What is data adequacy?
Data adequacy is a status granted by the European Commission to non-EEA countries that provide a level of personal data protection that is “essentially equivalent” to that provided in European law. It can also be awarded to specified sectors of an economy or to international organisations.
Personal data can be transferred freely between EEA member states, which includes all EU countries. But personal data is allowed to leave the EEA only if the Commission judges there to be sufficient protection for this data in the destination country. When a country has been awarded the status, information can pass freely between it and the EEA.
Which countries have been awarded data adequacy?
Currently, the Commission has recognised 12 countries or territories, including Argentina, Israel and New Zealand as providing fully adequate data protection.
The USA and Canada have been deemed to provide only partially adequate protection.
In Canada, only private organisations that use the data for commercial activities have free access to EU data.
Until 2015, data transfers between the USA and EU were covered by the Safe Harbour Agreement. However, in light of information leaked by Edward Snowden, the ECJ found this agreement invalid.
EU–US data sharing is now governed by the 2016 EU–US Privacy Shield.
What does the EU class as personal data?
The EU definition of personal data is any information relating to an identified or identifiable person. This is an intentionally very broad definition. It covers the usual areas like name, address and bank/health records, but it goes further in many areas; for example, car registrations, photographs and satellite images are all classified as personal data.
How does the EU protect personal data?
EU protection of personal data draws upon Article 8 of the European Convention on Human Rights. Currently, personal data within the EU is protected through the 1995 EU Data Protection Directive. The UK meets the directive through the 1998 Data Protection Act.
However, the Data Protection Directive will be superseded by the EU’s 2016 General Data Protection Regulation (GDPR), which provides some additional safeguards around how individuals’ data is used. This aims to harmonise data protection laws across the EEA, as well as updating and expanding the scope of existing data protection regulation, much of which is two decades old. The UK must adhere to the GDPR from May 2018 until at least March 2019 when it leaves the EU.
GDPR is based on a set of seven principles: these are set out in the table below.
Personal data shall:

| Principle | Requirement |
|---|---|
| Principle 1 | Be processed fairly and lawfully |
| Principle 2 | Be collected for a specified purpose and not be further processed in any manner that is incompatible with that purpose |
| Principle 3 | Be adequate, relevant and not excessive in relation to the purpose for which they are processed |
| Principle 4 | Be accurate and kept up to date when necessary |
| Principle 5 | Not be kept longer than is necessary for the specified purpose |
| Principle 6 | Be processed in accordance with the rights of subjects |
| Principle 7 | Not be used in unauthorised or unlawful processing. Appropriate measures will be taken against this, and against accidental loss, damage or destruction |
Additional rules protecting citizens’ rights when data is used for criminal law enforcement are set out in a separate directive.
Why is access to data important?
The UK economy is heavily reliant on data flows, with cross-border data flows increasing 28 times from 2005 to 2015. Digitally intensive sectors, such as telecommunications and financial activities, account for 16% of UK output and 24% of total exports.
What impact could Brexit have on data transfers?
When the UK leaves the EU, it will need to demonstrate it protects data adequately. Without this, GDPR will impose restrictions on the transfer of EEA data to the UK after Brexit.
To continue to have access to EU data, the UK needs a decision from the Commission confirming that it meets the standards of data adequacy.
Matt Hancock, Minister of State for Digital, has stated that the Government is “keen to secure the unhindered flow of data between the UK and the EU post-Brexit”. The Government has introduced a new Data Protection Bill which will “apply the EU’s GDPR standards, preparing Britain for Brexit”. This is intended to support business by ensuring that “UK organisations are best placed to continue to exchange information with the EU and international community”. Adopting the GDPR will help make a stronger case for the Commission to deem the UK’s data protection adequate. Hancock confirmed this, saying “an adequacy decision could work.”
However, even if the UK meets the criteria for adequacy, the slow pace of decision making by the Commission means that achieving an agreement could take years. This issue has been highlighted by Elizabeth Denham, the Information Commissioner. She has stated that the UK’s aim of achieving data adequacy on day one of leaving the EU is a challenging one. She suggests that a transitional arrangement to avoid a cliff edge “would be in the interest of everyone.”
What happens if the UK does not secure an adequacy decision?
If the UK does not secure the Commission’s agreement that it meets the standards, transfers would only be permitted subject to additional safeguards.
One possible safeguard is for multinational companies that want to transfer EEA data to the UK to apply a strict set of rules, referred to as binding corporate rules (BCR), throughout their business. These must be authorised by the various data protection authorities of EU and EEA member states. Exemption from the need for additional safeguards would only apply in a small range of specific scenarios, such as where the individual has given informed consent.
The UK will also lose free access to data from any nation which the EU has negotiated an agreement with, such as the EU–US Privacy Shield, until a replacement agreement can be negotiated with each country.
Failure to gain data adequacy after Brexit would also limit the ability of customs authorities in the UK to cooperate with those in the EU, increasing the administrative burden on traders and introducing more friction to supply chains.
What is the UK Government now proposing?
The Government published a “future partnership” paper on the exchange and protection of data on 24 August. In it, the Government acknowledges uncertainty over the future data relationship between the UK and EU, and the “unnecessary expense and time in contingency planning” to businesses if the UK and the EU failed to negotiate a future data protection arrangement.
The paper makes clear the Government’s intention to “fully implement the most up-to-date EU framework, including the GDPR which comes into force in May 2018”. It also calls for an early UK–EU agreement on mutual recognition of data protection frameworks until a more permanent deal comes into force, and seeks assurances that the UK could continue to benefit from the adequacy agreements that the EU has signed with countries such as the US, Canada and New Zealand.
The proposed approach means the UK would avoid the normal route of concluding data adequacy agreements with non-EU countries. Such agreements have previously taken 18 months or more to conclude.
The Government also wants the Information Commissioner – who is responsible for the UK’s rules on data protection – to continue to participate in discussions with EU counterparts after Brexit.
For the future UK–EU relationship, the Government points to the “essential” need for the UK and the EU to agree “arrangements that allow for free flows of data to continue based on mutual trust in each other’s high data protection standards”. But, other than stating that the future relationship “could build on the existing adequacy model”, the paper does not include any specific proposals or commitments.
What are the potential effects of losing unrestricted access to data?
A recent House of Lords report raised both economic and security concerns about the loss of unrestricted access to data. It states that “the UK could be put at a competitive disadvantage and the police could lose access to information” which are “vital for UK law enforcement”.
Data on EEA citizens may have to be redirected to avoid the UK, disrupting communication links and data flows. This would act as a barrier to trade, increasing costs and reducing investment, competition and innovation.
Provision of the additional safeguards required would represent a costly burden for UK and international businesses alike. For example, the application process for the authorisation of a BCR can often take over a year. The impact would be most significant for UK small businesses, which may lack the resources and expertise necessary to comply with such safeguards.
UK organisations that employ EU citizens will also be affected, as will those who use European online services.
Are there any reasons why the European Commission might be reluctant to deem UK data protection adequate?
The ECJ recently ruled a piece of UK legislation, the Investigatory Powers Act, as illegal on the grounds of providing insufficient data protection. If the UK chooses to enforce this act after Brexit, the Commission is less likely to find that the UK offers adequate protection.
The House of Lords report also highlighted a “lax approach” to the future transfer of data to other non-EEA countries as a risk. For example, the UK would no longer be part of the EU–US Privacy Shield, leading to fewer restrictions on the transfer of data from the UK to the USA. It is possible that data could be transferred from the EU to the UK, then passed on to the USA where EU principles could be violated.
If the UK pursued a data sharing agreement with the USA that allowed for this kind of data transfer, it is likely the EU would declare the UK as “not adequate”. This scenario could also occur with other countries, particularly those with which the UK has close security ties, but which do not protect data sufficiently in the Commission’s view, such as Australia and Canada.