Data Protection - adequacy and the Brexit dimension

Most countries are looking to stabilise their economies in the COVID era and (to use an over-familiar phrase) build back better in 2021. Cautious optimism about this is growing: a clutch of effective vaccines has been developed in record time. But one country is determined to inflict yet another economic shock upon itself in the depths of this global pandemic: the UK, which finally leaves the EU as 2021 dawns, after a year's transition period. 

While much debate has centred on unit-based trade, freedom of movement, immigration, and fears that Kent is set to become the world's lorry park, data and the digital world ought to have been much bigger concerns. As the UK's Information Commissioner's Office (ICO) has been warning since the referendum, No Deal on trade also means No Deal on data - in the absence of a data adequacy agreement. For a service economy, that's no minor concern.

With many UK organisations unaware that some or all of their data is almost certainly processed, stored, or hosted in EU data centres at least some of the time, or transferred to or from member states, the implications of no data adequacy could be catastrophic (see diginomica, passim). Blame Californian cloud marketers for convincing a generation of business leaders that their data is floating in the sky, rather than sitting in servers on land in low-cost industrial estates.

In theory, there's no reason why the UK shouldn't be granted a data adequacy agreement immediately, as it is the only country that starts from a position of equivalence with the EU, having implemented the latter's rules under the Data Protection Act (2018), et al. So the lack of concord to date suggests that data has become yet another political bargaining chip in the quest for a trade deal. All the ons and offs of the binary world seem increasingly reliant on the UK's on/off relationship with Brussels.

Mixed signals from Whitehall about regulatory divergence haven't helped matters, and neither has the fact that GDPR is seen by many organisations as a necessary irritant. Too often GDPR manifests itself as demands for consent to Ts & Cs that nobody reads, while its deeper value in areas such as accountability and privacy by design is often ignored. 

However, some countries are increasingly looking to GDPR in their own moves to rebalance the digital economy in the consumer's interest against the power of FAMGA (Facebook, Amazon, Microsoft, Google, and Apple). Rafi Azim-Khan is Head of IP/IT and Data Privacy for legal practice Pillsbury Law. He explains:

The UK is in a very interesting spot. There has been a global tsunami of GDPR-esque laws around the world, if you look at what's been happening in South Africa, the law in Brazil, the new proposals in Dubai, and even what's happening in the United States - not just with the CCPA, but also what's proposed in Washington State. We've gone from ‘What are they smoking in Europe?' to many countries now looking at the GDPR and, while not taking it wholesale, certainly being inspired by it. 

But I think it's equally important for businesses to understand that the UK may shift slightly. We may be in a situation where Europe, obviously, has restrictions on data transfers to third countries, and the UK will technically be a third country unless we get that adequacy agreement. 

And so we're in that interesting scenario of what's happening with transfers from Europe to the UK, but also from the UK to Europe. And, interestingly, all transfers from the UK out to the US, which may be out of step with the European model.

So the UK might find itself with a degree of flex in terms of how the ICO operates going forward and how the law is interpreted. That flex might be good or bad. It might be an opportunity, because it could be perceived that the UK is an easier jurisdiction to do business in from a data point of view, but it could also be a threat in terms of how the Europeans might perceive it.

In other words, the US might use the UK to circumvent EU restrictions - almost as a backdoor to Europe, in fact. But Brussels would not take kindly to that. In the medium term, the UK, which has long been a cultural and economic bridge between the US and the EU, might find it is a bridge that is burning at both ends.

MAGA by FAMGA?

As one part of FAMGA, Google likes to position itself as the consumer's friend via the many options for data privacy that are embedded in its products. But at the same time it has racked up an impressive number of antitrust actions against itself in the US (at federal and state level), Europe, and elsewhere. William Malcolm - a Brit - is Google's Legal Director, Privacy, and so must be a busy man. But he seems optimistic about the UK's future role:

The UK has the potential to be well placed in 2021 to continue to lead the world on the regulation of data. We see a strong UK ICO with the rulings that they've handed down, but they've also, it's important to say, invested in regulatory innovation through their own privacy sandbox initiative and through ensuring that they understand the technologies and can engage in dialogue with the public sector and with industry. 

It's challenging to figure out global rules, no one's saying it's not, but it's important we get it right to deliver on the promise that the internet has today and on the promise of important technologies like AI. From our standpoint, it's important that we promote responsible innovation and invest in strong programme standards internally, so that we can deliver on the promise of GDPR and other laws to create better technology and opportunities for individuals.

Promises, promises... but aside from these bland, politically neutral reassurances, what is happening in the real world of Brexit? Eleonor Duhs, Director of Technology, Outsourcing and Privacy at European law firm Fieldfisher, explains:

At the end of the transition period, EU law is saved into domestic law and any domestic law that implements EU obligations will also be saved. So those two elements together will form a new body of law in the UK called Retained EU Law. So what's going to happen in terms of the data protection landscape? GDPR, which is going to be saved at the end of the transition period into UK law and renamed the UK GDPR, will initially look very much like its EU counterpart. 

But there are some issues to think about here in terms of its interpretation. Case law, which interprets the GDPR, will also be saved into UK law, so that creates continuity. But I put a question mark here, because there are some regulations going through the House at the moment that would allow lower appeal courts to depart from past Court of Justice cases, where it's right to do so. 

That's the innovation that was brought about by the EU Withdrawal Agreement. So it could it be that the meaning of UK GDPR starts to move away quite quickly from the meaning of the EU GDPR, if I can call it that, at the end of the transition period.

In other words, GDPR itself may begin to fragment: into the UK version as it evolves, the EU original, and a fast-expanding grey area between them, which has roots in case law. All of this adds complexity. 

So what is happening in terms of the adequacy decision? 

The UK is currently negotiating an adequacy decision to allow data to continue to flow freely. The Guardian announced recently that a deal was close, but there's since been a pullback from that position. But this may just be the sound and fury of the final stages of the deal-making process.

This matters because the impact of no adequacy is really significant. There's been some recent research from UCL which puts the financial cost to UK firms of no adequacy as enormous. But there's also the context of security. If the EU and the UK are no longer able to collaborate in terms of data sharing for law enforcement purposes, for the prevention of serious criminal activity and terrorism, there will be a security implication in that. 

What also happens if we don't get adequacy - this hasn't been written about much - is that there is a provision in the Withdrawal Agreement which is essentially the EU's insurance policy on data that came from the EU to the UK during membership or during the transition period. That pool of data is to be protected in accordance with the GDPR. [...] If there is no adequacy, that is what the Withdrawal Agreement does, it provides protection for EU data, which is being processed in the UK.

But data moving the other way may not be protected in the same way. There are also strategic complications, she warns:

The UK appears, potentially - according to the National Data strategy - to be going in a slightly different direction to the EU, because we're seeing with EU standards and recent guidance some really onerous requirements on controllers and processors. That's potentially something that the UK wouldn't want to follow. 

So the question is, are companies going to be looking towards EU standards or UK standards? If you've got business in both, you may not be able to follow a more flexible UK regulatory framework, because it's just not cost-effective to have a different regime for your EU-facing business to your UK- and other world-facing business.

My take

Remember when Brexit promised an end to bureaucratic complexity? With the US being the UK's largest national trading partner, but the EU being easily its biggest partner as a bloc of 27 countries, that element of Brexit was always a pipe dream. 

Far from being an important bridge between two giant economies, the UK may be left increasingly isolated between them. Neither part of one nor the other... not ruling the waves, merely making them for its partners.