The UK’s Data Dilemma

In a speech delivered last week, John Whittingdale MP, the United Kingdom’s Minister of State for Media and Data, told a conference of Privacy Laws & Business that he welcomed:

 … the European Commission’s February publication of draft data adequacy decisions for the UK, which rightly reflect our high data protection standards and paves the way for their formal approval.

The draft decisions will now be shared with the European Data Protection Board for a non-binding opinion and the European Parliament before being presented to Member States for formal approval. I urge the EU to fulfil its commitment in the agreed declaration and complete the process promptly.

Whittingdale’s comments came at the end of a speech in which he talked about the UK’s plans to use data to drive economic development. He also talked about the UK’s plans to expand the list of countries to which the UK will grant a “data adequacy” decision, which means that personal data can be seamlessly transferred to such countries from the UK.

He noted that currently UK law treats as adequate the EU and EEA Member States, as well as the following 13 countries: Andorra, Argentina, Canada, the Faroe Islands, Gibraltar, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay. In other words, those countries to which the EU has itself already given an adequacy decision. The minister went on to say:

We intend to expand the list of adequate destinations in line with our global ambitions and commitment to high standards of data protection. Doing so will provide both UK organisations and our international partners with more straightforward and safe mechanisms for international data transfers.

Of course, as a “sovereign, independent state” the UK is free to do as it chooses. The whole point of Brexit was to enable the UK to break free from European laws and make its own way in the world, free of European Union constraints.

But this leaves the UK with a large data elephant in the room. What happens if the UK awards an adequacy decision to a country which does not have an adequacy decision with the EU? Would the EU be content to have the personal data of EU citizens transferred to the UK under the terms of an EU/UK adequacy decision if that data could then be transferred on to a third country to which the UK had granted an adequacy decision? For example, where would matters stand if the UK granted an adequacy decision to the US?

The UK does not appear to have an answer to this question. As Oliver Patel, Head of Inbound Data Flows – UK Department for Digital, Culture, Media and Sport (DCMS) posted on LinkedIn in answer to a comment on Whittingdale’s speech that wondered if UK decisions favouring third countries would jeopardise the UK’s own status under EU GDPR:

We do not think that the UK granting adequacy decisions in respect of new countries should cause problems for EU adequacy in respect of the UK. Any future UK adequacy decisions will only be granted to jurisdictions which, following a rigorous assessment, are found to have high data protection standards and robust enforcement, as well as respect for fundamental freedoms and human rights. The European Commission reviewed the UK’s international data transfers legislation and framework as part of its comprehensive assessment of the UK, and they have provided details of why it is ‘adequate’ in their draft decisions.

But this response does not specifically address the issue raised. What the UK thinks the EU should think about UK actions is neither here nor there. The EU will “think” what is in its own best interests.

This is not just idle speculation on our part. Lexology reports that members of the European Parliament are already concerned about the proposed UK data adequacy decision. The report notes:

At a hearing of the parliament’s civil liberties, justice and home affairs committee on 16 March, MEPs levelled heavy criticism at Commissioner Didier Reynders, who leads the European Commission department that issued the UK adequacy decisions in February. 

Dutch ALDE MEP Sophie in ‘t Veld claimed the commission’s verdict on the UK’s data protection regime “looks very much like a political decision”. Adequacy decisions are supposed to be made independently of political and trade negotiations, decided purely on the basis of a country’s data protection practices.

Responding to questions about onward data transfers (from the UK) to countries that the EU has not marked as adequate, Reynders said the commission:

“…will not accept a situation where data is sent to the UK under an adequacy decision and then transferred to a third country”. 

“But that’s not how the UK system is currently set up,” he said. “The rules on transfers in the UK are exactly the same as those in the EU.”

But Whittingdale’s speech says that this is exactly what the UK plans to do: to give adequacy decisions to “third countries” which the EU considers “inadequate”. And, once the UK does that, the EU data adequacy decision is at extreme risk, as the above quotes illustrate.

Losing an EU data adequacy decision would be costly for the UK, and extremely disruptive for businesses and individuals. As a November 2020 report from University College London notes:

New modelling prepared for this report estimates that the aggregate cost to UK firms of no adequacy decision would likely be between £1 billion and £1.6 billion. This extra cost stems from the additional compliance obligations – such as setting up standard contractual clauses (SCCs) – on companies that want to continue transferring data from the EU to the UK. We believe our modelling is a relatively conservative estimate as it is underpinned by moderate assumptions about the firm-level cost and number of companies affected.

We estimate that the average compliance costs for a business that is affected would be:

    • £3,000 for a micro business
    • £10,000 for a small business
    • £19,555 for a medium business
    • £162,790 for a large business

This overall figure of between £1 billion and £1.6 billion represents money that companies would have been free to spend to meet the requirements of the business by, for instance, investing in new equipment, staff, or processes, but are now required to channel into compliance activities or additional costs for goods and services, due to EU-UK data flows disruption.

No adequacy decision would also have a range of other economic implications, including:

    • Increased risk of GDPR fines, due to the new compliance requirements
    • Reduction in EU-UK trade, especially digital trade
    • Reduced investment (both domestic and international)
    • Relocation of business functions, infrastructure, and personnel outside the UK

The UK is confronted with what we might call a “data dilemma”. If it wants an adequacy decision from the EU then it cannot afford to become a “data transfer hub”, taking data from the EU and sending it on to third countries.

But if it wants to strike data deals with third countries then it risks losing the EU adequacy decision.

It is perfectly reasonable to take the view that the EU’s data protection regime is overly restrictive and has, to some extent, fallen captive to what we have previously called “privacy fundamentalists”.

There is a case to be made that the EU needs to rethink the balance between data privacy and the needs of an economy increasingly built on creative data usage. We do not believe that overly restrictive “data borders” are in Europe’s long-term interests.

But, for now, the law is as it is. Which leaves the UK with a “data dilemma”.

 

 

NB: This BEERG Brexit Blog has addressed the issue of data transfers and data adequacy decisions many times over the past few years. You will find past commentaries here: category/data-protection/