Data adequacy is granted when the European Commission feels that a territory that is not part of the EU has data protection laws and practices that are aligned to the EU’s high standards. Currently ten countries have been granted the status, including Israel and New Zealand. The USA and Canada have only been deemed to be partially adequate, and the data sharing with the USA is governed by the 2016 Privacy Shield agreement.
The British government has been warned that it faces a ‘cliff edge’ on data exchange with the EU after March 2019, when it officially withdraw from the European Union. Whilst the UK has committed to complying with the EU’s upcoming General Data Protection Regulation (GDPR), this is no guarantee that it will gain adequacy status upon exit.
The government has issued its own paper on plans for a data sharing agreement with the EU, stating that because it already complies with EU data protection laws, being part of the EU currently, it is started from an “unprecedented position” and that “the future deep and special partnership between the UK and the EU could productively build on the existing adequacy model”.
Deputy director-general of influential business group CBI, Josh Hardie, will underline the importance of a rapid agreement during his keynote speech at the CBI’s National Cyber Security Conference today in London. He will say:
Data is the currency of our modern economy. So it’s great to see British businesses across all sectors putting data at the heart of their work.
The UK Government has taken the right steps by introducing the new Data Protection Bill and committing to the EU General Data Protection Regulation (GDPR).
But in the long-term, we need an ‘adequacy decision’ with the EU, where the UK can prove our data laws and business environment meet EU standards.
Adequacy is the gold standard for data flows and is proof that a country has a business environment that really protects data. But unless the Brexit negotiations find another way, getting such a deal would mean first becoming a ‘third country’. In other words, we’d need to leave the EU before that process could even begin.
The last major data deal between the EU and a third country was with New Zealand and that took four years. We don’t have four years. We can’t afford to wait for that deal to be made because businesses are facing decisions today.
The UK’s proposal
The government’s Brexit data policy paper outlines how the UK is a significant player in global data flows. It estimates that around 43 per cent of all large EU digital companies are started in the UK, and that 75 per cent of the UK’s cross-border data flows are with EU countries.
It adds that the UK accounted for 11.5 per cent of global cross-border data flows in 2015, compared with 3.9 per cent of global GDP and 0.9 per cent of global population. As a result, the paper states, “any disruption in cross-border data flows would therefore be economically costly to both the UK and the EU”.
The British government has outlined three things that it is hoping to achieve, when pushing for a data sharing arrangement with the EU:
- The UK’s data protection law fully implements the EU framework, and this will remain the case at the point of our exit from the EU. On this basis, the Government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force.
- Early certainty around how current provisions could be extended, alongside an agreed negotiating timeline for longer-term arrangements, should assuage business concerns on both sides and should be possible given the current alignment of both data protection frameworks, it argues.
- As well as ensuring that data flows between the UK and the EU can continue freely, the UK also wants to make sure that flows of data between the UK and third countries (such as the USA) with existing EU adequacy decisions can continue on the same basis after the UK’s withdrawal, given such transfers could conceivably include EU data.
However, as diginomica has previously outlined, potential problems in securing adequacy status could lie ahead. For example, the ECJ recently ruled that the UK’s Investigatory Powers Act is illegal on the grounds of providing insufficient data protection - if the UK enforces this act after Brexit, the European Commission is less likely to offer the UK the adequacy status it so desperately needs.
Commenting on the need for a transition deal post-Brexit and then a quick decision on adequacy, CBI director general Josh Hardie will say:
Without a firm legal basis for data processing, we risk leaving business leaders scratching their heads, facing fines on one hand and extra costs to comply on the other. Trying hard to plan beyond Brexit but not knowing what to expect.
Without this vital bridge, firms risk being left with no legal certainty when transferring and processing data. We can’t let that happen. Because the people this will impact the hardest are the people running small and medium-sized firms, who are already finding the transition tough.
This isn’t just an academic argument. It really will affect jobs, growth and prosperity across the UK. But if we can get the right transition deal in place, we can protect our data-driven businesses and the £240 billion they bring to our economy.
And more than that. We can give our digital businesses and their world-leading talent the chance to excel in the digital economy.
Business stands ready to do what it can to make that happen. Now we’re calling on the UK Government to do the same.
Time is running out. And as the CBI notes, the UK and its business community cannot afford to wait 4 years for adequacy status if a transitional deal is not in place. With Brexit negotiations bordering on shambolic, this needs to be a top priority for the UK government.