Elizabeth Denham, the UK’s Information Commissioner, recently gave evidence to the House of Lords EU Home Affairs Sub-Committee. She recommended that the UK apply for a full “adequacy” rating from the European Commission as soon as Article 50 is triggered. Adequacy means that the European Commission is satisfied the non-EU country has adequate data protection measures.
In making this recommendation, Denham is also reflecting the needs of UK industry – unhindered data-flows at the point of Brexit.
UK-EU data-flows in the context of Brexit were also very recently raised in Parliament. When asked, David Davis was clear “that a cliff edge for business or a threat to stability would be in neither side’s interests” and added that “we will be at a point of identity at the point of departure, and will undoubtedly have to agree some regime whereby we maintain equivalence – not identity, but equivalence”.
Note that Davis is not using the term “adequacy”, even if this is what the Information Commissioner and the UK technology industry is asking for. Government may well be keeping its powder dry for the Brexit negotiations, and may well assume that the many alternatives to adequacy will do if adequacy cannot be achieved (or is taken off the table entirely should Brexit negotiations sour).
A not so private shield
Recent developments in the US, such as the Rule 41 amendments and a recent Trump Executive Order that deprives non-US citizens of any privacy rights have shaken Europe’s confidence and trust in Privacy Shield, which is already the subject of legal challenge - as are the EU Model Clauses for data protection.
The alternatives are time consuming and costly to enact. For example, the European Commission has been working with industry for last 3 years to develop a Data Protection Code of Conduct for cloud providers. The code has yet to be adopted, and the compliance costs (funding the code’s governance and undergoing compliance checks) are expected to be very high.
None of the alternatives are SME friendly, and all of them could impede the ability of the UK digital economy to benefit from full access to the European market.
The path to achieving unhindered data-flows between the UK and EU is fraught.
The Investigatory Powers Bill is the elephant in the room. It has already been declared illegal by the European Court of Justice, and we need only look at the root cause of Europe’s mistrust of US companies that handle EU citizen data – unfettered mass surveillance, now anywhere in the world – to see the challenges that lie ahead.
The post-Brexit future is uncertain - none more so than for data-flows. Although the future is global, and data localism is ideologically unpalatable to many, the digital world has seen some seismic shifts over the last year. Peter Thiel, one of the few technology oligarchs that supported Trump’s during his pre-election campaign, recently told a stunned Silicon Valley that “the tide is going out on globalisation”.
Even the European Commission has been thwarted in its desire to remove unnecessary legal barriers to the free flow of data across Europe, and has gone back to the drawing board. David Davis may not want a cliff edge, but that may be exactly what the UK gets. UK companies and organisations will need to think long and hard about where they keep their data because, at least for now, local may be a more certain bet than global.