The UK and the European Union (EU) may have pulled a Brexit deal out of the hat at the eleventh hour, but the vexed question of a crucial data adequacy agreement has simply been kicked down the road a few months after no resolution was found.
In a PR-friendly festive miracle - and after weeks of being caught in the net of disputed fishing rights, climaxing in final days of brinkmanship when all involved agreed a deal was doomed - an agreement in principle on the EU-UK Trade and Cooperation Agreement (the “Trade Agreement”) was unwrapped on Christmas Eve and subsequently signed off by both parties shortly before the end of the year.
It’s a deal that inevitably fully satisfies no-one, but it is a deal and one that avoids the immediate negative consequences of ‘no deal’ in terms of trade. Bones of contention will undoubtedly emerge over the coming months, but for now two major matters remain to be tackled, firstly aspects of financial services and secondly with regard to data adequacy.
As diginomica has noted on many occasions, the lack of a data adequacy agreement to allow for the free flow of data between the UK and the EU would strike a major blow to the digital economy of both parties and beyond. From the UK’s perspective alone, 11.5% of global cross-border data flows go through the country, with three-quarters of that heading to and from the EU. This matters to both sides - and beyond. As Julian David, CEO of trade association techUK CEO, sums up the situation:
Data adequacy is so important, not just because of the economic costs of failing to reach an agreement, estimated to be around £1.6 billion to the UK economy, but because of the high level of integration between UK and EU tech companies, a partnership which [in 2020] has helped achieve a record $41 billion invested in UK and European companies.
When the UK was part of the EU, it was a signatory to data protection rules that covered all members states as well as European Economic Area (EEA) countries. But since 31 December, the UK has become a ‘third country’ and as such the automatic right to transfer data freely is no longer the case.
While the UK has committed to maintaining data protection standards that are on a par with those of the EU and is ready to accept data coming from Europe as before Brexit, Brussels has not, to date, reciprocated this position. Until the European Commission (EC) agrees that the UK’s data regulation regime is adequate and that decision in turn passes scrutiny by the European Data Protection Board (EDPB) and then the European Parliament, nothing is guaranteed.
That doesn’t mean that data now crashes to a halt at Dover or Calais or sits unloved in a Folkestone lorry park. As predicted last month, a transition period of six months has been agreed as a band aid for now, kicking the need for a final decision down the road until June. If an adequacy deal is not struck by then, companies in the UK which wish to transfer data to the EU would need to resort to alternative mechanisms, such as Standard Contractual Clauses.
So what are the sticking points to the UK being granted an adequacy agreement such as those already enjoyed by the likes of Argentina? On the face of it, there seems to be little to get in the way. The UK has stated it will continue to uphold GDPR (General Data Protection Regulation) and, as noted above, is already compliant with EU privacy and protection standards. The Trade Agreement already includes commitments by the UK and the EU not to enact measures that would restrict cross-border data flows between the two or impose data localization requirements.
What is problematic is EU suspicion of the UK’s current and possible future surveillance regulations and their impact on personal privacy. Brussel’s antipathy to the US security regime in this respect are well known and there are fears that a non-EU UK will adopt a similar tack, citing the country’s Regulation of Investigatory Powers (RIP) Act as a reason to be concerned about what might develop. A number of MEPs (Members of the European Parliament) have already been highly vocal - and highly critical of the UK - on this subject and it can be assumed this will continue during the transition period.
That said, politics aside, it’s clearly in the interests of both the UK and the EU not to have barriers in the way of data flows, particularly with the transatlantic Privacy Shield mechanism for safe data transfers with the US lying in pieces on the floor. Additional inhibitors to the global movement of data through the digital economy is the last thing that enterprises around the world need.
But while the negotiations between London and Brussels lumber on, what should organizations be doing to future-proof their business models? First up - don’t panic. The transition agreement is there for a reason and provides a grace period during which there’s no need to resort to SCCs, although the Information Commissioner's Office in the UK advises that businesses should work with EU and EEA organizations which transfer personal data to them to get to grips with alternative transfer mechanisms. For its part, the UK Government has published its own guidelines on what the requirements are for the moment.
There are signs in the Trade Agreement to suggest that both sides are not that far apart in coming to an understanding, most notably the creation of a digital trade chapter which already covers a ban on data localisation and prevents requests from one party to see source code from another as a pre-requisite to doing business. It is to be hoped that legislators and officials in London and Brussels remain aware of their responsibilities and what's at stake here - and that no new 'get tough' posturing on the part of the British Home Office and its increasingly bellicose Home Secretary get in the way.
From the UK’s perspective, the transition period does have one clear downside. While it ensures that data keeps moving to and from EU states for the time being, the terms of the current arrangement mean the UK cannot come up with an independent data transfer deal with the US at this point, unless such a deal gets the nod from Brussels. (Taking back sovereignty, huh?)
Such a nod, for now, looks highly unlikely, with no sign of a successor to Privacy Shield on the horizon. European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski warned shortly before Christmas that, six months after the framework was struck down by the Court of Justice of the EU, there’s no news of a replacement - and the arrival of a new US administration brings fresh complications to the process:
I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system, without a Privacy Shield-like solution, will last for a while….If you ask me what will be the attitude of the new administration towards the possible changes in American law on national security, that is first of all a question of our American friends and I don’t know if the Biden administration will take this topic as the most important.
Spoiler alert - it won't!