JOHN THYS/AFP via Getty Images
show image

Laurie Clarke


UK publishes framework for post-Brexit EU data adequacy agreement 

The UK government has published a number of documents championing the country’s scrupulous data protection standards, in order to convince the EU Commission to agree to a post-Brexit data adequacy agreement that will ensure the continued free flow of data between the two.

In his statement of 3 February 2020, Boris Johnson expressed the UK’s intention to secure an adequacy decision. One of the documents underlines the economic incentive for doing so: “EU personal data-enabled services exports to the UK were worth approximately £42bn (€47bn) in 2018, and exports from the UK to the EU were worth £85bn (€96bn).” 

Adequacy agreements between the EU and third countries cover data flows under GDPR for general and commercial purposes, and data flows under the Law Enforcement Directive for law enforcement purposes. To qualify, countries hoping to secure an agreement have to provide assurance to the European Commission that their data protection standards are ‘essentially equivalent’ to those of the European Union.

The UK’s key appeal for this ‘essential equivalence’ rests on the fact that two of its key pillars of data legislation were developed in tandem with the European Commission: “The key legislative elements of our framework at the end of the transition period will be the Data Protection Act 2018 (DPA 2018), and the ​UK GDPR,” the government writes. 

However, a potential sticking point remains in the newly published framework – that of British surveillance laws, which European courts have repeatedly ruled breach privacy rights. Right now, the UK’s Investigatory Powers Act (IPA) – also known as the “Snooper’s Charter” – is being challenged at the Court of Justice of the European Union over its mass-surveillance measures. 

Johannes Caspar, head of the data protection authority in Hamburg – who will advise the Commission on its decision – said the following to NS Tech in a statement: “I appreciate the general spirit of the future national data protection law in the UK. The text is clearly inspired by the GDPR and aims to hold up the core principles of our traditional EU data protection law. This is why the European Commission aims to adopt an adequacy decision for the UK’s data protection level by the end of this year. Nevertheless, a well-intentioned data protection law cannot come to full effect if sector specific law as well as the processing practices within the country do not completely share its spirit.”

He continued: “When assessing the adequacy level, the crucial point will be the UK’s surveillance activities and their participation in the “Five Eyes” network…If the UK continues its large-scaled surveillance practice, it is doubtful whether the Commission can adopt an adequacy decision. We had a similar discussion at the time when the UK was part of the EU. Many critical voices raised this issue to document a deep contradiction between the adequacy mechanism of the EU and the factual situation especially in the UK as the activities of the GCHQ were part of the revelations of Edward Snowden.”

Whilst the UK was in the EU, this wasn’t as much of a problem, because EU member states are free to concoct independent national security policies. But the same policies can suddenly present an issue for countries outside the EU.

The recently published UK government framework shows no sign of making amendments to the problematic legislation. It reads: “The UK’s data protection legislation provides unprecedented independent oversight of the activities and conduct of the UK’s law enforcement framework, national security framework, and investigatory powers.”

And continues: “The processing of personal data by law enforcement agencies, as well as the security and intelligence agencies, is governed by Parts 3 and 4 respectively of the DPA 2018, while a comprehensive legislative framework applies to their use of investigative powers including the Investigatory Powers Act 2016.”

This could render the UK unable to secure an adequacy agreement. The US is also ineligible (for similar reasons), and instead adheres to the bespoke Privacy Shield solution – a version of which might look likely for the UK in the event it doesn’t qualify. 

Update: This piece has been updated to include comment from Johannes Caspar