UK government under pressure to prove data adequacy to EU

The UK government is coming under increasing pressure to convince Brussels regulators that the country's data protection landscape is fit for EU personal data, amid wider concerns that UK surveillance practices compromise the security of EU standards in the field.

On Tuesday (13 October), the UK’s upper chamber, the House of Lords, published a report on the future relationship between the UK and the EU in the business world, highlighting its worry that “there is a possibility that the Commission may not grant the UK a data adequacy decision” for data transfers from the bloc after the Brexit transition period concludes at the end of the year.

“We call on the Government to push for the assessment to be concluded as soon as possible, to give businesses in the UK and EU legal certainty and time to prepare,” the Lords’ report added.

Assessment period ongoing

The EU executive is currently conducting an assessment of the UK’s data protection landscape, in order to determine if EU data can safely be transferred to the UK after Brexit.

Discussions between the EU executive and the UK government on data adequacy have been taking place since March, and the latter has presented a series of explanatory documents to the Commission detailing why it believes the UK is due an adequacy agreement.

However, the Commission is far from certain that an agreement can be hashed out in time, with the EU Vice-President for Values and Transparency Věra Jourová saying that she ‘couldn’t predict’ the outcome of a Commission decision on data adequacy for the UK, because “we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation.”

Her comments came after UK Prime Minister Boris Johnson suggested earlier in the year that the UK would seek to diverge from EU data protection law in pursuit of a more liberal data approach, which has been outlined in the country’s pro-innovation National Data Strategy.

UK Investigatory Powers Act & DPA concerns

Moreover, in wider concerns over the scale of the UK’s surveillance powers outlined in the 2016 Investigatory Powers Act, the European Court of Justice ruled last week that EU member states are only permitted to carry out the indiscriminate transmission and retention of communications data when there is a ‘serious threat to national security,’ in line with EU law.

The Court’s conclusions that the UK’s surveillance powers should have been limited to the provisions outlined in the 2002 ePrivacy directive during the time the country was an EU member will raise more questions about the extent to which the UK’s snooping powers will diverge from EU data protection law following Brexit.

Civil society groups across the bloc are now starting to protest over the UK’s prospective data adequacy agreement with the EU.

On Monday, the Irish Council for Civil Liberties sent a letter to the European Commission, making the case for why the UK should not be granted such a decision. The group cited the track record of the UK’s data protection authority, the Information Commissioner’s Office, as the prime reason why the country cannot be trusted with EU personal data.

Backup plans

Should the UK not be granted an adequacy deal, its firms would be required to fall back on one of two instruments outlined in the GDPR.

The first option would be for companies to make use of so-called Standard Contractual Clauses – individual agreements designed by the EU executive, which safeguard EU data protection standards between two parties taking part in a transfer.

An alternative would be to commit to a ‘Binding corporate rules’ framework which attempts to facilitate data transfers for one firm with sites on both sides of the channel, or a group of firms. In this type of setup, the relevant EU data protection authority would be required to rubber-stamp the agreement, resulting in a lengthy process overall.

On the prospect of firms being left without an adequacy decision and required to fall back on one of these two instruments, the House of Lords report warned that “smaller operators in the UK remain unprepared for the possibility of no adequacy decision, with some unaware of the potential requirement for standard contractual clauses”.

A ‘fudge’?

Despite the Commission’s recent public gesturing against the certainty of an EU-UK data transfer accord, one EU source close to the matter recently informed EURACTIV that in all likelihood, the EU executive would come to a ‘compromise’ and ‘fudge-out’ an eventual deal.

In Brussels this week, EU leaders are set to gather for a Council summit on Thursday and Friday, where EU-UK trade relations are set to dominate.

In his invitation to EU heads of state, Council President Charles Michel said that a trade agreement between the bloc and the UK is in the interest of both parties but that such an agreement cannot come “at any price.”

[Edited by Benjamin Fox]
