For privacy advocates, a no-deal Brexit presents an alluring opportunity: the chance to protect EU citizen data from the worst excesses of Britain’s surveillance apparatus. If the UK crashes out of the EU in March, it will have to secure an adequacy deal to enable data to continue flowing legally between the two regions. Campaigners may take steps to block it from doing so.
Some fear that the Investigatory Powers Act – a far-reaching piece of legislation that enshrines in law the bulk interception of citizens’ data – could play into their hands. The law has faced criticism on the continent and was deemed illegal by the European Court of Justice after it came into effect in 2016. If the government is to secure an adequacy deal, it must prove to the European Commission that EU data stored within the UK is subjected to the same protections as it would be in Europe, and the IP Act could make that a hard sell for the UK.
As the Institute for Government noted in a report last year, the Five Eyes intelligence sharing alliance between the UK, the US, Australia, New Zealand and Canada could also cause problems. “The EU is unlikely to declare the UK adequate if there is a risk that personal data from the EEA could be passed on to countries which do not themselves offer an adequate level of protection,” it warned.
Concerns over privacy are not the only hurdle to the UK securing an adequacy deal. While businesses could put in place agreements enabling them to transfer data between the UK and EU, doing so would be time-consuming and expensive, especially for smaller businesses without the legal expertise required. This would make British suppliers less attractive than their European rivals, which some fear could incentivise the EU to snub the UK’s calls for an adequacy decision.
British politicians, however, appear unconcerned. In a press conference in London yesterday, Jeremy Wright – the digital and culture secretary – sought to reassure businesses. “We’ve been following the EU’s data rules for a number of years and we don’t intend to throw all of those overboard when we leave so our expectation of data adequacy decision is reasonably high,” he said. “But we still need businesses to prepare for the possibility that there may be a gap between the point at which we leave the EU and the point at which the adequacy decision is granted.”
How long that gap could be is hard to predict. “The government has been enthusiastic about the UK’s chances of securing an adequacy deal in the event of no-deal, but I don’t see that from my European colleagues and counterparts,” says the Data and Marketing Association’s public affairs chief Zach Thornton. It took Japan years to secure the adequacy deal it struck with the EU last month. So far, only a dozen or so countries have achieved the same feat. Even the US, one of the EU’s biggest trading partners, does not have a full adequacy deal. Instead, US businesses have to sign a register pledging to protect European data to EU standards.
The Information Commissioner’s Office published guidance last month advising businesses on how to navigate the potentially complicated legal landscape that lies before them. In a six-step guide, it advises businesses: “Review your data flows and identify where you receive data from the EEA, including from suppliers and processors. Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU.
“If you receive data from organisations in the EEA, the sender will need to comply with the transfer provisions of the EU regime. This means the sender needs to make sure there are adequate safeguards in place, or one of the exceptions listed in the GDPR applies.”
If Theresa May wins parliament’s backing for her withdrawal deal, it’s expected the UK will be automatically granted an adequacy deal. But with her party at war over what form Brexit should take, the chances of an orderly exit appear to be dwindling. As such, it’s essential that data transfers form a key part of any business’s no-deal plans.