Data adequacy is a status granted by the European Commission to countries outside the European Economic Area (EEA) who provide a level of personal data protection comparable to that provided in European law. When a country has been awarded the status, information can pass freely between it and the EEA without further safeguards being required.
Data adequacy can also be awarded to specified sectors of an economy or international organisations.
The EU defines personal data as any information relating to an identified or identifiable person. This broad definition covers the usual areas like name, address and bank or health records, while extending to car registrations and photographs. The protection of this data is enshrined in the EU’s Charter of Fundamental Rights.
Since May 2018, personal data within the EU has been protected through the General Data Protection Regulation (GDPR). GDPR aims to harmonise data protection laws across the EEA, as well as updating and expanding the scope of existing regulation. The UK meets GDPR through the 2018 Data Protection Act.
Additional rules and exemptions apply when data is used for law enforcement – individuals do not have a right to ‘erase’ personal data being used in criminal investigations or proceedings, for instance – and are set out in the 2016 Law Enforcement Directive, which is also implemented in the UK’s Data Protection Act.
Trade is increasingly facilitated by cross-border data flows, with businesses reliant on the ability to transfer personal data about their customers or workforce to offer goods and services, and to run even basic internal processes such as cloud-based email or file storage. This is especially true of ‘digitally intensive’ sectors – telecommunications and financial services account for 16% of UK economic output and 24% of total exports according to techUK – and the UK’s burgeoning tech sector.
Volumes of data entering and leaving the UK increased 28 times between 2005 and 2015, and three-quarters of these data transfers are with EU countries. Any restriction placed on data flows would act as a barrier to trade, putting UK businesses at a competitive disadvantage.
Free flows of data are also increasingly important for police and prosecutors trying to tackle cross-border crime. EU member states have developed a range of tools to enable greater collaboration between them, many of which are dependent on the ability to freely transfer data. The significance of these tools is covered in detail in our report, Negotiating Brexit: policing and criminal justice.
The ability to share personal data is also fundamental for supporting medical safety and academic research, as highlighted by the Exiting the EU Committee.
Personal data can be transferred freely between EEA member states, which includes all EU countries. As a third country after Brexit, the UK will no longer automatically benefit from this free flow of data.
The best way of ensuring that data flows continue after Brexit is by securing an adequacy decision. The Commission has recognised 11 countries or territories, including Argentina, Israel, New Zealand and most recently Japan, as providing fully adequate data protection. The USA and Canada have been deemed to provide partially adequate protection – EEA data can be transferred, under certain conditions, to some organisations in these countries.
Even without an adequacy decision, data flows would continue as now during any transition period agreed as part of a withdrawal deal. The Commission would seek to make an adequacy assessment before the end of that period – in the non-binding political declaration, the Commission said that it would aim to reach a decision on the UK’s status before the then-proposed transition period ended in December 2020.
But there is no guarantee that a transition period would be long enough. The fastest adequacy assessment so far, for Argentina, took 18 months. Other assessments have taken up to five years. This means that, even with a deal, data flows could be interrupted for a period.
The UK is ready to begin discussions on data adequacy now, while still a member state, but the Commission has been reluctant to start before the terms of the UK’s withdrawal are settled. Either way, a decision on adequacy cannot be taken until the UK is a third country.
If no deal is reached on the terms of the UK’s withdrawal from the EU, the UK Government has said that it will allow UK data to flow freely to the continent in an attempt to minimise disruption (although it would keep this policy under review).
The Commission has made it clear that it will not reciprocate. It will treat the UK as it does any other third country, ending the free flow of EEA data to the UK – at least until any future adequacy decision is reached.
Transfers of EEA data to the UK would still be possible, but only where additional legal safeguards had been put in place. This takes time and money, putting the onus on individual businesses in both the UK and the EU. Standard Contractual Clauses (SCCs) are the most commonly used safeguard, but implementing these is a costly legal process which requires written agreement between the companies sending and receiving data. SCCs are also currently subject to legal challenge before the European Court of Justice, so may no longer be valid in future. Some EU companies may choose to stop doing business with UK counterparts on account of the additional resource burden and legal uncertainty.
The CBI notes that some UK companies have started putting safeguards in place, but awareness of the impact of no deal on data is low among smaller firms. Those that are aware often lack the expertise to prepare effectively, or are reluctant to invest in preparations for no deal until they know that is the Brexit outcome. Some disruption is inevitable.
An adequacy decision is also a prerequisite, though no guarantee, for connection to any EU policing or judicial database. Border Force would no longer be alerted automatically any time a wanted individual tried to enter the country from the EU, and UK authorities would lose access to information which is crucial at every stage in the criminal process.
With no deal, the UK would also be shut out of EU medicines databases. Currently, drugs are scanned and checked against an EU database before they are dispensed to make sure they are safe. The database is updated if a drug is found to be unsafe, which has the effect of immediately removing the drug from European supply chains. Without access to this database, drugs that are found to have problems elsewhere in the EU may continue to be prescribed in the UK for a period. This could potentially put patient safety at risk.
The UK has negotiated deals with other non-EEA countries that have adequacy agreements with the EU, including the USA, Canada and Japan. Some of these are temporary, but data flows between the UK and these countries will continue at least in the immediate aftermath of a no-deal exit.
Despite the UK’s application of GDPR and implementation of the Law Enforcement Directive in the 2018 Data Protection Act, there is no guarantee the UK will be awarded an adequacy decision – with or without a deal.
The European Court of Justice, which can strike down any adequacy decision approved by the Commission, has already ruled twice that the UK’s handling of personal data is not in line with EU law. One of these judgments was in response to a legal challenge originally brought by David Davis, before he was appointed Secretary of State for Exiting the EU.
The ECJ judgments relate to the UK’s handling of data under the Investigatory Powers Act 2016 (the so-called ‘Snoopers’ Charter’). This is with particular respect to data retention and the bulk collection of data by the security services which, according to the Court, contravene fundamental rights as enshrined in the Charter of Fundamental Rights (CFR).
The UK’s new 2018 Data Protection Act could also cause problems. A January 2018 report from the Joint Committee on Human Rights questioned whether the Act (then a bill) “offers protection that is equivalent to” the CFR. The Act also waives data protection rights in areas relating to immigration control. This could well be in contravention of EU fundamental rights protections, as the Home Affairs Committee pointed out in March 2018.
The onward transfer of data from the UK to close security partners such as Australia, which does not have an adequacy agreement with the EU, is another contentious area. The EU is unlikely to declare UK data protection standards ‘adequate’ if there is a risk that personal data from the EEA could be passed on to countries which do not themselves offer an adequate level of protection.