The UK’s pursuit of a data adequacy agreement with the European Union hit a roadblock last week when the European Parliament voted against the European Commission’s draft decision to facilitate data flows to post-Brexit Britain. Although the final decision rests in the hands of the Commission, the vote carries considerable political weight. Combined with critiques from the expert advisory European Data Protection Board (EDPB), it signals choppy waters ahead for securing and maintaining commercial data flows between the UK and the EU.
The EU granted the UK preliminary approval for data adequacy in February, but the decision is not yet ratified – meaning there’s a chance the process could still be blown off course. The central contention is whether the UK offers “essentially equivalent” data protections to the EU. The UK argues that by complying with GDPR – some of the most stringent data protection legislation in the world – and the accompanying Law Enforcement Directive, it does. But many MEPs have concerns about the country’s extensive surveillance practices.
Last Friday, the European Parliament narrowly voted in favour of a resolution asking the Commission to change its draft decisions on UK data adequacy (344 votes in favour, 311 against and 28 abstaining). While the resolution acknowledged the UK’s data protection framework is similar to the EU’s, it expressed concerns about the breadth of the UK’s immigration exemption, the unwieldy bulk data retention powers for national security reasons, and the possibility of onward transfers to other countries with fewer safeguards on data protection – particularly the US. These challenges were also highlighted by the EDPB, which, although broadly in favour of the UK being granted adequacy, said such issues should undergo more scrutiny before the final decision is reached.
The resolution demands the Commission ask the UK to change its law and practices before agreeing to data adequacy. If the data adequacy agreement goes through in its current form, the resolution advises that national data protection authorities suspend transfers of personal data to the UK where indiscriminate access to personal data would be possible.
A failure to agree data adequacy with Europe would have big implications for UK businesses. Tech London Advocates founder Russ Shaw told Tech Monitor in January that some companies could go under without a data deal being struck.
Tensions within the EU on data protection
“What we are seeing playing out is tension between different institutions of the EU because of their different roles and objectives,” says Dr Karen Mc Cullagh, lecturer in IT, IP and media law at the University of East Anglia. “The European Parliament is prioritising human rights considerations, whereas the Commission is focusing on EU-UK trade objectives, and on ensuring maximal free flow of personal data to facilitate trade.”
The UK’s Data Protection Act 2018 offers the same protections for personal data and the rights of data subjects as the EU. However, the UK has said it will not incorporate the Charter of Fundamental Rights of the EU – articles seven and eight of which constitute fundamental privacy rights and data protection rights that are the basis for the GDPR. A major concern is that the Court of Justice of the European Union (CJEU) will strike down any adequacy decision approved by the Commission, given it has already ruled twice that the UK’s handling of personal data is not in line with EU law.
“While I, like many in the Parliament, would have wished it were otherwise, MEPs had no option this week but to vote against the decision to grant the UK an adequacy decision,” said Clare Daly, an Irish MEP who is a member of The Left in the European Parliament, GUE/NGL. “The risk of interference in the privacy of citizens’ data shared with the UK given its mass surveillance operations as revealed by Edward Snowden; the lack of oversight of those surveillance powers; and the risk of onward transfers to the US NSA, amongst other things, is just too great.”
MEPs have just voted on a resolution on the Privacy Shield, the US-EU data transfer mechanism that was struck down by the CJEU because of mass surveillance operations in the States. This would have made it “hypocritical” to vote in favour of a UK data-sharing agreement, when the UK has many of the same problems with mass surveillance, said Daly.
The EU Commission is aware that the UK data adequacy is flawed, but chooses to pick a fight with the European Parliament and the CJEU, rather than with the UK and the US, said Sophie in’t Veld, Dutch MEP of the Democrats 66 party and a member of the progressive Renew Europe group. “For as long as I can remember, the Commission has allowed data transfers in violation of EU law, for reasons of political expediency,” she said. “It is a shame that the Commission feels more obliged to third-country governments than to its own citizens and to EU law.”
MEPs on the other side of the divide make the case for pragmatism and the economic benefits of free-flowing data. “We need to take these crucial adequacy decisions to avoid disruption of data exchanges between law enforcement authorities, legal uncertainty for businesses and the risk of hundreds of millions of increased costs to do business,” MEP Tom Vandenkendelaere, a member of the right-leaning EPP Group, said in a statement.
EU-UK data adequacy: what happens next?
What happens now? It remains to be seen whether the Commission will ask the UK to change its laws as a condition of securing a data adequacy agreement. One solution would be for the EU and UK to agree that the UK make changes within a specified period, and the EU agrees to issue an adequacy decision pending review at that point. However, that would risk merely delaying dealing with the issue, says Mc Cullagh.
“If the adequacy decision is adopted unchanged then we may well see a repeat of the Max Schrems litigation which saw two different EU-US partial adequacy decisions, Safe Harbour and its replacement, Privacy Shield, being struck down by the CJEU,” says Mc Cullagh. If this were to happen to the UK-EU data-sharing agreement too, “it would require data processors to rely on more complex, burdensome and expensive transfer mechanisms”.
Even if the data adequacy agreement is adopted in its current form, the EU is concerned that the UK’s data protection regime may degrade further over time. This is why the draft adequacy agreement includes a stipulation that it will have to be renewed every four years based on a satisfactory review.
“The government wants to promote the use and reuse of data as a lever for economic growth and digital innovation,” says Subhajit Basu, associate professor of information technology law at the University of Leeds. “There are strong, Brexit-fuelled, de-regulatory hints in the strategy document — with lines like: ‘we will promote domestic best practice and work with international partners to ensure data is not inappropriately constrained by national borders and fragmented regulatory regimes so that it can be used to its full potential.'”
He adds: “There is clear evidence of tension between the UK government’s desire to slash barriers to data sharing as a strategy to drive economic growth and, at the same time, the UK government’s desire also to operate as a ‘trusted’ data regime.”