Written by: Rachel Bucklow
Whilst trade and fishing rights have been the main battleground of Brexit negotiations, the state of the UK’s data protection laws post-Brexit have scarcely been considered in the media. Globalisation and the digital revolution have made cross-border data sharing an essential component to international trade. If the ability to share data with European Economic Area (EEA) jurisdictions is impeded, the UK’s justice and financial frameworks will inevitably be destabilised, potentially resulting in a nationwide security crisis.
Since May 2018, personal data transferred within the EU has been protected by the General Data Protection Regulation (GDPR). This regulation aimed to harmonise data protection laws across the EEA, and provide the global gold standard of safeguarding frameworks for personal data. GDPR was enshrined in UK law through the Data Protection Act 2018. As an EU Member State abiding by GDPR principles, the UK has been able to transfer and receive data throughout the EEA without restrictions. However on the 31st December 2020, when the Brexit transition period ends, the UK will become a third country, meaning that it will no longer have an intrinsic entitlement to transfer data with EU countries. If no deal is reached between the EU and UK about the fate of cross-border data transfer, the UK public and private sectors could each face potentially crippling consequences.
If a deal is not reached, UK authorities may lose access to EU-wide criminal databases. This will make collaborating with EU police services more difficult, making it harder to extradite dangerous criminals from the UK and potentially reduce the number of criminals brought back to the UK to face justice.[1] Additionally, without being able to share data with initiatives such as Europol, the UK Border Force may not be automatically informed when a wanted individual tries to enter the UK from the EEA.
No deal could also have serious implications for the NHS, as it could mean that the UK is unable to receive critical updates about health threats and medical research.[2] Additionally, data transfer is critical to UK business. According to Tech UK, in 2020 11.5% of global cross-border data flowed through the UK, 75% of this which passed between the UK and the EU.[3] Without an ability to freely transfer data between the EU and UK, EEA businesses may go elsewhere when looking to build lucrative business partnerships.
What are the options for the UK government?
Adequacy decision
In order to best facilitate the future exchange of data, the UK will need to secure an adequacy decision. An adequacy decision is made when the European Commission establishes that a non-EU country offers an adequate level of protection of their personal data. If such a decision is granted, the non-EU country is able to freely trade data with all EU and EEA member countries without any further safeguards being put in place. To date, Japan is the only country to have received a full adequacy decision[4], whilst ten other countries have been granted partial agreements, meaning that the free trade of data is restricted to particular industries. Whilst Paul Gaskell, the Deputy Director at the EU Exit Data Protection Negotiation Hub is confident that the European Commission (EC) will grant the UK an adequacy decision before the end of the transition period;[5] as the 1st January 2021 fast approaches, this is becoming an increasingly unlikely possibility. If no decision is granted before the end of the year, the UK government has assured businesses that they can continue to freely send data to EU and EEA member countries. However, the EC have made it clear that they will not return the favour.
What is the likelihood of an adequacy decision being granted?
Although the UK has adopted the comprehensive GDPR framework, the EC may deem its’ far-reaching surveillance laws incompatible with European data protection principles. This conclusion became more likely after the Court of Justice of the European Union (CJEU) deemed the UK’s bulk data collection regime illegal under EU law in October this year.[6] In its decision, the CJEU said that legislation such as Britain’s Investigatory Powers Act, which gives local national security agencies significant powers to gather personal data, does not meet the standards of EU proportionality thresholds in respect of an individual’s right to privacy, data protection, and freedom of expression.[7]
Whilst countries within the EU may be granted more leniency to harvest personal data, countries seeking an adequacy agreement are expected to conform to more stringent standards regarding bulk data collection for national security purposes.[8] In July 2020 during the Schrems II case, this strict approach resulted in the CJEU striking down an adequacy decision between the US and EU, known as the Privacy Shield, because of overly intrusive surveillance laws. This judgement will loom over the UK government, as they await the EC’s decision.
In addition to the EU’s scepticism over UK surveillance regimes, the UK government has been pushing their luck further by announcing ambitions to create a ‘world-leading data economy’ post-Brexit.[9] In a statement made in a document outlining the UK’s National Data Strategy, Digital Secretary Oliver Dowden vowed to be ‘unashamedly pro-tech.’[10] In doing so, he hinted at the possibility of the UK watering down its commitment to GDPR in a bid to establish itself as a global technology hub.[11] Ross McKenzie, a Partner at Addleshaw Goddard described the UK as ‘walking a data tightrope.’[12]
Alternative options
If no adequacy decision is granted, the GDPR provides other options that the UK may rely upon.
Standard Contractual Clauses
As recently clarified in the Schrems II judgment, Standard Contractual Clauses (SCC) enable the transfer of data from EEA states to countries deemed by the EC to offer an inadequate level of protection of personal data, provided that the level of protection afforded to the transferred data is adequate.[13] These individual agreements are made between the data importer and data exporter, and must comply with the standard clauses adopted by the EC. Individuals whose personal data is transferred, can directly enforce their rights against the importer or exporter if their data is not adequately protected.
Whilst a popular means for enabling data transfer, SCCs are costly. These clauses require careful drafting and due diligence, which is burdensome on resources. Whilst the costs could easily be weathered by multinational conglomerates; smaller businesses and companies in the embryonic stages of development, may not be able to afford the additional costs, which could stifle the growth of UK business. Additionally, the Schrems II judgment concluded that businesses relying on SCCs for personal data transfers would have to firstly consider if the clauses are in conflict with local laws. Given the recent CJEU ruling on the illegality of UK surveillance policies, there is a chance that EEA businesses will avoid entering into SSCs with UK companies in order to avoid potential complications arising from these agreements being struck down in the future.
Binding Corporate Rules
Binding Corporate Rules enable the transfer of personal data from EEA states to non-EEA entities within the same corporate group with relative ease. This will enable multi-national corporations to continue transferring personal data without restrictions or the hassle of having to put additional safeguards in place.
Derogations
Article 49 GDPR allows for the transfer of data from EEA states to non-EU countries in one-off special situations. These include situations where the transfer is necessary for reasons of important public interest, or where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks.[14]
Whilst the EC assesses the UK’s case for data adequacy, UK businesses must prepare for all potential Brexit-related scenarios. Given the alternative options if data adequacy is not granted, UK-EU data transfers are not going to stop in their entirety anytime soon. However, the future of the simplicity of these arrangements is at stake, which could result in huge additional expenditure for the UK business and public sectors. A decision from the EC is expected by the end of the year. Whilst the Commission contemplates their decision, the UK government continues to consult on their ambitious data-expansion plan.