Privacy Shield and Brexit - another layer of complication adds to regulatory uncertainty

By Stuart Lauchlan, July 20, 2020
Summary:
Brexit adds another complication to the post-Privacy Shield world if you do business in the UK...

[Image: Boris Johnson and Donald Trump montage (author created montage via Pixabay images)]

In the wake of the collapse of the Privacy Shield data transfer mechanism, immediate attention focused on how this would impact firms in the European Union and the US. But there’s another aspect for many organizations to take into account and that’s what happens to Brexit Britain in all this.

During the current transition period of withdrawal from the EU, the UK remains subject to the regulatory requirements of membership of the bloc, including as it relates to data protection. But from January next year, that transition phase is over and will end either with a negotiated set of future terms or, as looks increasingly possible, with a so-called ‘no deal’ Brexit with the UK going it alone.

In either eventuality, the UK is going to need adequacy arrangements in place in order to keep personal data flowing across its borders, a critical part of any trade policy today. For international firms with a presence in the UK - and that clearly includes almost every major tech firm - there will need to be assurances that data will not end up siloed in-country.

A big problem here is that even before the Privacy Shield ruling, data adequacy was one of the long list of unresolved issues in the Brexit talks and one that was being used as a useful big stick by Brussels. Throw in the uncertainties now created by the Court of Justice of the European Union’s (CJEU) decision to invalidate Privacy Shield and life looks even more complicated.

Julian David, CEO of trade association techUK, sums up the situation thus:

During the transition period the UK is bound by this ruling and therefore UK companies which make use of the Privacy Shield Agreement will be affected. This ruling will also have significant implications for the UK as it seeks to develop its own framework of agreements to enable data flows with both the EU and the US. To a large extent these will now be dependent upon the outcome of further negotiations between the EU and the US as well as the substance of the UK EU adequacy assessment.

What happens now?

Once the UK becomes a ‘third country’, the impact on data flows from the UK to the EU essentially shouldn’t be noticeable as the UK has already determined that the EU has adequate data protection laws in place. But the EU hasn’t yet returned the compliment. That has serious implications in its own right, as diginomica noted back in February:

As the Information Commissioner’s Office (ICO) put it at a Westminster conference on GDPR last year, crashing out of the EU with no deal or no regulatory equivalence could mean enterprises, charities, and public sector organizations sending their data to the EU, but not getting it back. 

The UK currently embraces GDPR, but Prime Minister Boris Johnson told British legislators that post-Brexit, data protection will be among a range of “separate and independent policies”, none of which may be subject to the CJEU:

The Government will work hard to achieve a balanced agreement that is in the interests of both sides, reflecting the wide range of shared interests. Any agreement must respect the sovereignty of both parties and the autonomy of our legal orders. It cannot therefore include any regulatory alignment, any jurisdiction for the CJEU over the UK’s laws, or any supranational control in any area, including the UK’s borders and immigration policy.

This points to a suite of agreements of which the main elements would be a comprehensive free trade agreement covering substantially all trade, an agreement on fisheries, and an agreement to cooperate in the area of internal security, together with a number of more technical agreements covering areas such as aviation or civil nuclear cooperation. These should all have governance and dispute settlement arrangements appropriate to a relationship of sovereign equals…The UK will in future develop separate and independent policies in areas such as (but not limited to) the points-based immigration system, competition and subsidy policy, the environment, social policy, procurement, and data protection, maintaining high standards as we do so.

That can be read by Brexit supporters as a starting point for negotiation of course, but if that’s the case then events may have overtaken intent. It's also a marked shift from the position taken by Johnson’s predecessor Theresa May, who had committed to maintaining GDPR in post-Brexit UK law.

With so many issues, such as fishing rights and so-called level playing fields on state funding, still unresolved, it’s in the interests of the EU to be equivocal about the UK and data adequacy. Late last month, as part of the European Commission’s first annual review of GDPR’s progress, Věra Jourová, Vice-President for Values and Transparency, would only say:

I cannot predict now whether it will be so easy and without any further negotiations needed for the possible adequacy decision because we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the General Data Protection Regulation. If the systems are equal or essentially equivalent, of course, the adequacy decision can be taken, but for the UK it is too early to say because there will be a number of talks about this issue.

Can the UK be trusted?

One issue certain to come up in any talks will be the UK’s track record on mass surveillance. The CJEU’s Privacy Shield decision was based in large part on its assessment that EU data was not protected from the likes of the NSA under the existing arrangements.

In reaching a post-Privacy Shield accommodation with the EU, Britain’s own surveillance regime and practices will come under scrutiny and the UK has reason to be nervous in this regard. Back in 2018, the European Court of Human Rights (ECHR) ruled that the UK’s "bulk interception regime" violated the right to privacy and freedom of expression, citing "insufficient oversight" over what data UK agencies were collecting.

In a briefing note to clients, lawyers at London law firm Linklaters note:

The UK surveillance regime is markedly different to that in the US. For example, the UK regime, as set out in the Investigatory Powers Act 2016, contains numerous checks and balances. It has already been reviewed by the European courts and a number of amendments have been made to bring it into line with European law. In addition, the UK regime does not have the same distinction between UK and foreign nationals made under US law. However, the judgment will undoubtedly make the EU Commission more cautious about finding the UK adequate given the risk that decision could also be challenged in the CJEU.

Certainly there’s a mood in some parts of the EU not to take anything for granted here and to tie any data adequacy agreement to wider conditions. Back in February, Dutch MEP Sophie in ’t Veld raised concerns in the European Parliament, cautioning EU negotiators not to rush into an adequacy pact with the UK:

We have heard tough language on assuring a level playing field and not lowering our European standards, for example when it comes to food safety or environmental standards, but I do hope that the negotiating team will be just as tough when it comes to data protection standards. I am quite worried to see the eagerness of the European Commission to issue a so-called adequacy decision when it is far from clear that the UK government can be trusted with our data. I refer to recent scandals like the gross abuse of the UK access to the Schengen database.

In addition to discussion of our future relationship, let’s not forget the implementation of what has been agreed so far and in particular citizens' rights. I strongly urge the Commission to make sure that the rights of 3.5 million EU citizens in the UK and a million and a half British citizens in the EU will be secured, not just on paper, but also in practice.

And then there’s Trump…

Then of course there will be the need for a data transfer arrangement to be set up between the UK and the US. A possible option might be found in the words of US Secretary of Commerce Wilbur Ross following the CJEU’s Privacy Shield ruling:

The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.

Offering the UK a ‘business as usual’ deal using essentially an avatar of Privacy Shield might be an easy approach and have the political point-scoring appeal of doing a deal with the EU’s dissident breakaway on terms set up by the EU itself.

If the UK did choose to ignore the CJEU’s concerns about the safety of sending personal data to America, that would be another nail in the coffin of a deal with the EU. But if the US makes a data pact a condition of a trade package with Brexit Britain, up there with chlorinated chicken and hormone-stuffed steaks, which way will the deal-hungry British lean? And what would that mean for the privacy rights of its own citizens?

As with just about everything to do with Brexit, the ultimate outcome is unclear - and that’s just going to lead to more uncertainty for businesses based in the UK or with a significant footprint there. As for UK government ambitions to lure US tech firms and their inward investment money, removing ambiguity about the data regime under which they’ll operate needs to be a top priority, one way or another.

My take

There’s no situation that Brexit can’t make more complicated…