgotten allows data subjects

to own their personal data and make meaningful and informed

decisions about how data lives on the Internet.134 In addition,

companies are forced to comply with these types of requests as

they are made.135

C. England's IPA is Incompatible with the GDPR because It Violates the GDPR's Consent Requirement

The IPA's predecessor will be repealed by the end of this year,136 but the Investigatory Powers Act (IPA) will be adopted in 2017.137 Even with a future agreement between the E.U. and UK

133 GDPR - (New) Rights of the Data Subject, supra note 106.

134 Id.

135 Id.

136 See Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76; accord E.U.'s Highest Court Delivers Blow to UK Snooper's Charter, The Guardian (Dec. 21, 2016) (explaining that DRIPA was illegal because it promoted general and indiscriminate data retention).

137 Yuli Takatsuki, The Tele2/Watson case: What are the key takeaways? And what is to become of the new Investigatory Powers Act?, FieldFisher (Jan. 18, 2017), http://privacylawblog.

on exiting, the IPA would still be in violation of Article 45 of the GDPR.138 The IPA is broadly written so that all forms of data retention can be legitimized under national security,139 preventing or detecting crime,140 public health and safety,141 and the economic well-being of the UK.142 Thus, by exiting the E.U., the UK may not have access to the One-Stop-Shop or single market of data sharing.143 Other problems may also arise in determining whether or not the UK receives an adequacy decision to give it access to the personal data of E.U. citizens. However, the UK's exit from the E.U. does not mean that companies in the UK will be unaffected by the GDPR.144 Perhaps more than in any other country, the UK's exit from the E.U. has created domestic

fieldfisher.com/2017/the-tele2watson-case-what-are-the-key-

takeaways-and-what-is-to-become-of-the-new-investigatory-powers-

act/.

138 General Data Protection Regulation, supra note 4, art 45.

139 Investigatory Powers Act 2016, c. 25, § 61(7)(a) (Eng.).

140 Id. at § 61(7)(b).

141 Id. at § 61(7)(d).

142 Id. at § 61(7)(c).

143 Jay, Some Reflections on Brexit and the U.K. Data Protection

Regime, supra note 87, at 22.

144 Id.

uncertainty about the future of personal data access, since the GDPR is a foregone conclusion and it is not clear how the UK will comply with it in the interim before exiting.145

The Court in Watson noted that Member States could perform targeted retention of data solely for fighting serious crime,146 but not mass and indiscriminate data collection in the hope of fighting crime. It is illegal to collect a mass of personal data and expose it to possible hacking, or what the GDPR calls data breaches,147 in the hope of finding a possible criminal without first having some form of probable cause to believe that there is crime afoot and that the data collected would serve only as another form of indicia corroborating the crime.

In its current form, the IPA will allow the personal data

of many UK citizens to be combed for possible crime in violation

145 Id.

146 Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76.

147 General Data Protection Regulation, supra note 4, art. 4

(defining personal data breaches as any unauthorised [sic]

disclosure of, or access to, personal data transmitted, stored

or otherwise processed by the data controller).

of both Articles 7 and 8 of the European Charter148 and the GDPR. While the GDPR attempts to put power over personal data back in the hands of individuals by giving them the power to grant or deny consent, withdraw consent, and request that certain personal data be erased, the IPA makes these rights null by requiring companies to preserve the personal data of individuals indiscriminately. Clearly, the IPA contradicts the E.U.'s sentiment in the GDPR favoring the protection of data subjects' privacy rights, by forcing communication companies to hold enormous amounts of personal data.149

By forcing Internet and phone companies to keep the records of every phone call made and every website visited by any of their users, without giving the individual the chance to withdraw consent, the IPA will violate the concept of consent promoted by the GDPR.150 The UK may try to justify the violation of consent to access personal data by arguing that it is trying

148 See Watson, supra note 3, para. 128.

149 The Law We All Thought A Safe Zombie Bill Is Alive: Key Things You Need To Know About The Snooper's Charter, Data Econ. (Mar. 6, 2017), https://data-economy.com/law-thought-safe-zombie-bill-alive-key-things-need-know-snoopers-charter/.

150 See Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76.

to combat terrorism, but this is an insufficient reason for depriving people of the right to their personal data privacy. Other law enforcement tools, like seeking a warrant in order to investigate evidence of a crime, are still a better alternative to indiscriminate spying on citizens and monitoring their activities on the Internet.151

The GDPR's new data subject rights allowing an individual to restrict the processing of his or her data will be severely impacted by the IPA's requirement that data companies make data on individuals unencrypted and accessible immediately on demand to government authorities. The GDPR's requirements that consent

151 Cf. Europe Under Threat: Minister Says Snooper's Charter Should be Celebrated as he Reveals Unprecedented Threat From Terror, The Sun (Dec. 2, 2016), https://www.thesun.co.uk/news/2317900/minister-says-snoopers-charter-should-be-celebrated-as-he-reveals-unprecedented-threat-from-terror/ (observing that one of the outcomes of the IPA is that more information than ever before is now public about the powers our security and intelligence agencies will use in an attempt to keep UK citizens safe, but that some of this personal data is also highly sensitive and could, if it falls into the wrong hands, expose the same people the law seeks to protect to hackers).

to process be obtained in a clear,152 intelligible and accessible way will thus be violated because there will be no time to inform an individual that the UK government is requesting information on said individual. Again, UK companies are placed in a difficult position because there is no way to comply with both laws without being in violation of either the GDPR or the IPA.

D. Data Protection Requirements Between England and the GDPR Create a Burden for British Businesses because of the Diverging Standards in Each Law

For British businesses to share information and provide services for E.U. consumers, UK law must offer the same level of protection as Europe's data protection Regulation.153 The UK's IPA and the GDPR diverge on the issue of data retention and

152 Top 10 Operational Impacts of the GDPR: Part 3 Consent, The Privacy Advisor, supra note 68 (noting that valid consent can only occur where a company obtains it through an intelligible and easily accessible form, using clear and plain language).

153 See A Primer on the GDPR: What You Need to Know, supra note

33 (explaining that the GDPR has been designed to protect

individuals privacy rights and ensure that businesses are not

faced with multiple costly legal cases as a result of multiple

strands of legislation, both national and European).

purpose limitation for the data being processed.154 When the GDPR stated that consent is not freely given if there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority, it was clearly speaking to the broad power that national governments have to collect data on individuals; because of this power, the individual is too often kept in the dark about their ability to deny a government authority access to their data.155 Yet this seems to be a core problem with the IPA, given that the IPA authorizes such broad governmental access to personal data.156 The IPA takes away the individual's power to prevent the government from looking at his or her personal information. On the other hand, the GDPR makes consent a right, not a privilege, which cannot be circumvented by any data controller or processor, especially if said controller or processor is a government authority.

154 Muncaster, GDPR and Snooper's Charter: A Marriage Made in Hell, supra note 85; GDPR - (New) Rights of the Data Subject, supra note 106.

155 General Data Protection Regulation, supra note 4, recital 43.

156 Muncaster, GDPR and Snooper's Charter: A Marriage Made in Hell, supra note 85.

Furthering the conflict between the IPA and the GDPR is the IPA's requirement that companies store complete records of web data for each customer,157 a practice which Article 5 of the GDPR addresses through the purpose limitation principle.158 Data minimization principles, inherent in the GDPR and reflected in Article 5, require that personal data not be diluted or transferred without any restriction on where that data is being transferred.159 Through the GDPR the E.U. is also

157 The Law We All Thought A Safe Zombie Bill Is Alive: Key Things You Need To Know About The Snooper's Charter, supra note 149.

158 See Chapter 6: Data Protection Principles Unlocking the EU

General Data Protection Regulation, supra note 39 (explaining

that personal data may only be collected for specified,

explicit and legitimate purposes and the consent given for such

data collection should not be further diluted through improper

processing in a manner that is incompatible with those

purposes.).

159 IT Governance Privacy Team, Six Privacy Principles, supra

note 36.

trying to minimize the possibility of data breaches,160 which are more likely to occur when data is being retained in large quantities or for long periods of time. When data is collected and stored for long periods of time, it becomes a honeypot161 for hackers. Keeping data for indefinite periods of time makes it possible for hackers to gain access to sensitive personal data easily, a major concern for the E.U.162 because it compromises the right of the individual to know with a degree of certainty or expectation where, when and by whom their personal data is being processed.

Because UK law creates more data insecurity through its demands that communication companies collect large data sets on individuals, and also provide back-door access163 to such data when government agencies deem that access to such data is necessary, the UK is not likely to obtain certification as an

160 See generally General Data Protection Regulation, supra note

4, art. 4 (emphasizing the unauthorized processing of personal

data where consent is not validly obtained).

161 Muncaster, GDPR and Snooper's Charter: A Marriage Made in Hell, supra note 85.

162 Opinion 4/2016 E.U.-US Privacy Shield, supra note 124.

163 See Muncaster, GDPR and Snooper's Charter: A Marriage Made in Hell, supra note 85.

adequate jurisdiction under the GDPR.164 Data security experts note that in order to protect personal data from hackers or mismanagement, personal data must be kept under various layers of security.165 But the IPA contradicts this principle by requiring that companies be able to decrypt data quickly upon government request.166 As long as the information sought is to elaborate on a legitimate crime that is occurring and threatening the well-being of the UK,167 there might be a justification for deploying invasive investigation into communications. However, the problem is that the justifications as defined in Section 61168 of the IPA are too broad. Almost any justification for obtaining personal data could be satisfied under the IPA's Section 61 definitions of public safety or preventing and detecting crime.

164 IT Governance Privacy Team, Managing Personal Data

Internationally, supra note 21.

165 Id.

166 The Law We All Thought A Safe Zombie Bill Is Alive Key

Things You Need To Know About The Snoopers Charter, supra note

149.

167 See Investigatory Powers Act, at 61.

168 Id.

49
IV. Recommendations

A. The GDPR's Procedural Vagueness Will Increase Operational Costs for Businesses

The GDPR codified[169] into law the right to be forgotten,[170] but it does not lay out the specific mechanism for enforcing this right. The procedural vagueness arises from data subjects' inability to appeal to the correct authority.[171] The theoretical possibility of the right to erasure must be communicated to the public in a meaningful way, such that they know exactly where they can appeal and under what specific circumstances.[172] Moreover, the burden of providing all of these services to individuals falls on companies, because they have to take on the burden of responding to the claim made by the individual to rectify or erase information, and do so at no cost to the requesting person.[173]

A major problem will occur in situations where the information has been shared multiple times. It is unclear if the originating source, the first controller of the data, will be responsible for sharing all of the information down the chain to all other data controllers. The GDPR is not clear on what the best practice is, or on what level of effort the controller must use to comply with the Regulation. The bottom line is that it will take a lot of manpower to process these types of requests. It is not fair to require that companies bear the complete cost of performing these services. In addition, there might be businesses in the future that capitalize on undertaking these types of erasure services for data subjects, make a profit, and thus undermine the whole purpose of enhancing data subjects' rights.

B. GDPR Should Have Defined the Process for Obtaining Consent Explicitly

The GDPR emphasizes the individual's consent to controllers and data processors for personal data being used.[174] However, although the drafters had the opportunity to require "explicit"[175] consent for all personal data, instead they settled on "unambiguous"[176] consent for most data and explicit consent for sensitive data.[177] The problem is that the GDPR does not provide guiding principles on what constitutes unambiguous assent. The problem with consent as required by the GDPR is that if a dispute arises because of lack of consent, especially as it relates to age, consent may be problematic because there is so little guidance on the matter.[178]

Organizations may not use personal data for a purpose secondary to that for which consent was given without notifying the data subject. The data subject may withdraw consent, and yet the definition of consent is so ambiguous that the line at which the data controller has trespassed on the initial consent seems like a gray area.[179]

169. General Data Protection Regulation, supra note 4, art. 15.

170. See generally Google Spain, supra note 26.

171. Koops, The Trouble with European Data Protection Law, supra note 103.

172. Id. (noting that government interest in performing data erasure is unlikely, since the government's interest in maintaining the data for an unspecified period of time can serve a public safety purpose).

173. GDPR - (New) Rights of the Data Subject, supra note 106.

174. Top 10 Operational Impacts of the GDPR: Part 3 Consent, supra note 68.

175. The Final European Union General Data Protection Regulation, Bloomberg News (Feb. 12, 2016), https://www.bna.com/final-european-union-n57982067329/.

176. Id.

177. General Data Protection Regulation, supra note 4, art. 4.

178. Top 10 Operational Impacts of the GDPR: Part 3 Consent, supra note 68.

179. Id.
C. The GDPR Reflects a Strong Commitment to Individual Data Protection

If the UK withdraws before the GDPR goes into full effect in 2018, it would still have to broker an agreement with the E.U. that is proportionate in terms of adequacy of protection if it wants English-based companies to be able to work with other E.U. countries.[180] The GDPR is adamant in restricting the use of and access to data for limited and specific purposes, and yet the IPA's expansive powers[181] arguably are the very antithesis of the principle of limitation. With the IPA still in place, the E.U. seems unlikely to grant an adequacy decision in favor of permitting data flows to the UK.[182]

180. Save the Data: E.U. General Data Protection Regulation to Apply from 25 May 2018, Herbert Smith Freehills (May 06, 2016), https://www.herbertsmithfreehills.com/latest-thinking/save-the-data-eu-general-data-protection-regulation-to-apply-from-25-may-2018 ("The GDPR therefore extends the scope of current data protection regulation. Technology companies in particular, who may currently locate their servers outside of the E.U. and therefore be out of scope of the existing data protection regime, may now find themselves subject to the GDPR if they are targeting E.U. customers. Questions remain regarding the effective enforceability of these new data protection obligations against non-E.U. controllers, but there is no doubt that the long arm of E.U. data protection law is seeking to reach beyond E.U. borders.").
D. The UK Will Need to Broker a Data Exchange Agreement

Another solution for not following the GDPR while maintaining the IPA is for the UK to broker its own version of the Data Privacy Shield,[183] as the US has done. However, the main obstacle to cross is still being deemed an adequate jurisdiction, where the UK certifies that it will provide the same level of data protection for the information transferred outside the E.U. as the information would have in any other E.U. country. If the UK wants to obtain an adequacy decision even with the IPA, the best example to follow is the US, which brokered the Data Privacy Shield to allow US businesses to engage in data transfers even with the broad surveillance laws the US has in place.[184]

181. UK's Spying Bill Complicates Fate of Data Transfer Deals, L. 360 (Nov. 30, 2016), https://www.law360.com/articles/867495/uk-s-spying-bill-complicates-fate-of-data-transfer-deals.

182. Jay, Some Reflections on Brexit and the U.K. Data Protection Regime, supra note 87, at 22.

183. See E.U.-US Privacy Shield-FAQs, Alston & Bird: Privacy & Data Sec. Blog (July 12, 2016), http://alstonprivacy.com/faqs-privacy-shield ("The core of the [E.U.-US Privacy Shield] framework are seven Privacy Shield Principles that participating organizations must comply with when processing personal data transferred under the program [including] (i) Notice; (ii) Choice; (iii) Security; (iv) Data Integrity and Purpose Limitation; (v) Access; (vi) Accountability for Onward Transfers; and (vii) Recourse, Enforcement and Liability, [which satisfy] ... the requirements set out by the Court of Justice in the Schrems case."); see also Courtney Bowman, Privacy Shield Adopted, But Uncertainty Remains, Proskauer (Jul. 13, 2016), http://privacylaw.proskauer.com/2016/07/articles/european-union/privacy-shield-adopted-but-uncertainty-remains/ (explaining that while the new agreement, known as Privacy Shield, brokered a legitimized legal means for businesses to transfer personal data online to the US from the E.U. without violating any current data protection laws in the E.U. and the future GDPR, questions remain as to whether another legal challenge like Schrems, which struck down the previous E.U.-US agreement, known as Safe Harbor, will also be what sinks this agreement, since the GDPR is stricter on the level of data protection that must be afforded to each individual's data).

184. See Murgia, EU's Highest Court Declares UK Surveillance Powers Illegal, supra note 76 (noting that British officials "will be looking at the precedent of the US, which has repeatedly come up against such rules [yet] this year, officials on both sides of the Atlantic [cobbled] together a new deal on data transfers after a previous one itself a result of laborious negotiation was struck down by the European courts," referring to the now illegal Safe Harbour [sic] provision, which was declared illegal in Schrems).

V. Conclusion

The operational impact of the GDPR will create a major overhaul of data protection in the E.U., where the concept of the subject's rights is valued above government and business objectives. To date, no other law allows an individual to deny consent and still retain access to a service provided by a business. Furthermore, by allowing an individual to seek redress for any misuse of his or her information, the GDPR is providing another powerful tool for each E.U. citizen to exercise with respect to his or her own data privacy rights.
Initially at least, the UK will have to adopt the GDPR[185] because the extrication of the country from the E.U. will take at least two years from whenever Article 50 is triggered, presumably in March, and probably much, much longer.[186] The UK has even said that post-Brexit it plans on recognizing the importance of the GDPR.[187] However, the UK's IPA will lead to inevitable conflict for companies wishing to continue doing business in the E.U.[188]

Already there are concerns that the IPA and the GDPR are incompatible legislation.[189] Telecommunication companies would be the most affected by the competing demands.[190] By keeping the IPA as it is now, the UK cannot be an adequate jurisdiction, because the transfer of data might be subject to the government via a warrant to a business and the subject himself.[191] Thus, if the UK enforces the IPA as drafted and enacted into law, there will likely be many legal challenges, and the UK is not likely to obtain an adequacy decision granting it Third Party status for the purposes of processing personal data from the E.U. by UK businesses.

185. Muncaster, GDPR and Snoopers' Charter: A Marriage Made in Hell, supra note 85.

186. Id.

187. See id. ("As we leave the E.U., we will seek to maintain the stability of data transfer between E.U. Member States and the UK.").

188. Id. ("This implies that the UK will broadly speaking harmonise [sic] its laws with the GDPR. But the bulk data collection powers granted by the IPA mean the regime is certainly not equivocal to that in Europe.").

189. Why the UK is Unlikely to Get an Adequacy Determination Post Brexit, The Reg. (Feb. 09, 2017), https://www.theregister.co.uk/2017/01/09/why_the_uk_is_unlikely_to_get_an_adequacy_determination_post_brexit/.

190. Muncaster, GDPR and Snoopers' Charter: A Marriage Made in Hell, supra note 85 (quoting Emily Taylor, the author notes that "the impact of conflicts between the GDPR and our Investigatory Powers Act may be to hamper the competitiveness of UK tech, particularly as the GDPR seeks to protect E.U. citizens' data wherever it will be processed.").

191. See, e.g., Why the UK is Unlikely to Get an Adequacy Determination Post Brexit, supra note 189.
