What will UK data protection look like post-Brexit?

Iain Bourne

Post-Brexit the UK could become an ‘inadequate third country’, which will have implications for data flows from the EU.

Many UK businesses are worried about supply chains post-Brexit - but have you considered how new rules may affect data collection, handling and storage? On leaving the EU, depending on whether there is a deal and what it contains, the UK could become an ‘inadequate third country’ and, if so, data flows to UK firms from their EU partner organisations may be affected.

In EU data protection, the theory goes like this...

The EU has the best data protection law in the world, meaning that wherever personal information is processed within the EU, it remains protected to the highest of standards and can be transferred from Timisoara to Manchester, or wherever, without restriction. Outside the EU, “here be data-dragons” – lawless interlopers who will gobble up EU data and use it for nasty, malicious purposes, undermining Europeans’ fundamental rights and freedoms, and precipitating information Armageddon. In classical EU data protection cartography, these dragons are believed to inhabit the treacherous waters far west across the Atlantic Ocean.

However, even if a country is not in the EU (okay, technically the EEA, plus Switzerland), all is not lost. EU data can still be transferred freely to a place that the European Commission (EC) has determined to be ‘adequate’. So far, Andorra, Argentina, private sector organisations in Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and Privacy Shield signatories in the USA are all ‘adequate’. South Korea should join the list soon but its northerly namesake may have to wait a while. What have all those countries got in common? Who knows!

The EC adequacy process is a rather opaque and political one. I spent a while working at ILITA – the Israeli data protection agency – when Israel was applying for adequacy. It achieved this despite, I understand, protests from the Irish. They were concerned about the apparent existence of Irish passports that had been issued through the Irish Passport Service but not by the Irish Passport Service. I also understand the Spanish government lobbied hard for Argentina and Uruguay to be deemed adequate due to their cultural links. The future political atmosphere between the EU and the UK could well be a strong influence on any future UK adequacy decision, and UK adequacy is by no means a given.

The point is that adequacy is not just about the adequacy of a country’s data protection law. It involves a much wider assessment of factors which, in the words of GDPR Article 45(2)(a), include:

“the rule of law, respect for human rights and fundamental freedoms, relevant legislation… including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred”. 

This means that even if the UK replicates the GDPR as far as is possible after it leaves the EU, and even if it follows European Data Protection Board guidance and Court of Justice of the EU judgments – issues fraught with political difficulty – the EC could still decide that the UK is ‘inadequate’.

Would it make any difference whether the UK achieves adequacy or not? Will there be a data famine? Even the most hardened defenders of EU data transfer rules must secretly concede that the system is anachronistic and does not fit into a networked world. (Regrettably the Russians and Chinese seem keen on constructing a similar system.)

Just after the Safe Harbor was struck down, I heard a representative of a German data protection agency saying that the wires under the Atlantic had to be cut. He made a snipping gesture with his fingers. Really. Despite the rhetoric, I suspect that the GDPR’s data transfer rules are largely misunderstood and ignored, and go unpoliced by EU data protection authorities. In my many years at the ICO I cannot remember the (old) Eighth data protection principle ever being enforced. Yet, the law says what it says and the free movement of data within the EU, and restriction on its transfer outside the EU, is a basic part of its system and will remain a key part of EU data protection law for the foreseeable future.

It is true that if the UK achieves adequacy, this would make data transfers from the EU to the UK easier and would minimise disruption for businesses in the UK and the EU – obviously that is good. However, we cannot count on achieving adequacy either at the point of leaving the EU or any time soon after that. Apparently the Australians spent over 10 years preparing for adequacy and then gave up right at the end of the process. It’s not clear why. This raises the question, though, of whether ‘adequacy’ really means that much. Australia is inadequate. New Zealand is adequate. Is it really more difficult for a business in London or Frankfurt to transfer personal information to New Zealand than to Australia? I suspect not and suggest that businesses generally approach this issue as one of governance and third party information sharing, rather than of compliance with international transfer rules.

So if the UK becomes an ‘inadequate third country’, what should UK businesses do to minimise the disruption of data flows to and from their partner organisations in the EU?

Losing adequacy will make no difference to UK to EU data flows and, post-EU, data flows from the UK to ‘inadequate’ countries will be easier (unless an inadequate UK decides to replicate EU adequacy rules, which would seem odd). UK businesses that receive personal information from organisations in the EU should concentrate on making sure that the necessary contractual and other governance measures are in place so that wherever personal information is located in a geographical sense it remains adequately protected. In GDPR terms that means one of the Article 46 transfer mechanisms, most commonly the Commission’s standard contractual clauses or, for intra-group transfers, binding corporate rules. This is primarily a matter for the data-exporting organisations in the EU, but clearly it is in the interests of data-importing organisations in the UK to work with their partner organisations to put the necessary governance in place.

Then, whatever happens in terms of UK adequacy and the big politics of Europe, there will be a good story to tell in terms of demonstrating to regulators that you have done what you can to make sure that personal information for which you or your partner organisations are legally responsible remains properly protected wherever it is located. That is probably the best you can do.

It will be interesting to see if regulators in the EU start policing the GDPR’s data transfer rules more rigorously than they have done so far under the GDPR, or than they did under the former Data Protection Directive. Some data protection authorities in the EU are set up to be much more like government departments than independent regulators. In some countries the head of the authority is a political appointment, something like a Minister of State. This means that some data protection authorities’ agendas are closely aligned with those of their national governments, and ultimately those of the EC itself.

Therefore there is a risk that if the EC wants to make things tough for a Brexited UK then this could be reflected in the regulatory agendas of some of the more EC-aligned data protection authorities. This could mean, for example, that data flows from EU financial institutions to UK ones could come under greater scrutiny and could even be prevented. I find that unlikely but it is certainly a risk, and one that UK data importers and their corresponding EU data exporters need to work together to mitigate.

To discuss data protection issues further, contact Iain Bourne.