Ian Cooper (DCU Brexit Institute)
On 16 September 2021, the DCU Brexit Institute hosted an event on “Cross-Border Data Protection After Brexit”, convened in cooperation with the DCU Law Research Centre and the Cross Border Data Protection Network, funded under the ESCR-IRC UK-Ireland Networking Grant.
After an introduction by Prof. Federico Fabbrini, Director of the DCU Brexit Institute, the event was kicked off by a Keynote Speech by Viviane Reding, former Vice President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship. Ms. Reding was the chief architect of the landmark EU legislation, the General Data Protection Regulation (GDPR). She began by noting that the EU was built on values, but at the beginning the construction was more about nations than individual citizens. Two key turning points were the creation of the Single Market, which recognized the free movement of citizens, and the Treaty of Lisbon, which included the Charter of Fundamental Rights that explicitly recognized the rights of individuals to their personal data. The previous legislation in this area, the Data Privacy directive, dated back to 1995, which she called the “Digital Stone Age.” By the 2010s it had become apparent that EU citizens were not just concerned about government surveillance but also the misuse of their data by private companies. In 2012 she introduced new legislation that sought to avoid a piecemeal approach (i.e. a directive) but instead to establish a stronger system that would apply uniformly to all persons and all companies on EU territory. Initially this legislation faced heavy lobbying against it coming from the US. But EU lawmakers were galvanized in 2013 by the Edward Snowden revelations showing that telecommunications companies were secretly sharing their customers’ data with the US government. The GDPR was adopted in 2016 and became enforceable in 2018. Ms. Reding thought that the enforcement of the GDPR was initially too lax against the largest tech firms, but lately national regulators have gotten tougher, imposing large fines.
Ms. Reding emphasized that an Adequacy Decision, a finding that a third country has a similar date protection regime as the EU, is entirely a Commission decision, and these are relatively rare. The Commission made an Adequacy Decision with respect to the post-Brexit UK – which was not surprising given that the UK had applied the GDPR when it was a member state – but such a decision could be reversed if circumstances changed and the UK opted to loosen data protections to facilitate trade. She emphasized the importance of ethical regulations regarding Artificial Intelligence which maintain human control of algorithms. Regarding the US, she expressed her concern at the lack of any coherent data protection regime at the federal level, which puts companies that operate both in the EU and the US in an uncomfortable position. She insisted that the best way forward would be to establish a new data deal between the EU and the US that would set joint rules for both.
The keynote was followed by a high-level roundtable moderated by Karlin Lillington (The Irish Times). All the panelists made reference to a recent UK government consultative document, “Data: A New Direction,” which explored various ways in which the UK might reform its data protection regime but did not actually state a change in policy. Mike Harris (Grant Thornton), who advises organizations about privacy and security issues, discussed the potential changes in the UK due to Brexit. He said that organizations that process data will need to be careful to understand their data flows, where their customers are, and what third parties they are dealing with. Orla Lynskey (London School of Economics) continued the discussion by questioning the sustainability of the UK’s adequacy decision. Overall, the adequacy framework implies a degree of flexibility of means, in that different states can structure their data protection regimes in different ways, so long as they achieve the same ends, i.e. a standard of data protection that is similar to the EU regime. Yet it is unclear how much flexibility will be allowed in practice. She also raised concerns about national security and the independence of the UK regulator. Finally, Edoardo Celeste (DCU), also questioned the aim of the UK’s policy, arguing that if it truly wants to take its regime in “a new direction” then this necessarily adds a new layer of instability to the UK adequacy decision. If the UK departs from the common standards, data privacy actors could challenge the UK law. In conclusion, he endorsed Ms. Reding’s idea that the US and the EU should join forces in a new transatlantic data deal.
You can find the video of the event here.