After Brexit, the EU must decide if UK data protection is adequate

No. 3, 25 March 2019 Issue

Data protection is a core part of the European Union’s Digital Single Market strategy. In many ways, the General Data Protection Regulation (GDPR) represents the EU’s entire visionary future: a set of rules governing all Member States in a unified framework that facilitates ever closer operation.

For the United Kingdom (UK), however, it is Brexit rather than harmonised operation that draws ever closer. This brings one particular GDPR issue very much into the spotlight: on whatever basis and on whatever date the UK leaves the EU, an adequacy assessment will be required to maintain data flows. The European Commission will decide whether the UK provides equivalent data protection standards to GDPR and other EU legislation.

The adequacy assessment is going to be a key test of the UK’s data privacy standards and achieving adequacy will be far from straightforward. The UK has committed to maintaining GDPR standards post-Brexit but this is not the whole picture for data protection compliance, and when it comes to the protection of fundamental rights there are difficult questions to be addressed.

First, although the UK theoretically already has a robust data protection framework very much aligned with the EU, there are derogations within the GDPR national implementing law (the Data Protection Act 2018) that may place adequacy at risk. Second, adequacy will scrutinise problematic areas such as national security arrangements that the UK has previously avoided having to defend. Third, the European Commission is not the sole arbiter in this area, and there may be stark differences of opinion between EU institutions that end up analysing the UK data protection regime.

In terms of UK law, the most troubling derogation from GDPR is an exemption from data protection rights where these would “prejudice … effective immigration control”. This immigration exemption has been widely criticised and is currently being challenged in the UK courts. Some critics have already pointed to its potential implications for adequacy, and highlighted that the adequacy assessment could conclude that it threatens fundamental rights to such an extent that it fails to provide “essentially equivalent” standards.

The UK’s record on balancing national security against the right to privacy may also pose a problem for adequacy. The government has been castigated for its poor privacy protection by the European Courts in three significant cases in the past three decades, the most recent finding being late last year when the mass surveillance programmes of government agency GCHQ revealed by Edward Snowden were found to be unlawful. This, together with the government’s data-sharing arrangements between the so-called “Five Eyes”, may hold back an adequacy ruling from the European Commission until necessary changes are made.

The European Commission, however, is not the only voice in the adequacy assessment. Just ask the United States. In 2000, the Safe Harbor framework, a system of rules allowing large data controllers based in the US such as Amazon, Facebook, Google and Microsoft to self-certify as “adequate” was given the green light by the European Commission. This framework was swiftly challenged by privacy advocate Max Schrems in the European Court of Justice, and brought down on the basis that the framework did not in fact provide “essentially equivalent” standards of protection. The lesson the UK should take from this is that even if you smoothly achieve adequacy via the Commission, all it takes is a plucky law student from a Member State to start creating problems.

Data flows are an incredibly important part of the UK’s economy and security and the digital exchanges between the UK and the EU are mutually beneficial. But there’ll be no “free pass” for the UK from the Commission on adequacy. The UK will and should be subjected to the same high level of scrutiny as any third-party country. Failing to do so would set a bad precedent and might lock the process into perennial legal challenges.

Although rhetoric around Brexit has prominently touted the notion of “taking back control”, adequacy ties the UK to EU standards. The UK may constitutionally reject the vision of ever closer operation, but however Brexit pans out, the influence of the Union and its institutions and the standards set by GDPR are going to have to be recognised and responded to by the UK for years to come.


By Open Rights Group