For detail on what was agreed on data in the UK–EU Trade and Cooperation Agreement, please read our analysis of the deal.
Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) that provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required.
Data adequacy can also be awarded to specified sectors of an economy or international organisations.
The EU defines personal data as any information relating to an identified or identifiable person. This broad definition covers the usual areas like name, address and bank or health records, while extending to car registrations and photographs. The protection of this data is enshrined in the EU’s Charter of Fundamental Rights.
Since May 2018, personal data within the EU has been protected through the General Data Protection Regulation (GDPR). GDPR aims to harmonise data protection laws across the EEA, as well as updating and expanding the scope of existing regulation. The UK meets GDPR through the 2018 Data Protection Act.
Additional rules and exemptions apply when data is used for law enforcement – individuals do not have a right to ‘erase’ personal data being used in criminal investigations or proceedings, for instance – and are set out in the 2016 Law Enforcement Directive, which is also implemented in the UK’s Data Protection Act.
Trade is increasingly facilitated by cross-border data flows, with businesses reliant on the ability to transfer personal data about their customers or workforce to offer goods and services, and to run even basic internal processes such as cloud-based email or file storage. This is especially true of ‘digitally intensive’ sectors – telecommunications and financial services account for 16% of UK economic output and 24% of total exports according to techUK – and the UK’s burgeoning tech sector.
Volumes of data entering and leaving the UK increased 28 times between 2005 and 2015, and three-quarters of these data transfers are with EU countries. Any restriction placed on data flows would act as a barrier to trade, putting UK businesses at a competitive disadvantage.
Free flows of data are increasingly important for police and prosecutors trying to tackle cross-border crime. EU member states have developed a range of tools to enable greater collaboration between them, many of which are dependent on the ability to freely transfer data. The significance of these tools is covered in detail in our report, Negotiating Brexit: policing and criminal justice.
The ability to share personal data is also fundamental for supporting medical safety and academic research, as highlighted by the Exiting the EU Committee.
During the transition period, the EU will continue to treat the UK as if it were a member state. This means that data will continue to flow between the UK and the EEA. When the transition period ends, the UK will no longer automatically benefit from this free flow of data.
The best way of ensuring that data flows continue after transition is by securing an adequacy decision. The Commission has recognised 11 countries or territories, including Argentina, Israel, New Zealand and most recently Japan, as providing fully adequate data protection. The USA and Canada have been deemed to provide partially adequate protection – EEA data can be transferred, under certain conditions, to some organisations in these countries.
The Commission will seek to make an adequacy assessment for the UK before the end of the transition period – the Political Declaration suggests the end of December 2020 as the intended timescale.
But there is no guarantee that the transition period will be long enough to complete the adequacy assessment. The fastest adequacy assessment so far, for Argentina, took 18 months. Other assessments have taken up to five years. The transition period is currently due to end at the end of 2020, since the UK and the EU did not agree an extension.
When preparing for a no-deal exit, the UK government said that it would allow UK data to flow freely to the continent in an attempt to minimise disruption (although it would keep this policy under review). The Commission made it clear that it would not reciprocate. It would treat the UK as it does any other third country until an adequacy decision has been reached. The Commission might do the same if an adequacy decision is not reached by the end of the transition period.
Transfers of EEA data to the UK would still be possible, but only where additional legal safeguards had been put in place. This takes time and money, putting the onus on individual businesses in both the UK and the EU. Standard Contractual Clauses (SCCs) are the most commonly used safeguard, but implementing these is a costly legal process which requires written agreement between the companies sending and receiving data. SCCs are also currently subject to legal challenge before the European Court of Justice, so may no longer be valid in future. Some EU companies may choose to stop doing business with UK counterparts on account of the additional resource burden and legal uncertainty.
An adequacy decision is also a prerequisite, though no guarantee, for connection to any EU policing or judicial database. Border Force would no longer be alerted automatically any time a wanted individual tried to enter the country from the EU, and UK authorities would lose access to information which is crucial at every stage in the criminal process.
Despite the UK’s application of GDPR and implementation of the Law Enforcement Directive under the 2018 Data Protection Act, there is no guarantee it will be awarded an adequacy decision.
The European Court of Justice, which can strike down any adequacy decision approved by the Commission, has already ruled twice that the UK’s handling of personal data is not in line with EU law. One of these judgments was in response to a legal challenge originally brought by David Davis, before he was appointed Secretary of State for Exiting the EU.
The ECJ judgments relate to the UK’s handling of data under the Investigatory Powers Act 2016 (the so-called ‘Snoopers’ Charter’) – and in particular data collection and retention by the security services which, according to the ECJ, contravened fundamental rights as enshrined in the Charter of Fundamental Rights (CFR).
The UK has also been accused of “deliberate violations and abuse” of the Schengen Information System. This has led several member states, notably the Netherlands, to question whether the UK should be awarded data adequacy after Brexit.
The UK’s 2018 Data Protection Act could also cause problems. A January 2018 report from the Joint Committee on Human Rights questioned whether the Act (then a bill) “offers protection that is equivalent to” the CFR. The Act also waives data protection rights in areas relating to immigration control. This could well be in contravention of EU fundamental rights protections, as the Home Affairs Committee pointed out in March 2018.
The onward transfer of data from the UK to close security partners such as Australia, which does not have an adequacy agreement with the EU, is another contentious area. The EU is unlikely to declare UK data protection standards ‘adequate’ if there is a risk that personal data from the EEA could be passed on to countries which do not themselves offer an adequate level of protection.