Cyber Week: what now for the UK’s data-protection regime?
The EU may have granted its former member state adequacy, but there will be many more issues to resolve in the coming years
Credit: Adobe Stock
“This will be welcome news to businesses, support continued cooperation between the UK and the EU, and help law enforcement authorities keep people safe.”
This was how digital secretary Oliver Dowden greeted news at the end of last month that the European Commission had – “after more than a year” of discussions, the cabinet minister admitted – granted data adequacy status to the UK.
The decision, which allows data to flow between organisations in this country and the remaining 27 EU member states, ratifies that the UK’s laws “ensure a level of protection for personal data… that is essentially equivalent” to the EU.
Although approval took longer than many had hoped – coming six months after the end of the Brexit transition period – it is perhaps no surprise that the UK received the green light in the end. A UK version of the EU General Data Protection Regulation has been signed into domestic law, alongside the Data Protection Act, which offers similar assurances.
Jon Baines, senior data protection specialist at business law firm Mishcon de Reya, tells PublicTechnology that, for organisations moving data between the EU and the UK, the continued absence of an adequacy decision would have meant every transfer would have come with “a need for contractual arrangements… [and] every time you would have to add in a list of clauses”.
“It would have added significant costs in terms of time,” he says.
"There have been a number of developments from the government in terms of policy aspirations which use the type of language that suggests that the UK wants to be ‘innovative’ in how data is used... It is possible that there might be some pushing of the boundaries which might just give European legislators pause for thought."
Jon Baines, Mishcon de Reya
Indeed, a November 2020 report from the New Economics Foundation and UCL European Institute – to which Baines contributed – estimated that the collective cost to UK businesses of failing to obtain adequacy would be as much as £1.6bn.
Last month’s decision means that data can now flow in both directions, in the certainty that the legal protection it receives in this country matches and complies with that of any other nation in the union.
Although Baines – who is not a lawyer himself, but rather a specialist adviser, as well as a former public-sector data protection officer – says that the way the use of data is typically described is somewhat misleading. It is not sent across borders, and subject to customs checks or quarantine, but it is simply accessed from any connected location.
“A lot of people talk about transfers and movement and the flow of data – and those can sometimes be useful terms but, really with modern digital technology, people are simply accessing data across borders, and that data is plugging into services,” he says. “The language of transfers and flows of data make you think about it being packaged up and sent – but we are really talking about the access of data.”
Whatever terminology is used, one form of data uses that is not covered by the adequacy decisions is the processing and transfer of information for the purposes of immigration control or enforcement.
This is because, in those cases, the UK Data Protection Act, effectively, provides an exemption that means personal data does not enjoy the same rights and protections as when it is being used for other business, public-service, or law-enforcement purposes.
The EC’s decision to exclude immigration data from the adequacy framework – which marked a diversion from the draft decision the commission published earlier this year – came in light of a legal challenge to the DPA’s immigration exemption.
The challenge, launched by campaign organisations the Open Rights Group and the 3million, was upheld by the UK Court of Appeal in May – reversing a decision taken by the High Court two years earlier. The appeal court ruled that the exemption is incompatible with UK law; the EC took note of this decision.
“Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area,” the EC said, when granting the adequacy decision. “The commission will reassess the need for this exclusion once the situation has been remedied under UK law.”
'It is not just what the laws look like on the page'
Outside of this exception, general personal data and law-enforcement data is now free to move between business and public bodies throughout the EU and those in the bloc’s one former member.
But, even with this approval now granted, there are important caveats to bear in mind.
Most obviously, there is a “sunset clause”, stipulating that the decision applies for only four years, before it requires review and renewal.
Even during those 48 months, European legislators will be keeping close eye on the UK.
“It is not just what the laws look like on the page – they will look at the enforcement,” Baines says. “The right to the protection of personal data is seen by the EU as a fundamental right, and they will look at whether the UK has respect for this. And they will look at it in the round.”
Beyond how existing law is interpreted and enforced by the Information Commissioner’s Office, there is also the issue of how the UK chooses to interact with other countries, and the boundaries its sets for data transfers with the rest of the world.
The UK became the 13th addition to the list of countries or territories that have been, at least in part, been granted EU adequacy. It joins: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Israel; Isle of Man; Japan; Jersey; New Zealand; Switzerland; and Uruguay. South Korea is in the process of obtaining adequacy.
Among those not on the list are Australia, India, Brazil, Russia, China, the whole of Africa and, perhaps most notably, the US.
While the UK government has often trumpeted the UK’s new-found ability to set its own laws, untethered from the framework of European legislation, the importance of maintaining adequacy is such that making any significant variance from the EU data protection framework could be a very tricky move to pull off.
The respective relationships with the US will be an area that is watched particularly closely; between 2016 and July last year, data transfers between EU countries and the US were covered by the Privacy Shield agreement which enabled US processors to self-certify their compliance with European data law.
But that arrangement has now been struck down by the Court of Justice of the EU, which found that Privacy Shield, and the wider US data-protection regime, do not provide protections for citizens’ data sufficient to comply with European law.
In 2015 the same court had, for essentially the same reasons, struck down Privacy Shield’s predecessor, a similar framework known as the Safe Harbor agreement. It is perhaps little surprise that the replacement vehicle met with the same fate; the US’s stance on data protection did not, it is fair to say, get any less hawkish under the premiership of Donald Trump than it was under Barack Obama (pictured together, right).
For both the UK and the EU, the US remains a third-part country which, like another 150-plus nations around the world, is not considered to have adequate protections for personal data.
But now, for the first time, the UK has the ability – in theory, at least – to take a more permissive approach to transatlantic data transfers.
“Where it gets interesting is whether there will be a divergence between the UK and the EU,” Baines says. “It is possible that the UK could take a bold decision on the US to make data transfers easier. But that would almost certainly present a risk for the EU adequacy decision."
He adds: “For all third-party countries around the world, the government has said that we going to look at our own adequacy assessments. And each of those is going to be scrutinised by the EU. While we have some freedom to set our own data laws and apply our own data regime, none of this is going to happen in a vacuum.”
Since Brexit was formalised earlier this year, there have not yet been any significant changes in the UK’s data-protection landscape. But there has been a shift in the tone adopted by politicians when discussing the matter.
“There have been a number of developments from the government in terms of policy aspirations which use the type of language that suggests that the UK wants to be ‘innovative’ in how data is used and wants to promote the data economy,” Baines says. “It is possible that there might be some pushing of the boundaries which might just give European legislators pause for thought.”
“There is so much politicking going on,” he adds. “It wouldn’t surprise me to hear [in the next few years] that the commission is concerned by developments in the UK – then there will probably be a little bit of rowing back, and then there will be an announcement then another [counter] announcement.”
After five years of Brexit, parties on both sides should, at least be quite used to that.
Communications regulator will examine whether the current market conditions stymie innovation and opportunities for smaller players
Departmental report reveals use of technology and data to help identify possible shortfalls
Annual reports of HM Revenue and Customs, Home Office and DWP discuss risks from cyber security, data protection and specific projects
Government CIO says assault on both public bodies and commercial firms went ‘largely unnoticed’