The UK’s services-oriented economy is heavily reliant on data. According to techUK, ‘digitally intensive’ sectors, such as telecommunications and financial services, account for 16% of UK output and 24% of total exports. Volumes of data entering and leaving the country increased 28 times between 2005 and 2015, and three-quarters of these data transfers are with EU countries. Any restriction placed on data flows would act as a barrier to trade, putting UK businesses at a competitive disadvantage.
Free flows of data are also increasingly important for police and prosecutors trying to tackle cross-border crime. EU member states have developed a range of tools to enable greater collaboration between them, many of which are dependent on the ability to transfer data freely. The significance of these tools is covered in detail in our report, Negotiating Brexit: policing and criminal justice.
Personal data can be transferred freely between European Economic Area (EEA) member states, which includes all EU countries. As a third country, the UK will no longer automatically benefit from this free flow of data after Brexit.
The EU has very high standards for the protection of personal data. It only allows data to flow freely to a third country if the European Commission decides that the country offers a level of protection for personal data comparable to the EU’s own. This is known as an ‘adequacy decision’.
Currently, the Commission has recognised 11 countries or territories, including Argentina, Israel, New Zealand and most recently Japan, as providing fully adequate data protection.
The USA and Canada have been deemed to provide only partially adequate protection. In Canada, only private organisations that use the data for commercial activities have free access to EU data. Data transfers between the USA and EU were covered by the Safe Harbour Agreement, until the European Court of Justice (ECJ) found this agreement invalid in 2015 in light of information leaked by Edward Snowden. EU–US data sharing is now governed by the 2016 EU–US Privacy Shield.
Data adequacy can also be awarded to specified sectors of an economy, or international organisations.
The EU definition of personal data is any information relating to an identified or identifiable person. This is an intentionally broad definition. It covers the usual areas like name, address and bank and health records, but also extends to car registrations, photographs and satellite images, for example.
EU protection of personal data draws upon Article 8 of the EU Charter of Fundamental Rights (CFR). Since May 2018, personal data within the EU has been protected through the General Data Protection Regulation (GDPR). GDPR aims to harmonise data protection laws across the EEA, as well as updating and expanding the scope of existing data protection regulation, much of which is two decades old. The UK meets the regulation through the 2018 Data Protection Act.
Additional rules protecting citizens’ rights when data is used for criminal law enforcement are set out separately in the 2016 Law Enforcement Directive, which is also implemented in the Data Protection Act.
The UK has proposed a new agreement on data protection, building on but going beyond an adequacy decision. This would underpin the entirety of the future UK-EU relationship – including the proposed economic and security partnerships. Under this agreement, UK and EU data protection authorities would co-operate on the development and enforcement of data protection regulation, and collaborate in resolving any disputes. Much of this was reiterated in the Government’s July 2018 Brexit white paper.
The UK Government says such an agreement would better reflect the breadth and depth of the UK-EU relationship, avoiding unnecessary costs or complexity for businesses and citizens on both sides. It would also remove the uncertainty inherent in the EU’s current approach to dealing with non-members’ data protection regimes, in which the European Commission can unilaterally decide to end data sharing.
In a May 2018 speech, the EU’s Chief Negotiator for Brexit, Michel Barnier, responded to the UK’s proposal for something beyond adequacy, saying that “the only possibility for the EU to protect personal data is through an adequacy decision”. To accept the UK’s proposal, he said, would be to “abandon our decision-making autonomy” – something that the EU “cannot, and will not” do.
Despite the UK’s implementation of GDPR and the Law Enforcement Directive in the 2018 Data Protection Act, there is no guarantee the UK will be awarded an adequacy decision.
The ECJ, which can strike down any adequacy decision approved by the Commission, has already ruled twice that the UK’s handling of personal data is not in line with EU law. One of these judgments was in response to a legal challenge originally brought by David Davis, before he was appointed Secretary of State for Exiting the EU.
The ECJ judgments relate to the UK’s handling of data under the Investigatory Powers Act 2016 (the so-called ‘Snoopers’ Charter’). This is especially with respect to data retention and the bulk collection of data by the security services, which arguably contravene fundamental rights as enshrined in the CFR.
The UK’s new 2018 Data Protection Act could also cause problems. A January 2018 report from the Joint Committee on Human Rights questioned whether the Act (then a bill) “offers protection that is equivalent to Article 8” of the CFR. The Act also waives data protection rights in areas relating to immigration control, again in apparent contravention of EU fundamental rights protections, as the Home Affairs Committee pointed out in March 2018.
The onward transfer of data from the UK to close security partners such as the USA, Australia or Canada is another contentious area. The EU is unlikely to declare the UK adequate if there is a risk that personal data from the EEA could be passed on to countries which do not themselves offer an adequate level of protection.
Even if the UK meets the criteria for adequacy, it may be difficult to guarantee that a decision is reached in time for Brexit. The proposed 21-month transition period between March 2019 and December 2020 should offer sufficient time – the fastest adequacy assessment so far, for Argentina, took 18 months. But other assessments have taken up to five years.
Without an adequacy decision, or any alternative, transfers of EEA data to the UK after Brexit would only be permitted subject to additional safeguards.
This would place the onus on individual businesses. Standard Contractual Clauses (SCCs) are the most commonly used safeguard, but they would prove a costly burden for UK and international businesses alike, with written agreement required between the company sending data and the company receiving it in every case. SCCs are also currently subject to legal challenge before the ECJ.
Another option for multinational companies that want to transfer EEA data to the UK would be to apply a strict set of rules, referred to as binding corporate rules (BCRs), throughout their business. This would allow them to transfer data between countries, provided it stays within the same corporate group. But this, too, would be complicated. BCRs need to be authorised by the various data protection authorities of EU and EEA member states – a process that could take a year even for ‘a straightforward application’, according to the Information Commissioner’s Office.
Regardless of approach, the impact of putting safeguards in place would be most significant for small businesses, which may lack the necessary resources and expertise. BCRs are not even an option if you do not have an EU establishment.
An adequacy decision is also a prerequisite for connection to any EU policing or judicial database (although it by no means guarantees it). Without an adequacy decision, the UK would lose access to information crucial at every stage in the criminal process.
Failure to gain data adequacy after Brexit would limit the ability of customs authorities in the UK to co-operate with those in the EU, too, increasing the administrative burden on traders and introducing more friction to supply chains. UK organisations that employ EU citizens will also be affected – as will individuals who use European online services.
EEA data aside, the UK would lose free access to data from any nation which the EU has negotiated an agreement with, such as the US, until it negotiated replacement agreements.
If no deal is reached on the terms of the UK’s withdrawal from the EU, the Commission has made it clear that it will treat the UK as it does any other third country without an adequacy decision. It will end the free flow of EEA data to the UK – at least until any future adequacy decision is reached.
The UK Government, by contrast, has said that it will continue to recognise EU data protection standards even in a no deal scenario, and will allow UK data to flow freely to the continent in an attempt to minimise disruption. The Government intends to keep this policy under review.
The UK Government is also ready to begin discussions on an adequacy assessment now, while still a member state, in the hope of securing a decision as soon as possible to minimise (or ideally avoid) any interruption in data flows immediately after exit. According to the UK’s no deal guidance, the Commission “has not yet indicated a timetable for this and have [sic] stated that the decision on adequacy cannot be taken until [the UK is] a third country”.