Whilst the 2016 referendum campaign on the UK’s membership of the European Union featured intense debate on many issues, one topic that received little attention from politicians or voters was the question of data. Nevertheless, data protection and the free flow of data would become a key issue for Brexit negotiators on both sides.
The Impact of Brexit on Data Flows
Following the UK’s decision to leave the EU, worries about data began to mount for many industry figures, particularly when the threat of a potential no-deal Brexit loomed on the horizon. In the event that the UK had crashed out of the EU without a withdrawal agreement, it would have been likely that data transfers from the EU to the UK would have relied on a plethora of legal paperwork carried out by businesses themselves.
This would have raised costs for many types of business and been disastrous for British SMEs with neither the necessary resources nor expertise to tackle such Brexit-induced red tape. A report published by the New Economics Foundation estimated that extra data protection compliance requirements would likely cost British businesses a total of between £1 billion and £1.6 billion per year.
As it turned out, British businesses can rest easy because UK and EU negotiators did eventually hammer out an agreement at the last minute. Following the withdrawal agreement between the two sides, the free flow of data continued unchanged throughout the transition period, and this was further extended by six months at the end of 2020. This extension was due to expire at the end of June but had attracted much less attention that the ongoing UK-EU “sausage wars”. The uncertainty around data flows ended on 28th June when the European Commission announced that it had adopted an adequacy decision for the transfer of personal data from the EU to the UK.
Reaching Data Adequacy: A Sigh of Relief
This adoption of a data adequacy decision meets the requirements of both the Law Enforcement Directive and the General Data Protection Regulation (GDPR). The Law Enforcement Directive allows the processing and transfer of data for law enforcement purposes, further facilitating the cooperation between national police and judicial authorities as foreseen within the EU-UK Trade and Cooperation Agreement. More important for business, however, is the adequacy decision under the GDPR which covers all personal data processing outside of law enforcement matters.
In brief, a data adequacy decision is an acknowledgement by the European Commission that the level of data protection within a third country is at least equal to what is guaranteed under EU law, thereby allowing personal data to flow freely from the EU into the specified country. The Commission arrives at a decision following a supporting opinion from the European Data Protection Board and approval from Member States. Along with the UK, the EU has adopted adequacy decisions for 12 other countries: notably including Japan, Israel, and New Zealand.
Without this adequacy decision, UK businesses may have been left with the unenviable task of implementing costly additional legal safeguards or even having to decide that they cannot process data originating from the EU. These safeguards often take the form of contracts known as Standard Contractual Clauses (SCC) which are costly and require specific expertise. UK businesses would also have been at increased risk of GDPR fines for non-compliance.
The UK government was able to secure this decision as it has effectively rolled over the EU’s GDPR into its post-Brexit national legislation, creatively dubbing it the ‘UK GDPR’. The retention of the EU’s data protection regulation within UK law has undoubtedly facilitated the Commission’s decision to allow data flows to continue uninterrupted, reflecting the regulatory advantage of implementing existing EU legislation into British national law to avoid unnecessary disruption following the end of the transition period.
When Politics and Regulation Collide
However, this decision may irritate those politicians looking to decouple the UK from any regulation with a hint of European influence. Indeed, UK Culture Secretary Oliver Dowden has hinted that the government may at some point look to amend its existing data protection legislation as it could provide an “opportunity to boost trade”. He has argued that other countries, such as Uruguay, benefit from EU data adequacy without necessarily copying EU rules into their own national legislation.
Nevertheless, any such move by the British government to change its data protection rules may throw the recent data adequacy decision into jeopardy. The European Commission has been keen to note that it has the authority to withdraw its decision and will intervene if British standards falter. Furthermore, a “sunset clause” limits the adequacy decision to four years, meaning it is due to be reviewed in 2025.
The GDPR itself is often flaunted by EU officials as the ‘gold standard’ of data protection legislation. Since the Regulation was adopted in 2016, some third countries have looked to rewrite their own data protection rules in the hope simplifying the transfer of data from EU citizens, thereby extending the EU’s regulatory reach. The Japanese government added supplementary rules to its data protection legislation before gaining an EU data adequacy decision in 2019. As the UK looks to fulfill its potential as “Global Britain” through fresh trade deals, it may find that data protection norms in any major market have a decidedly European flavour.
British policymakers are therefore left with a fundamental dilemma. The rolling over of the GDPR into British law has kept industry figures happy and avoided a post-Brexit data disaster. However, it provides little political benefit for politicians looking to tout the wonders of the UK’s freedom from Brussels’ regulatory reach. Would any be willing to risk the free flow of data in the future in order to diverge from EU standards and be able to claim data sovereignty?
The Whitehouse Communications team are experts in providing public affairs advice and political analysis to a wide range of clients who seek to engage with policy makers in the EU institutions, but also with the member states of the European Union and beyond. For more information, please contact Viviana Spaghetti, at firstname.lastname@example.org.