Karen Mc Cullagh (University of East Anglia)
The UK economy is predominantly service based (in 2019, the service industries accounted for 80% of total UK economic output (Gross Value Added)), and most of its trade in services is with the EU and the US. As many of these service industries, including digital technology businesses, generate and rely upon huge volumes of personal data in their operations in the form of customer records, behavioural, profile, and transactional data, the UK government is keen to ensure that personal data continues to flow freely from both.
Accordingly, this blog post considers the implications of Brexit for EU-UK transfers before considering whether the UK will have any post-transition regulatory leverage regarding data protection law to use as a bargaining chip in respect of trade negotiations with the US as it has been suggested that the UK will diverge from the EU standard and offer a lower level of data protection to secure a trade deal with the US. Indeed, the UK Prime Minister’s former chief adviser, Mr Dominic Cummings, has claimed that “The GDPR legislation is horrific. One of the many advantages of Brexit is we will soon be able to bin such idiotic laws. We will be able to navigate between America’s poor protection of privacy and the EU’s hostility to technology and entrepreneurs.” I will explain that although the UK will struggle to secure an adequacy decision to facilitate EU-UK data transfers, lowering the UK’s standard of protection is not in the UK’s best interests either.
The ‘adequacy’ challenge
In an attempt to ensure unimpeded data transfers from the EU to the UK once the transition periods end on 31st December 2020, the UK government has asked the European Commission to commence assessment of the adequacy of UK laws and procedures to satisfy itself that the UK affords “essentially equivalent” protection to personal data.
Mr John Whittingdale (the Minister of State in the UK’s Department for Digital, Culture, Media and Sport ) has asserted that “we see the EU’s assessment process on data adequacy as technical and confirmatory of the reality that the UK is operating the same regulatory frameworks as the EU,” and that it will be granted by the end of the transition period because “it is self-evidently in the interest of both sides to have adequacy decisions in place by the end of the year.” The government has cited the UK’s implementation of the GDPR and decision to retain the GDPR in UK law once the transition period ends as confirmation that: “Protecting personal data is and will continue to be a priority for the UK,” and assuage any concerns the EU might have regarding continued alignment.
However, there are a number of potential obstacles to a finding of adequacy, the most problematic of which is the UK’s extensive surveillance and bulk data collection laws (found in the Investigatory Powers Act 2016). The EU Commission assessment will examine not just that legislation, but also the means of redress available to individuals in the EU seeking to complain that their data protection and privacy rights have been infringed. Despite assurances from the UK government that “UK legislation provides for unprecedented oversight of the operation of the UK’s national security and investigatory powers framework,” three elements of the IPA 2016, namely: targeted acquisition and retention powers, bulk warrant powers, and onward transfers to Five Eyes Alliance partners will give the Commission cause for concern and may impede a finding of adequacy.
The Government has therefore recommended that UK-based companies immediately prepare to use alternative transfer mechanisms such as Binding Corporate Rules, Standard Contractual Clauses and consent to ensure that personal data can be legally transferred from the EU to the UK in the absence of an adequacy decision. As the alternative transfer mechanisms will increase the compliance burden for UK-established businesses that process personal data a few commentators have suggested that the UK should instead seek to diverge from the GDPR standards.
An illusory opportunity to diverge?
In my view, those calling for divergence are prioritising political aspirations over economic and legal reality. Whilst it might be politically attractive to position post-Brexit Britain as a low-regulation, ‘rule-making not rule-taking’, light-touch environment for data processing, it overlooks needs of businesses, specifically, the need for seamless global transfers of personal data with as few variations in legal obligations as possible to minimise compliance burdens.
Claims that divergence from the EU standard would improve business relations with the US overlook the fact that many US-based companies that process personal data have already taken steps to ensure compliance with the GDPR, and have also lobbied for the US government to replace the recently struck down adequacy decision (known as Privacy Shield) to facilitate EU-US transfers, because multiple standards of data protection are not welcomed by data controllers operating on a multi-national basis. This point was emphasised by Antony Walker of TechUK in evidence to the House of Lords Select committee on the European Union: “we have to remember the size of the UK market versus the size of the European market”, which means that “we will have to do that very much in partnership with the European Union, rather than simply boldly striking out by ourselves and hoping others will follow.” Divergence could increase the compliance burden of some data controllers such that they might decide not to transfer personal data to the UK for processing and the UK could become a less attractive business destination.
In sum, although the UK and US are likely to continue to complain about the EU GDPR, calls for the UK to diverge from the EU data protection framework are not likely to be loud or pressing while the EU remains the UK’s largest trading partner, which is predicted to be the case for many years to come. Whilst Brexiteers are likely to be disappointed by the UK’s continued alignment with EU data protection laws, data protection advocates will frame it as evidence of the influence of the GDPR and its effectiveness in in ensuring high standards of data protection in third countries around the world.
Karen Mc Cullagh is Lecturer in IT, IP and Media law, and Course Director for the LLM in Media Law, Policy & Practice at the University of East Anglia