Data adequacy: Outstanding issues from the EU-UK agreement
Brussels is expected to agree to data flows between the EU and the UK in an important settlement. Some questions remain.
The European Commission is reported to be on the brink of approving 'data adequacy' for the UK in a key post-Brexit settlement. Approval would mean that the UK has passed the test of showing that its data protection and privacy standards match those of the EU's flagship GDPR, even though the issue has served as a negotiating chip up to now. In practice, the EU would be agreeing that personal data from the EU/EEA can continue to flow to, and be stored and processed in, the UK without additional safeguards.
The General Data Protection Regulation (GDPR) is emblematic of the EU's developing status as a regulatory standards-setter. The bloc has increasingly been seen as the world's regulator, with its data protection requirements making even Silicon Valley's largest operators take heed. The European market includes 450 million of the world's wealthiest consumers and is difficult for the likes of Facebook, Google and Apple to ignore. Non-compliance with aspects of GDPR has similarly led to large tech companies facing fines imposed by regulators across Europe, particularly in France. That sway is perhaps the EU's number one geopolitical asset so it's no surprise to see it take prime place in its emerging geostrategy. This applies equally to the long tail of Brexit.
Britain's advantage in negotiating with the EU, as many in the pro-Brexit camp have noted, was that the two sides started from a position of near-total regulatory alignment. Indeed, before Brexit the UK's regulator had supplied much of the manpower required to drive the development of data protection law within Europe. It should not be difficult for the two sides to recognise each other's regulatory regimes across a wide range of sectors. That is why this 'data adequacy' ruling has been widely expected: it is mutually beneficial. It is also why, contrary to appearances, most of the Brexit negotiations were fairly straightforward; only a few crucial sticking points caused the Deal to go down to the wire.
As a piece of direct EU legislation, the EU's GDPR has simply become what's known as 'Retained EU Law'. This is legislation that was kept on as part of the sweeping EU (Withdrawal) Act 2018. It sits alongside the UK's Data Protection Act 2018 to create a new 'UK GDPR'. UK GDPR is effectively the same as the EU GDPR, with a few technical changes so that it applies in a UK context.
Areas of risk
A crucial question therefore is: what happens in the future? If the EU is happy with the UK's data protection arrangements, as appears to be the case for now, how long will that last? UK GDPR is explicitly not subject to EU legislative or executive changes. That is, if the EU changes its rules, the UK doesn't have to. That opens up a risk that the EU will see sufficient divergence to revoke the data adequacy approval.
Similarly, the UK could decide to evolve its data rules in its own direction. The most obvious reason for doing so would be to improve trade with others, especially the USA. The US is obviously a data and digital powerhouse, but its privacy rules are considered more lax than those in Europe. We hear a lot about data class actions in the US, but a look at those cases often reveals a situation weighted against data subjects. As two major court cases brought by Austrian campaigner Maximilian Schrems have shown, there is a clash between EU privacy law and US surveillance law. His successful cases, known as Schrems I and Schrems II, led first to the collapse of the Safe Harbour arrangement and then of its successor, the US-EU data sharing deal Privacy Shield. The second ruling removed the USA from the European Commission's list of jurisdictions benefiting from a 'data adequacy' decision.
For now, the UK appears to be in a better position because its data regulations are all but identical to those of the EU. However, last February the Prime Minister stated that:
"the UK would see the EU’s assessment processes on ... data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit."
However, in the same statement he said that the UK intends to pursue 'separate and independent' policies on data. This is consistent with his government's broader negotiating strategy on Brexit, which put the need for regulatory divergence (aka sovereignty) at its heart, but it creates a key risk for the future.
The Schrems II ruling in July 2020 had already put the prospect of a data adequacy agreement at risk, because it made a third country's surveillance law central to any adequacy assessment. There are fears that British intelligence services may be entitled to access EU-originated data (an issue the author sees as made more likely by the UK losing automatic access rights to certain EU crime databases). The UK's membership of the 'Five Eyes' intelligence-sharing network with other major Anglophone countries is an additional worry.
If the UK government decides to pursue its own data policies, perhaps as part of a deal with the USA, then there is a clear risk of a Schrems III, with the UK finding itself legally cut out of the EU's approved data list. This is both a legal threat and a political one. Vera Jourova, the EU's vice-president for values and transparency, has said that the EU-UK data agreement must be 'future proof', adding that "We will need to be very vigilant that such developments [e.g. regulatory divergence] do not undermine the level of protection we would have found to be adequate."
That sounds like a threat, intended or not, that the current regulatory alignment on data will form a bargaining chip in future EU-UK relations. Brexit has a long tail, with much still to be decided and plenty that could change over the coming years. A back-up option is no doubt under consideration in London and Washington: standard contractual clauses (SCCs), which are standard-form contractual commitments on data protection that a data importer gives to a data exporter, applied transfer by transfer rather than through a blanket country-level approval. SCCs survived Schrems II in principle, but the court required exporters to assess, for each transfer, whether the law of the importing country undermines those commitments and to add supplementary measures where it does. They could therefore form a basis for looser data relations with less rigid alignment. That would appear to be unnecessary for the UK in the European context for now, but as things develop it may become a far more important tool as the UK seeks to break from the EU's trade and regulatory orbit and build stronger relations elsewhere.
Lawyers frequently note that the GDPR is one of the most unwieldy pieces of legislation to emerge from the EU and is in dire need of simplification. That makes reforms, and therefore divergence between London and Brussels, far more likely.
The settlement of the data adequacy rules therefore offers some confidence to UK and EU companies handling data across borders, but it doesn't settle the political risk factors completely.
To discuss your organisation's political risk priorities, please contact Helmsley Partners.