Businesses in the UK will be able to continue to exchange data with Europe following a long-awaited decision that the UK’s data protection regime is compatible with Europe’s data protection rules.
John Foster, director general of policy for employers’ group the CBI, described the agreement as a breakthrough. “The free flow of data is the bedrock of the modern economy and essential for firms across all sectors – from automotive to logistics – playing an important role in everyday trade of goods and services,” he said.
The decision comes with a four-year sunset clause and “strong safeguards” that allow the EU to revoke adequacy if the UK’s data protection laws diverge significantly from the EU’s in the future.
Conservative ministers and back benchers have proposed watering down the UK’s data protection regime as part of a move to cut red tape and boost the competitive position of the UK following Brexit.
“We are talking about a fundamental right of EU citizens that we have a duty to protect,” said Věra Jourová, vice-president for values and transparency at the EC. “This is why we have significant safeguards, and if anything changes on the UK side, we will intervene.”
Věra Jourová, European Commission
MEPs had put pressure on the European Commission to take a tougher line over exemptions in UK data protection regulation for national security and immigration.
One area of concern was that UK law allows government agencies to access and retain bulk data on individuals who are not under suspicion – a practice they said was inconsistent with GDPR.
They had also argued that data sharing between GCHQ and the US National Security Agency “would not protect EU citizens or residents”.
But the European Commission said on 28 June 2021 that the UK had strong safeguards in place to protect the privacy of citizens data from use by the intelligence services.
These include, in principle, prior authorisation by an independent judicial body, the right to appeal against unlawful surveillance to the Investigatory Powers Tribunal and the European Court of Human Rights.
The European Commission has also excluded data transfers for UK immigration control form the GDPR adequacy decision following a judgment by the Court of Appeal that found UK policy unlawful.
The immigration exemption allowed the Home Office and other organisations or companies to refuse access to personal data held about individuals if it might “prejudice the maintenance of effective immigration control”.
The EC said it would reassess the need for the exclusion once the situation has been remedied under UK law.
High data protection standards
Jourová said the European Commission had “listened very carefully” to concerns expressed by the European Parliament, Member States and the European Data Protection Board on the “possibility of future divergence from our standards in the EU privacy framework”.
Following the EU decision, the UK’s Department for Digital, Culture, Media and Sport said the government planned to promote the free flow of personal data through trade deals and data adequacy agreements with other countries.
The secretary of state for digital, Oliver Dowden, said: “After more than a year of constructive talks, it is right that the European Union has formally recognised the UK’s high data protection standards. We will now focus on unlocking the power of data to drive innovation and boost the economy while making sure we protect people’s safety and privacy.”
Julian David, CEO of trade body TechUK, said the agreements were vital to UK-EU trade. “The data adequacy decision also provides a basis for the UK and the EU to work together on global routes for the free flow of data,” he said.
Conservative backbenchers are pressing the government to relax the UK’s data protection regime post-Brexit. The Taskforce on Innovation, Growth and Regulatory Reform (TIGRR), set up by Downing Street, is recommending replacing the UK Data Protection Regulation 2018 with a “more proportionate framework of citizen data rights”.
Didier Reynders, European Commission
The group proposes removing Article 22 of GDPR to permit automatic decision-making and to promote the sharing of healthcare data.
Writing in the Financial Times in February, Dowden indicated that the UK should take a different approach to data protection in future. “Right now, too many businesses and organisations are reluctant to use data – either because they don’t understand the rules, or are afraid of inadvertently breaking them,” he wrote.
He said the next information commissioner would have a wider remit than privacy and would be asked to ensure people can use data “to achieve economic and social goals”.
UK adequacy will be under close watch
The EC’s commissioner for justice, Didier Reynders, said the EU would intervene if the UK did not maintain its compatibility with EU data protection law. “The commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”
The European Commission appears to be moving in a direction where adequacy decisions, rather than being a binary decision, contain exceptions and are kept under continuous review, said Ben Rapp, privacy expert and principle at Securys. “Businesses are going to have to pay more attention to their data transfers even under adequacy agreements,” he said.
Dai Davis, a data protection lawyer, said the sunset clause would provide the European Commission with political leverage. “There is genuine concern that the UK could depart from GDPR,” he said.
Rapp said he expected the UK adequacy decision to face a legal challenge before the end of the year. A successful legal challenge could, for example, lead to restrictions between EU and UK internet service providers, telecoms companies and cloud service providers.
These organisations may be subject to orders to share their customers’ data with intelligence and law enforcement under the Investigatory Powers Act 2016.
The EU-UK adequacy agreements could set a template for a revised EU-US data sharing agreement, after the EU struck down Privacy Shield in July 2020.
A replacement for Privacy Shield could include exemptions for data transfers that might be subject to US surveillance laws, suggested Rapp.
A total of 12 adequacy decisions have been made under the GDPR since it came into effect in May 2018, covering Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. The EU began data adequacy talks with the Republic of South Korea in March.