No matter the legal reasoning, an "adequacy" decision to let data flow between the UK and the EU will hinge on the ups and downs of the wider Brexit negotiations, which are entering a tense final phase.
It was once almost a foregone conclusion that the UK would comply with EU data protection law enshrined in GDPR after the Brexit transition agreement ends on 31 December 2020. But recent reports about the EU's reaction to the UK's "National Data Strategy" have cast some doubt on that assumption.
The strategy was published in early September, it is a consultation document that runs for 12 weeks and centres on how the UK can "improve data use and control across the public and private sectors".
According to The Guardian, EU sources have expressed concern over the UK government's game plan, adding to existing worries over the UK's approach at the end of the transition period.
The EU's focus was on the strategy's commitment to remove "legal barriers (real and perceived)" to data use, the issue of sharing data across borders, and the proposed "radical transformation" of government data use.
At the end of the Brexit transition period, when business-as-usual trading with the EU will come to an end and the UK begins dealing with the world's largest trading bloc on new terms, the EU will need to decide whether the new UK data rules are sufficiently aligned with GDPR and allow the uninterrupted transfer of personal data from the EU to the UK.
Such a decision of "adequacy" in the relationship with EU data law is said to be important to the UK working as a successful digital economy.
Other factors that may have a bearing on the EU's decision could be the UK's move to allow ministers to change data protection rules without going through Parliament, as set out in a written answer from Prime Minister Boris Johnson in February, according to Chris Pounder, director of data compliance training firm Amberhawk.
"If the EU is looking to see if the UK is adequate in terms of its data protection law, and the next day a minister can change it, the EU might have to place restrictions on data transfer to the UK," he told us.
Pounder also pointed out that EU officials looking for safeguards will not be reassured by the possibility that the UK could depart the European Convention on Human Rights, article 8 of which deals with rights around data.
The EU, however, may have bigger fish to fry in terms of the broader trade deal with the UK.
"The deal is a political deal, not one about data protection. If the EU wants a deal, it will fudge the decision for the 'adequacy' of UK data law," Pounder claimed.
Ultimately, the strength of that fudge might only be tested if someone is prepared to bring a case, as with Austrian privacy activist Max Schrems, he said. The Schrems case has just seen the European Court of Justice strike down the so-called Privacy Shield data protection arrangements between the political bloc and the US.
How do you solve a problem like Privacy Shield? US and EU policymakers kick off discussionsREAD MORE
Georgina Kon, technology and media partner at law firm Linklaters, agreed that the EU's decision on the UK's data protection status would hinge on more than the law.
"It shouldn't be a political football, but it probably will become a political football," she said. "We are sort of partly held hostage to the overall [Brexit] process and data at the moment is not necessarily the biggest issue on everybody's mind, and there are things like the Irish [border] questions which are attracting a lot more attention."
Should the EU and the UK fail to make a deal, there could still be some strong arguments for adequacy in that the UK's Information Commissioner's Office has historically been one of the most active members of the EU's regulatory community and helped draft the guidance around GDPR.
Of the legal reason for blocking an adequacy decision, government surveillance of personal data and the rules governing the transfer of data to another jurisdiction would be the most important, Kon said.
The UK's strategy may be guided behind the scenes by the Prime Minister's chief advisor, Dominic Cummings, a divisive figure pushing for a radical "pro-tech" economy who sees GDPR as a hindrance to that cause. It might not help that he was held in contempt of Parliament for refusing to appear before a committee investigating data breaches during his role in the Vote Leave Brexit referendum campaign.
But it looks like there are more important factors at play than Dominic Cummings – for once. ®