Data protection, data flows, data adequacy, and Brexit

Last updated 19 October 2020

The issues of data protection, data flows, and a data adequacy agreement, post-Brexit, are the fundamental questions for the digital and tech sectors.

The issues at hand are about much more than GDPR, which is only one piece of a healthy data protection framework. The UK is not, and has never been, a healthy country by any measure where data protection is concerned. Other issues, including other policies on data as well as the UK’s domestic surveillance strategy, are only beginning to be recognised now that the UK’s tech sector has been taken out of Europe and the Digital Single Market strategy.

This page is divided into seven policy topics which form the full picture for data protection and Brexit:

Latest developments on adequacy

In January 2020 the European Commission published a slide deck and communique setting out the long road to an adequacy agreement. The EU’s full negotiating position, released on 25 February, sets out data protection as one of two critical bases for cooperation, along with core values and rights. It states that “In view of the importance of data flows, the envisaged partnership should affirm the Parties’ commitment to ensuring a high level of personal data protection, and fully respect the Union’s personal data protection rules, including the Union’s decision-making process as regards adequacy decisions. The adoption by the Union of adequacy decisions, if the applicable conditions are met, should be an enabling factor for cooperation and exchange of information, in particular in the area of law enforcement and judicial cooperation in criminal matters.”

However, on the same day the EC issued its January communique, Boris Johnson said that the UK will “restore sovereignty” over data protection, which was clarified in the accompanying written statement as “The UK will in future develop separate and independent policies in areas such as […] data protection.” This context can only mean no data adequacy agreement at all. I would politely note that “we’re going to take our ball and go home” is neither a policy position nor a negotiating stance.

The UK’s negotiating statement, released on 27 February, set out the following positions:

The UK will have an independent policy on data protection at the end of the transition period and will remain committed to high data protection standards.
To maintain the continued free flow of personal data from the EU to the UK, the UK will seek ‘adequacy decisions’ from the EU under both the General Data Protection Regulation and the Law Enforcement Directive before the end of the transition period. These are separate from the wider future relationship and do not form part of trade agreements. This will allow the continued free flow of personal data from the EEA States to the UK, including for law enforcement purposes. The European Commission has recognised a number of third countries globally as providing adequate levels of data protection.
On a transitional basis, the UK has allowed for the continued free flow of personal data from the UK to the EU. The UK will conduct assessments of the EEA States and other countries under an independent international transfer regime.
The UK will also seek appropriate arrangements to allow continued cooperation between the UK Information Commissioner’s Office and EU Member State data protection authorities, and a clear, transparent framework to facilitate dialogue on data protection issues in the future.

As of January 2020, the ICO has a dedicated page containing guidance and resources for organisations to use during the Brexit transition period. It must be remembered that an adequacy agreement is largely out of their hands. That said, growing concerns over their lack of enforcement on major privacy issues such as real-time bidding could contribute to the bizarre situation where the privacy regulator becomes an obstacle to adequacy.

The EU Data Protection Supervisor has also published a detailed opinion on the data adequacy negotiations, which I would not advise reading unless you are a data protection or legal professional. It does advise the UK to work on the assumption that an adequacy agreement will not be reached by the end of the transition period.

In March 2020, government published its explanatory framework for adequacy discussions, and this package is essential reading for anyone involved in these issues.

In June 2020, a Commission leak indicated that Boris’s bluster bombed and that the Commission is holding firm on convergence, not divergence.

In July 2020, the ICO published guidance on data protection at the end of the transition period.

DCMS followed suit in October with guidance on “using personal data at the end of the transition period”. It includes a paragraph called “what personal data is.” If you are working in the tech sector, two months away from the end of the transition period, and you do not know what constitutes personal data, please consider taking up another career in another field.

In September 2020, Euractiv’s Samuel Stolton reported that the Commission is concerned that the UK’s intention to diverge from DPA 2018 in the future may be an obstacle to adequacy. This is partially in response to the UK’s consultation on the forthcoming National Data Strategy, which “aims to take advantage of being an independent, sovereign nation to maximise those strengths domestically, and position ourselves internationally to influence the global approach to data sharing and use, including committing to the creation of an independent international data transfers capability.” In the data context, this can only mean divergence from DPA 2018. The Data Strategy also establishes the UK’s vision to be a third nation doing data in a third way, halfway between the free-for-all American model and the regulatory European model. But there are two fatal flaws in government’s thinking here:
a) precisely no UK digital business, agency, or startup is interested in embarking upon a vast regulatory experiment, for the sake of doing an experiment, in the middle of a pandemic and the imminent collapse of the US and its tech sector;
b) at the moment, the UK is indeed a global influencer, but not in any box it would wish to tick.

It is also worth noting that the UK’s upcoming Digital Strategy will establish data protection adequacy as one of its policy goals. Government cannot have its cake with one strategy and eat it with another.

Additionally, in a move specifically calculated to make tech policy people scream into a pillow, the European Union Committee of the Lords published a report in October expressing their “[alarm] about the lack of an EU decision on the data adequacy of the UK framework.” They said this knowing full well that it is political bluster. For the 800th time, the EU’s evaluation of the UK’s adequacy cannot begin until after the UK is a third country. That means 1 January. You cannot evaluate a third country which is not a third country yet. Any committee, regulator, or politico demanding that the EU issue an adequacy decision before then literally does not know what they are talking about. Or they do, and they just don’t care.

There’s also the small matter of the CJEU court ruling on 5 October that the UK’s mass surveillance programmes must comply with EU privacy law, even in a national security context. That alone will be a deal-breaker in any adequacy decision.

Last but not least, another domestic obstacle to an adequacy agreement is the near-total absence of the data protection regulator, the Information Commissioner’s Office, from its statutory remits for its existing obligations, much less the changing data protection landscape mid-pandemic and post-Schrems II. Throughout 2020, it has fallen to private activist groups enacting private litigation, such as NOYB and Foxglove, to carry out the law enforcement activities which are literally the ICO’s job to do. The ICO, for its own part, has repositioned itself as a child protection think tank, and one which prefers to phone it in from Canada. There is not a single data protection, privacy, or legal professional I know who has any confidence in the ICO whatsoever to safeguard domestic data rights much less international ones. The ICO’s track record will form a major part of the EC’s adequacy evaluation, and in this context, the EC would be mad to grant it.

GDPR and data protection in general

  • In October 2016 the UK government confirmed that the UK will implement GDPR. The UK Information Commissioner subsequently set out how the ICO would support implementation over the next two years.
  • In December 2016 the Commons held a surprisingly rich debate on GDPR post-Brexit.
  • In March 2017 the EU Committee of the House of Lords drew attention to post-Brexit GDPR and data flow issues. The European Scrutiny Committee of the House of Commons also reviewed the issue, and provided yet more background analysis.
  • In spring 2017 UK Gov ran a consultation on the UK’s GDPR implementation, including derogations. The 2017 Queen’s Speech announced the Data Protection Bill, the legislation intended to act as the bridge between GDPR and any post-European data protection regime.
  • In August 2017 UK Gov launched a publicity campaign about the Data Protection Bill, most of which blatantly claimed the changes the UK was receiving anyway under GDPR as the UK’s ideas, and indeed, the work itself as Matt Hancock’s.
  • On 18 August the House of Lords warned of the dangers of hindering data flows after Brexit.
  • On 27 July the House of Commons research service published a useful basic briefing on data protection after Brexit.
  • On 24 August the Department for Exiting the EU released a remarkably flawed white paper on data flow adequacy after Brexit.
  • The European Commission’s advisory note on data protection and Brexit, published in January 2018, reiterated the paperwork burdens ahead for businesses trading with Europe.
  • In her Mansion House speech of 1 March 2018, Theresa May declared:
    Fourth, we will need an arrangement for data protection. I made this point in Munich in relation to our security relationship. But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing the UK’s strong trading and economic links with the EU. That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.
    This revealed several worrying things: first, the audacity of claiming the UK’s “exceptionally high standards of data protection” as a domestic achievement when they are in fact European; second, the desire to secure “more than just an adequacy agreement”, a tacit admission that her government knows that there is no way the UK will be granted adequacy based on its own domestic surveillance legislation; third, the desire for an ongoing role for ICO, a suggestion which is impossible under current EDPB rules; and a discussion of the “one stop shop” mechanism as a non sequitur. In other words, this was the opposite of clarity and assurance.
  • Ahead of its second reading, the House of Commons Library published an excellent summary of progress on the Bill up until March 2018.
  • The Data Protection Act 2018 received royal assent on 23 May 2018.

And so we come to what happens now.

In the event of a “No Deal” Brexit

In September 2018 DCMS published its guidance on what would happen to data protection in the event of a “no deal” Brexit. With the arrogance the sector has come to expect from Government, the report boasted that “[i]n recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”

In other words, “we’re alright, Jack.” That’s not the problem.

Information travelling in the other direction – from the EU to the UK – would become the responsibility of every recipient to create a legal structure to hold in lieu of what we took for granted under the single market. The guidance suggests that until an adequacy agreement is hammered out (assuming it ever is), organisations should look at standard contractual clauses, derogations, or the other commercial mechanisms normally associated with larger businesses and fully staffed legal departments. Writing in the Irish Independent, Maria Farrell advises that it costs a UK company about £10,000 to apply its own EU-acceptable contract clauses.

It goes without saying that this would destroy the ability of small UK digital businesses to work with anyone but other British businesses and to serve anyone but British customers – which would certainly suit some Brexiters down to the ground.

On 13 December two further pieces of advisory information were published on data protection in the event of a “no deal” Brexit. The first, published by DCMS from the policy perspective, listed the seven elements at stake, being the need to:

  • Preserve EU GDPR standards in domestic law
  • Transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue
  • Preserve the effect of existing EU adequacy decisions on a transitional basis
  • Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses
  • Recognise Binding Corporate Rules (BCRs) authorised before Exit day
  • Maintain the extraterritorial scope of the UK data protection framework
  • Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale

More information, so they said, was forthcoming; and that information turned out to be a meaningless press release in January 2019.

The second half of the “no deal” information came from the ICO from the commercial perspective and addresses the areas businesses will need to look at to continue trading as before. They include:

ICO followed that up with a much more user-friendly pdf of steps to take ahead of “no deal” in February 2019.

The last laugh here is on those who thought that voting to leave the European Union would decrease bureaucracy. You still have all of it, and more, just domestically.

Government has also published this advice for UK local authorities on accessing data from the EEA in the event of a no-deal Brexit. Summary: sorry, folks, you’re on your own.

In November 2018 Chris Pounder suggested steps which UK-based data controllers and processors should have taken by the end of the year to prepare for the impact of the likely no deal Brexit on their data flows.

For what it’s worth, an October 2018 research report by the Progressive Policy Institute estimates that the “data wall” which would be created in a “no deal” scenario would slow the development of new technologies in the EU by a year or more, handing the UK’s brittle tech advantage to the US and China.

In February 2019 The Times reported that “senior officials were recently shown documents that revealed dozens of government departments and public sector bodies were still holding personal data on British citizens on EU computer networks, mainly in Ireland. In the event of a no-deal Brexit it will be illegal under European law from March 30 for that data to be transferred to the UK, potentially crippling key government services. Of the 63 public bodies surveyed between October and December, 75 per cent admitted that they relied on data stored or processed in the EU. Of those, 58 per cent admitted that they had no plan to move the data back to UK servers by the end of March. Nearly half (43 per cent) said not having access to the data would have a ‘high or very high impact on public services’.” This is a reminder that government and public sector bodies will be hit just as hard by a no-deal Brexit as the private sector.

In February 2019 the European Data Protection Board published guidance from their side on data transfers in the event of a no-deal Brexit, as well as guidance for companies using BCRs in a no-deal Brexit where ICO is no longer the lead supervisory authority; and in January 2019 Fieldfisher’s always excellent privacy blog published a summary of the workarounds – both potential and impossible – to carry data protection law through a “no deal” scenario.

On the same day that the UK’s first tranche of “no deal” guidance was published in September, the European Court of Human Rights ruled that the UK’s mass data interception and retention programmes – including TEMPORA, a bulk data store of all internet traffic; KARMA POLICE, a catalogue including a web browsing profile for every visible user on the internet; and BLACK HOLE, a repository of over 1 trillion events including internet histories, email and instant messenger records, search engine queries and social media activity – were unlawful and incompatible with the conditions necessary for a democratic society.

This judgement, and the UK’s response to it, will absolutely contribute to the EU’s process of deciding whether it is worthy of a post-Brexit adequacy decision. And so we come to the issues around adequacy.

Data adequacy

In July 2018 the Exiting the EU Committee published a crucial report, The progress of the UK’s negotiations on EU withdrawal: Data, on the UK’s need to secure data adequacy agreements ahead of Brexit. The report made several recommendations based on the unrealistic chances of the UK securing both post-Brexit adequacy status as well as a seat at the proverbial table.

Despite the thoroughness of the report, the Chequers statement on Brexit, published just three days later, stated that “In keeping with our commitments to uphold international standards, the UK and the EU would also agree to maintain high regulatory standards for the environment, climate change, social and employment, and consumer protection”. It also proposed “regulatory flexibility where it matters most for the UK’s services‐based economy, and where the potential trading opportunities outside of the EU are the largest, recognising that the UK and the EU will not have current levels of access to each other’s markets…”

That statement did not mention aligned regulatory standards on data flows, and their importance to the tech and digital sectors, at all. That was not an accidental omission.

In June 2018 DExEU published a technical note (.pdf) on the benefits of a new data protection agreement, continuing their theme/belief/delusion that the UK can continue to be an equal partner at a table it has left. It even closes with the arrogant call to action on “Why the UK should be treated differently”.

In September 2018 Government published its response to the July report (above). As usual, it provided platitudes and talking points completely devoid of factual context.

In August 2018 the LIBE Committee of the European Parliament published a massive research report (.pdf, 132 pages) on options for a future data adequacy agreement. Among the points to note:

  • Whatever adequacy agreement results, it is not possible to assess whether it is adequate or not until the UK has left the EU. Anything before that is assessing a theory and not practice;
  • The UK is a good potential candidate for a relatively straightforward adequacy agreement, however, the UK’s participation in the Five Eyes surveillance system, and its openly racist stance on immigration matters (Windrush anyone?) may hinder that agreement;
  • a Privacy Shield-type model is not feasible for the scope and volume of data exchanges at play, and a general adequacy finding would be a better option;
  • Also unsuited to the task are BCRs, which are only an option for large and well-resourced companies;
  • As are industry codes of conduct in lieu of a legal arrangement, with the committee noting that 23 years of European data protection practice have yielded one industry code of conduct deemed adequate;
  • Regarding the ICO’s future participation, no member state is a contributor to the European data protection framework outside the EDPB and the jurisdiction of the CJEU;
  • Finally, the committee recommends an 18 month “standstill clause”, where data flows would carry on as before, in order for all parties to work towards an adequacy decision.

In November 2018, the draft withdrawal agreement included three pages on data protection and adequacy (pages 127-130 of this 585-page pdf) clarifying the integrity of data flows during the transition period.

Also in November 2018, the draft Political Declaration setting out the framework for the future relationship between the United Kingdom and the European Union stated that “the Union’s data protection rules provide for a framework allowing the European Commission to recognise a third country’s data protection standards as providing an adequate level of protection, thereby facilitating transfers of personal data to that third country. On the basis of this framework, the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met.”

If the applicable conditions are met: these six words are key.

Those applicable conditions hang on the following issues (list compiled by Chris Pounder):

  • The impact on the UK’s view of the role of Recitals in the GDPR
  • Exemptions in Schedule 2-4 (immigration, confidential references which impact on EU nationals in the UK)
  • Conditions in Schedule 1
  • The absence of the implementation of Article 23(2)
  • The impact on Codes of Practice produced by the Secretary of State under the Digital Economy Act 2017
  • The impact of the Framework for Data Processing by Government on ICO independence
  • The Investigatory Powers Act 2016 and bulk personal data collections

In short, there is no way that the UK, based on its current standing, would receive an adequacy agreement unless it draws itself closer into alignment with the European data protection framework from outside it than it currently stands inside it.

Other EU policies and issues related to data protection

Privacy Shield

Council of Europe convention

For those of you who truly want to fall down the adequacy rabbit hole, consider the ESC’s July 2018 review of the recent modernisation of the 1980 Council of Europe convention on the processing of personal data. Would becoming a party to the Convention after Brexit pave the way for an adequacy decision? The September 2018 ESC follow-up indicates that yes, it could.

Data sharing within EU bodies

In November 2017 the ESC looked at the future of data protection within European institutions, which was a headache-inducing reminder that nobody who advocated for Brexit prepared for these questions at all.

In February 2018 the committee returned to the proposal on data protection and the EU institutions, noting that “as third country citizens, UK citizens might have to submit a greater volume of data to the EU to travel and work in the EU when they no longer have the free movement rights of EU citizens. We should clarify therefore that we and our predecessors were not concerned, as the Minister assumes, about different data protection rules applying to the EU institutions depending on whether the data of third country or EU citizens was being processed.”

The ESC has cleared the proposal on a regulation on data protection rules applicable to EU bodies from further scrutiny.

Data flows with non-EU countries

In May 2018 the European Scrutiny Committee examined the EC’s proposal on exchanging data with non-EU countries, an issue which will take on a new urgency once the UK qualifies as the latter.

As such, the Committee recommended that the document be debated in the House of Commons. Ahead of that debate, which has yet to take place, the Committee asked

a) Regardless of press reports, have these horizontal clauses on data flows in trade agreements been discussed informally or formally in Coreper or the Council yet? If so, what is the view of the UK and other Member States? If not, what is the Commission’s intention in producing the clauses?

b) What does Article B achieve, legally-speaking, in terms of personal data flows? Does it provide for data exchange based on mutual trust and mutual recognition by the EU and the third country in question of each other’s data protection standards? If so, would the clause satisfy the UK’s aspirations for a future data-sharing arrangement based on mutual trust as set out in its Future Partnership Paper?

For further background on some of these specific data flow agreements, see Tech UK’s briefing.

In September 2018 the ESC did a masterful job of using the answers given by Government to its May questions to demand further clarity and specificity on the plans for data flows in general; these questions are worth reading.

In February 2019 the ESC’s scrutiny on trade deals and data flows between the EU and third countries turned into a proxy discussion about data flows in a no deal and deal scenario. Some poor staffer even made a 12 page table of Hansard discussions. Isn’t that lovely?

Data flows from the UK to Europe

In October 2020, Minister for Data John Whittingdale told the Commons that “we have legislated so that personal data for general processing can continue to flow freely, on a transitional basis, from the UK to the 30 EEA (European Economic Area) states and the EU Institutions after the end of the transition period.”

That’s not the problem, and it never was.

Because any UK data flowing back into the EU will continue to be treated to European standards as if it were European data.

The problem is the data going in the other direction.