The UK’s data sharing deals with Europe are about to get real messy

We need an agreement to keep data flowing between the UK and EU – but there’s plenty that could get in the way

The UK and Europe’s data sharing is about to get messy. Brexit means the EU and UK need to agree how to keep data flowing, but government surveillance and political posturing may mean British companies face mountains of paperwork and higher costs, the government loses access to policing data, and startups instead headquarter themselves on the continent.

Before Brexit, when the UK was part of the EU, data sharing wasn’t a problem. When the current limbo state is over at the end of this transition year, the UK has two options to keep data flowing: agreeing data protection contracts company-by-company, or a country-wide deal called an adequacy decision. “When it [the EU] says a country has adequacy, it means that it’s a safe place for data to flow to,” says Oliver Patel, a researcher at University College London’s European Institute. “It’s basically the EU saying a country has robust enough data protection, enforcement system, and human rights, so it’s safe for companies in the EU to transfer data to the country… so you can transfer data without any restrictions.”

Adequacy decisions are made with a recommendation by the European Commission, but approved by member countries and can be struck down by the European Court of Justice (ECJ). So far, 13 countries and territories have adequacy agreements with the EU – including Switzerland, Argentina, and Japan, as well as the Isle of Man – but that doesn’t mean such approval is easy to win. The process itself is long and drawn out. Korea has been working on convincing the EU for five years, while Japan took just shy of two years, though backroom discussions were happening much earlier and the process required legislative changes in the country.

In short, this could take some time. Daragh O Brien, managing director at consultancy Castlebridge, says he’s hearing that initial discussions are already happening, with a formal request to begin the adequacy procedure set to be made in March. “There seems to be, from a political perspective, a belief that this is a quick and easy deal that will be done in a matter of months – it won’t,” he says.

Although the UK has only recently departed the EU, there’s no guarantee it will be approved. One challenge is surveillance, notably bulk collection of data by the UK security services, as well as sharing intelligence data with five-eyes partners, notably the US. That’s not new – but EU members don’t have to explain their national security to each other. Now that the UK is no longer part of Europe, these aspects are up for scrutiny. “When the EU does an adequacy agreement, it also considers wider factors such as national security, surveillance and human rights – and there are a few problems with that for the UK,” Patel says. “The irony here is that things which are not a problem for the UK as a member state may become a problem for the UK as a third country, because the EU is then at liberty to assess whatever it wants about the UK,” he adds.

One particular issue is the Investigatory Powers Act, the so-called Snoopers’ Charter that enshrines bulk-data collection into UK law. It could be seen as incompatible with the EU’s human rights law – the ECJ has already ruled that bulk collection is unlawful, and the US has faced a similar battle.

“Bulk collection of data by UK security services under Investigatory Powers Act a big issue,” says Lewis Lloyd, a researcher at the Institute for Government, a think tank. “UK got away with this as an EU member because national security is a national competence (so not up to the EU). But more scrutiny will be applied to this now the UK has left, and could scupper an adequacy agreement.” The UK government has consistently said the Investigatory Powers Act has strong oversight, which controls how powers within the Act can be used.


But there’s another hurdle. To get an adequacy agreement with the EU, a country must comply with the Charter of Fundamental Rights, an EU-wide document that sets out rights for people living across the continent. The UK hasn’t incorporated it into local law, and the UK Data Protection Act falls short of meeting the Charter when it comes to immigrants. “Even pre-Brexit, the provision in the UK Data Protection Act excluding people in immigration processes from data protection would be potentially extremely problematic in the context of an adequacy decision,” O Brien adds. The EU may also be wary of comments from the new Attorney General, Suella Braverman, who called for parliament to “take back control” from courts – in particular around the Human Rights Act. “None of that sends particularly warm mood music to the European Commission or their stakeholders,” O Brien says.

That said, the UK has plenty in its favour, notably that it already follows GDPR. However, some potential changes to how the UK pulls GDPR into its own laws have already been outlined, while a pledge in parliament from prime minister Boris Johnson that the UK will develop “separate and independent policies” in data protection also doesn’t help matters. “Regulatory divergence is the antithesis of what we’re trying to achieve with an adequacy decision,” says O Brien, suggesting those changes should be as limited as possible.

Still, there are other points in the positive column. The UK has a robust judicial system and enforcement, says Patel, adding that the Information Commissioner’s Office “is widely seen as one of the best data protection regulators in Europe”. Plus, it’s in the EU’s interest to make it easy to share data with the UK. “We’re one of the bloc’s closest trading partners, and much of that trade is underpinned by the ability to move data freely,” says Lloyd. “They won’t want to lose that.”

If the UK doesn’t win an adequacy decision, or if it takes years to get through the process, there are alternative methods to keep data moving. These include a framework called a Standard Contractual Clause (SCC), and larger companies can use a similar system called binding corporate rules. SCCs are standard terms that a company agrees to, taking on obligations to protect EU citizen data above and beyond what’s required by the country’s own home laws – essentially, it means the parties sharing the data between them need to follow EU data laws. SCCs not only take time and money, but the whole framework is currently being challenged before the European Court of Justice, via the so-called “Schrems 2” case.

However, the lack of an adequacy decision could have knock-on effects in other agreements. “An adequacy decision is necessary, but not sufficient, for UK participation in EU policing and criminal justice systems and databases,” Lloyd says. “That access will be subject to further negotiation.”

There’s another alternative, a sort of half-way house between a full adequacy decision and none at all. Canada’s adequacy decision is limited to commercial companies, for example, because its data protection laws don’t apply in the same way to the federal government agencies. The adequacy agreement with the US, meanwhile, is limited to companies that fall under the Privacy Shield, a set of rules designed to protect personal data of European citizens from American public authorities. While that arrangement is also being challenged in courts, it suggests the UK may be able to carve out its own exceptions. “What we can learn from the US case is that the Commission can be flexible when it needs to be,” says Patel. “There’s no inherent reason why something it’s done for the US, it can’t do for the UK.”

Right now, it’s unclear how this will play out. If the UK is stuck using SCCs for a few years or permanently, it’s not going to mean no data can flow. It’ll simply cost more. And that’s going to hit smaller companies harder than larger firms that have the legal and administrative capacity to manage the extra bureaucracy, says Patel.

“It’s bad for the economy and it’s particularly bad for smaller firms, for SMEs and startups, as they can’t really take on a massive additional compliance bill – that’s all this really means,” says Patel. “If you’re a tech startup and you have this extra hurdle to setting up in the UK and you have to spend all this money to transfer data, they’ll just set up in Amsterdam instead.” He adds: “That’s why countries like Japan are willing to rewrite their laws to get one, because it’s really good.”




This article was originally published by WIRED UK