A major international data flow problem just got resolved. But another row is already brewing
The EU has just green-lighted the free flow of personal data with the UK. But if the country now changes its data laws, it could bring an end to the agreement.
Personal data will continue to flow unimpeded from the EU to the UK, the bloc's member states have agreed in a unanimous decision that will relieve many businesses on both sides of the Channel of spending much time and money on complex legal paperwork.
All 27 member states voted in favor of granting the UK an adequacy decision – a special status that recognizes that the country's data laws do as good a job as the European GDPR at protecting personal information.
Countries that are granted adequacy gain the right to receive and process the personal data of EU citizens, which many organizations rely on to do business.
The UK's departure from the EU has meant that the country has ceased to be protected by the GDPR, and instead relies on domestic laws to manage citizens' personal data. Those laws had to be assessed by EU regulators to ensure that they meet the bloc's standards on data protection.
Without an adequacy decision, organizations would have had to design special contracts called Standard Contractual Clauses (SCCs), to ensure that they were lawfully processing the data of European citizens. Economists estimate that the total cost of implementing those new contracts to keep data flowing legally could amount to £1.6 billion ($2.14 billion), with smaller firms hit the hardest.
Achieving adequacy, therefore, was a key part of Brexit negotiations. Earlier this year, the European Commission published a draft document outlining the details of an adequacy decision for the UK, which determined that UK laws do indeed provide a level of data protection that is equivalent to the GDPR.
The decision was approved by the European Data Protection Board (EDPB) in April and has now been green-lighted by member states, meaning that adequacy is on course to be implemented. Unsurprisingly, organisations and businesses across the EU and the UK have welcomed the announcement.
"A positive decision on data adequacy is a huge relief for thousands of businesses across the UK – over half of businesses surveyed by the DMA just before Brexit stated this was important for the future of their business," says Chris Combemale, the CEO of the Data and Marketing Association (DMA). "The government estimated that without adequacy the UK economy could lose up to £85 billion, so this announcement is a significant boost after a challenging year."
The volume of personal data that is exchanged between the UK and the EU is significant and spans virtually all industries – think legal and financial services, but also e-commerce, human resources, and even healthcare.
The Federation of European Academies of Medicine (FEAM), for example, stressed that the delivery of cross-border health and social care for thousands of European citizens relies on data flowing without restrictions with the UK. Health data transfers are also key to advance scientific research.
"With this (adequacy) decision, the EU and the UK can continue to benefit from the continued secure flow of personal data to facilitate the development of new treatments and to improve patient safety and care across Europe," said FEAM in a statement.
While adequacy has been granted to the UK for the time being, however, the decision only applies to UK data law as it is written now. Also known as the "UK GDPR", the country's domestic rules are currently modelled on European law and as such, provide a high level of data protection for citizens. But if that were to change, the EU has made clear that it could re-evaluate the decision and withdraw the agreement.
The issue might become a point of contention. Over the past few months, the UK has repeatedly sent signals that it aims to seize the Brexit opportunity to diverge from the standards set by the bloc's GDPR in an effort to boost growth and innovation.
"Adequacy was received on the basis that the UK would not diverge and not change the level of protection," Estelle Massé, senior policy analyst and data protection lead at digital rights organisation Access Now, tells ZDNet. "If the UK government were to follow through with this, then the whole legal system on which the EU has based its adequacy determination will no longer be in place and will need to be re-evaluated."
Just days before the EU member states voted in favor of adequacy, a government taskforce submitted a report to the UK prime minister with recommendations to reform the country's regulatory landscape – including some changes to the UK GDPR.
Describing the GDPR as "out of date", the taskforce called for the government to leverage its "newfound regulatory freedom" to replace GDPR with a new UK-made framework for data protection.
According to the report, GDPR compliance can cost businesses up to 30 working days-worth of time a year, and as such constitutes a significant barrier to innovation and growth. To create a more business-friendly environment, said the taskforce, the UK should implement data laws that are more proportionate, and place lower compliance burdens on smaller organisations.
In particular, the report's authors called for the removal of a GDPR provision that lets citizens refuse to be subjected to a decision based solely on an automated decision-making system – which means that organisations must always have an alternative, human-based process in place to use as an alternative.
Instead, the taskforce suggested that automated decisions should be subjected to a test determining whether they are in the public's interest, and whether they meet critical fairness and transparency criteria.
The authors also pointed to the GDPR's restrictions on using data for any purposes other than those for which it was collected, and argued that this means that organisations cannot experiment with data to understand its potential value in new applications.
The report's recommendations are yet another red flag for some in the EU. "If this is removed, it could potentially mean that the UK wants to be able to develop the use of automated decision-making systems in the public and private sectors in a way that people couldn't say no," says Massé.
"The UK is completely free to take that path is they find it is more beneficial for them. But there will be consequences: if the UK chooses to diverge a lot from the EU, then it will lose its adequacy, and all the industries that rely on exchanging data between the EU and the UK will be in trouble."
The next few months are likely to reveal how far the UK wishes to go in transforming the country's domestic rules on data protection – and crucially, how much leeway the EU will be willing to give. On both sides, says Massé, the outcome of the strategy is still unclear.
"It's really quite incomprehensible to work so much to secure this adequacy and when just about to get it, to also give indication to the EU that it may change," she says. "It's a really hard diplomacy game – almost as if the UK is testing the limits of the EU."