While the question of whether the UK gets a post-Brexit data adequacy deal with the European Union (EU) remains up in the air as of today (Monday 7th December), there are other aspects of the debate around future data arrangements and regimes that are posing some challenging questions.
One of the most uncomfortable of these might well be around the impact of GDPR (General Data Protection Regulation) as a problematic factor. That’s hugely counter-intuitive as the party line around GDPR is that it’s an EU regulatory success story that has set a high bar around personal data rights that other countries, most notably the US, cannot match, despite high-profile calls for a national GDPR avatar to be put in place.
But maybe GDPR is also a sticking point in the Brexit negotiations. The big question is whose problem is this, suggests Anthony Walker, Deputy CEO at trade association techUK, speaking at an Institute for Government-chaired debate:
I think that the EU is facing a really significant challenge that, if it can't find a way through to find legal mechanisms that are sustainable and durable for international data transfers, then what's the alternative? The alternative is to go back down the route of more current data localization. From the view of trading ethos, for years the EU has been arguing precisely against localization. So if the EU wants to export its regulatory approach towards data protection and it also wants to support global digital trade in which it could be a significant participant and winner in many ways, then it needs to find a way forward.
This is where GDPR presents some real problems for the EU because it appears to set some standards, particularly in relation to the impact of national security legislation, that its own member states don't have to meet. So you have to ask yourself the question, ‘Why is it that the UK can be adequately and fully a safe place to transfer data on the 31st December, but it's not on the 1st of January? What is substantially changeable?’.
What's changed is that, suddenly, the impact of UK security legislation becomes relevant when it wasn't relevant before. That's kind of fundamental. The US election result is going to be quite crucial here, because I think the EU will be looking for a much more positive and constructive dialogue with the Biden administration about how they can fix the challenges of Privacy Shield [the former transatlantic data transfer framework that collapsed earlier this year] to make sure that it is adequate as a mechanism.
It may also be that while attention (and blame) has been focused on the UK’s regulations around surveillance and suspicion thereof by EU authorities, that’s not the real problem, he adds:
In terms of the UK EU relationship, from day one the UK has been fully cognizant of the implications of its own security legislation and the Regulation of Investigative Powers Act and the need to be able to talk through those issues with the EU. So it looked hard at the work that had been done in the US under the Obama years in terms of how they negotiated and they did a lot of work in making sure that the UK security services were engaged in the debate about how to secure adequacy. So in terms of some of that detail, there are ways in which you can address those issues. I'm sure that the UK and the EU have been very focused on that. I'm not sure that the Investigatory Powers Act necessarily has been a big blocker. I think the bigger issue is, does GDPR really enable a global framework for international data flows?
Jenny Tennyson, Vice President and Chief Strategy advisor at the Open Data Institute, which works with companies and governments to build an open and trustworthy data ecosystem, also sees GDPR-related factors in play:
There's obviously some concern on the part of government around whether GDPR has placed too much burden on, in particular, small businesses. At least one narrative is saying that we need to relax some of GDPR in order to make things easier for those small businesses. Indications that they might even consider that is one of the reasons why we're having these issues around getting an adequacy decision [from the EU], because the direction that the UK takes its data protection laws is a big indication about what that might look like in the future. The EU doesn't want to grant data adequacy only for us to change our regime a little down the line and it needs to withdraw it again.
So do we need to re-think policy around personal data protections? Tennyson argues:
There are some strong opportunities, in particular around framing the way that we think about data protection, not in the kind of narrow way that we have been, that GDPR does around individual data rights, but much more broadly. There's a larger kind of good data governance for the good of everyone. What we've been seeing recently in data governance conversations at international level is a real recognition that new types of data processing - Big Data, AI, machine learning - all these things lead to population level effects, not just individual level effects. So the population level effects that we have [are] things like biases that come out where our automated processes are affecting particular sub-groups. Often the most disadvantaged subgroups in society need to be addressed through a broader kind of data governance regime than the one that we have that is focused on individuals.
The Schrems factor
For his part, Jay Scott Marcus, Senior Fellow at Bruegel, an independent European think tank which aims to improve the quality of economic policy, picks up on another aspect of the debate in the form of the outcome of the Schrems II ruling against Facebook in the European Court of Justice this year, the trigger for bringing down Privacy Shield:
This decision, I think, is very widely misunderstood. It was not about commercial privacy at all. It was entirely about excessive US government surveillance for purposes of national security. So the fact that the UK has very good conformance with GDPR says really nothing about the adequacy decision. What Schrems II says is that companies have to worry about this, national data protection authorities have to worry about this and the Commission has to worry about this when they grant adequacy decisions.
A follow-on issue here is how individuals can get redress in court actions if they feel they have been surveilled excessively and their data privacy/protection rights have been breached, he adds:
For anybody to get redress is tough, but the GDPR says that it has to be there. The Schrems decision says it has to be there. I don't think they [the EU] can back away from that. So there are a lot of uncertainties. But there's also some rather large risks, because basically, if there's no adequacy decision, at least on a temporary basis, it's not just about SCCs [Standard Contractual Clauses], it means substantial changes to business practice. It may mean encryption, it may mean moving affiliates offshore into the EU, it may mean very complicated and expensive things.
In all this, GDPR and its requirements aren't helping, he concludes:
I think GDPR is a somewhat rigid framework... I think there's a bit of an impasse here. There's not a mechanism there to take economic hardship or economic costs into account in making legal decisions... I genuinely do not think that the EU, the European institution, wants to see trade break down, I think quite the opposite. So there will be a constructive search for solutions, but the manoeuvring room is less than I would ideally like.
A bugger’s muddle and the clock is ticking down rapidly. At this point, there seem to be more problems than answers. If there is an 11th hour ‘in one bound they were free’ wider Brexit deal between the UK and the EU pulled dramatically out of a hat, then all this might be moot. The danger however is that both sides head into 2021 on bad terms, but with an issue hanging over them that has to be addressed in the pragmatic interests of everyone. Keep watching for that white smoke coming out of the Downing Street chimney…