UK gains 'adequacy' status on data sharing with EU, but making that stick all depends on how much post-Brexit law diverges
TIGRR threatens to bounce through unacceptable changes to the rules
The European Union has formally voted for proposals to give the UK "adequate" status in its data protection laws, allowing data sharing to continue in the post-Brexit world.
But the move could prove temporary if the UK were to move too far from the principles of the General Data Protection Regulation (GDPR) in its ambition to be a global tech juggernaut.
Voting through the draft "Commission Implementing Decisions on the adequate protection of personal data by the United Kingdom", the Committee on the Protection of Individuals with Regard to the Processing of Personal Data adopted the proposals for data sharing.
In February, the European Commission said that EU law has shaped the UK's data protection regime for decades, unlike other countries with divergent systems. But it emphasised it would need to "future proof" the adequacy finding since the UK was no longer bound by EU privacy rules. Adoption of the draft decision was therefore proposed to be valid for four years.
The Confederation of British Industry (CBI) welcomed the decision. Russell Antram, head of EU negotiations, said: "Securing a positive decision on data adequacy from the EU was a priority for thousands of businesses across the UK. The free flow of data between the UK and the EU is essential for businesses across the economy – from automotive to logistics – playing an important role in everyday trade of goods and services."
Georgina Kon, technology and media partner at law firm Linklaters, said the adequacy decision was "quite unique" in that there was no specific end date or formal review.
She said: "There is an ongoing review of the UK's adequacy. What that means is that if the UK goes too far in liberalising its regime, particularly with respect to international transfers of data – which is something we know that the UK has been interested in doing – the Commission reserves the right to revoke the adequacy. Adequacy doesn't mean it's done and dusted. I think anything that the UK government does to try to make it a much more attractive destination for data would – if it goes too far – get some pushback from the EU."
Where would such an impetus to change UK law come from? Look no further than the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR), a Brexit goon-squad of Tory MPs that produced its report last week, complete with an endorsement from Prime Minister Boris Johnson.
The TIGRR report is damning of Article 5 of GDPR, which states among other things that data should be "collected for specified, explicit and legitimate purposes" and be "adequate, relevant and limited to what is necessary."
"These restrictions limit AI because they prevent AI organisations from collecting new data before they understand its potential value and they also mean that existing data cannot be reused for novel purposes," the report said.
The 130-page document did not mention the phrase "data adequacy" even once, which might be troubling to those in the UK whose businesses depend on being able to access EU personal data.
Kon pointed out that any assault on the principles behind Article 5 in UK laws could spell trouble for the adequacy ruling. "Article 5 is fundamental; it tells you what the key principles for personal data ought to be within the EU. If the UK were to move far away from the existing Article 5 principle that could undermine the adequacy decision," she said.
It is possible the adequacy decision could be challenged in court, with data flows suspended while cases are ongoing.
A blog from the German Federal Ministry of Justice and Consumer Protection has pointed out that a German Supervisory Authority could hold up the sharing of data with the UK and go to a federal court and then the European Court of Justice for a decision.
In any case, the ruling on the UK being an adequate jurisdiction to share data with would be reviewed on an ongoing basis as UK legislation diverges from EU law. ®
Updated to add at 11:37 UTC on 28.06.2021
The Commission formally announced its adoption of adequacy decisions for the UK [PDF] on Monday, 28 June.