By Michael Sturrock Head of Public Affairs, DMA (Data and Marketing Association
Cross-border data flows are the veins that feed the modern global economy. The success of data-reliant sectors – such as advanced manufacturing, logistics, financial services, data-analytics, marketing, and IT – are contingent on the UK’s ability to maintain data-flows with the EU.
The UK is an international leader for data flows, which have increased 28 times between 2005 and 2015. The UK currently has the largest data centre market in Europe, worth over £73 billion, with over 75% of UK data transfers going to EU countries.
It is pivotal, then, that the UK and EU agree a deal that will allow the continuation of data flows in order to protect and grow our economy. This means that the UK must maintain EU standards of data protection that it has at present. Sounds easy enough, doesn’t it? Unfortunately, it is very much not.
Earlier this year, the UK Government has deemed EU data protection standards as sufficient and, will permit the transfer of data from the UK to the EU after Brexit. It requires the EU to make that same allowance in order to continue data flows.
However, the EU cannot make the same offer until the UK reaches ‘third country status’ (which it did in January 2020) and has then deemed that the UK’s data protection practices are sufficiently protective to merit ‘adequacy status’.
Adequacy status is a measure in the General Data Protection Regulation (GDPR), which allows the EU Commission to certify that a country has adequate levels of data protection. Once certified, EU member states are allowed to exchange personal data with that country.
The EU and UK began adequacy discussions in June 2020.
Previously, the European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan. Adequacy talks are ongoing with South Korea.
The UK Government argues that the UK’s unique position of regulatory alignment with the EU means the adequacy process should be relatively straightforward.
Indeed, it is claimed that the UK and EU are now treating the adequacy talks as a technical agreement to be reached rather than a political one, which means reaching this agreement will not be contingent on any political to-and-fro that could usurp other aspects of the post-Brexit deal.
However, the charge has often been levied that the UK’s security service data gathering for surveillance purposes breaches EU human rights law. This was contested however as, while it was a member of the EU, the UK’s security practices were contributing to EU security and therefore were protected. Similarly, specific judgements had not been issued that banned data gathering for surveillance purposes.
That was until 6 October 2020, when the European Court of Justice ruled that EU countries cannot retain citizens’ data in a sustained way for intelligence purposes (unless there is a clear and present danger to national security).
This could be a huge blow for the UK’s hope of securing a data adequacy deal with the EU. If data from an EU citizen gets sent to the UK, the UK’s surveillance services will be able to retain it for surveillance purposes, which the EU has decreed is a breach of human rights. So, if there is a risk that an adequacy agreement could allow the UK to breach EU citizens’ rights, the EU Commission is obligated to prevent the agreement in order to protect those rights.
Furthermore, at a House of Commons Digital, Culture, Media and Sport Committee hearing on 13 October 2020, Dr Jiahong Chen, a Research Fellow in IT Law at Horizon Digital Economy Research at the University of Nottingham, outlined that the Investigatory Powers Act (2018) posed similar problems for data adequacy.
He, and many other academics, argue that the Investigatory Powers Act allows the UK Government to gather and keep personal information on individuals for the purposes of decision making in visa applications. After the EUCJ ruling, this kind of data gathering would also be illegal in the EU.
On top of this, the UK Government’s running down the clock on negotiations means a no-deal Brexit is not unlikely.
While adequacy is being treated as a separate technical issue, in the case of a no-deal Brexit, there would be less impetus to secure an agreement on data protection. Therefore, without alternative arrangements, the processing of personal data of EU citizens in the UK would become illegal.
So, all does not bode well for data adequacy and the continuation of data flows. But there is still time. The UK Government must now do all it can to meet EU criteria for the good of not just its data and digital sector but the wider economy.