The UK is likely to be offered an adequacy agreement by the EU post-Brexit that will ensure continued international data-flow – but it could struggle to keep it, concludes a new study by University College London. Whether or not an agreement is granted is set to shine a light on the “hypocrisy” of EU data standards, according to policy and industry stakeholders interviewed for the report.
The UK government estimates that EU personal data-enabled services exports to the UK were worth approximately £42bn in 2018, and exports from the UK to the EU were worth £85bn. Upon leaving the EU, the UK is seeking an adequacy agreement with the bloc to ensure data can continue to be freely exchanged across borders. To qualify for one, however, the EU has to be satisfied that the UK adheres to the same data standards as the EU.
The UK has argued that it sufficiently mirrors the EU, given it relies on legislation – GDPR and the Data Protection Act 2018 – developed in tandem with the European Commission. One leading lawyer interviewed by the study, Eduardo Ustaran of Hogan Lovells, argued that to question the UK’s adequacy is “nonsensical – the UK is 97% there”, and another called UK adequacy a “no brainer”.
However, UK law enforcement and intelligence agencies’ reliance on mass surveillance practices – unveiled by the Snowden leaks – could be a major sticking point in negotiations, according to the report. It points to the likelihood that even if the UK does manage to secure an adequacy agreement, it’s expected to be challenged by a number of digital rights groups. Privacy International is currently involved in a European Court of Justice (CJEU) case about UK security and intelligence agencies acquisition and use of bulk communications data, for example. Oliver Patel, one of the authors of the reports and manager of the UCL European Institute, says “it’s logical to assume that one of those [cases] ends up in front of the court”.
“Even if the UK gets an adequacy agreement that could be the beginning of what could be a pretty fraught process,” says Patel. The report says that “virtually all lawyers, business leaders and policy makers” interviewed “agreed that invalidation of a UK adequacy agreement due to national security and surveillance legislation would be a strong possibility”.
An instructive example for how this could play out is the data relationship between the US and the EU. The US doesn’t qualify for an adequacy agreement, partly due to a lack of federal data privacy legislation and partly because of its state surveillance practices. The UCL report highlights that the Privacy Shield agreement that currently facilitates data flow between the US and EU is at risk.
In 2013, Austrian lawyer Max Schrems filed a complaint about the insecurity of Facebook data – which the Snowden files revealed was routinely passed from Facebook to the NSA. The case ended in the landmark October 2015 ‘Schrems’ judgement, where the CJEU invalidated the Safe Harbour decision (the data agreement predating the Privacy Shield), arguing that the European Commission hadn’t taken into account US national security laws and practices in its adequacy assessment.
In a new complaint, the outcome of which is due to be announced July 16, Schrems argues that the standard contractual clauses (SCCs) which Facebook uses to transfer data to the US should also be invalidated. SCCs are an alternative legal mechanism which companies use to transfer data from the EU, often used as alternative or backup to Privacy Shield, partly because of the latter’s legal instability.
Despite the updated Privacy Shield agreement currently in use between the US and the EU, the NSA or other US intelligence agencies can still conduct surveillance on EU citizens in a way which contravenes EU law. “Transferred data is not protected from state mass surveillance, irrespective of the legal transfer mechanism,” says the report. This puts the longevity of the arrangement at risk. “This report argues that because of issues with the US system, it’s highly plausible that both of them [SCCs and the Privacy Shield] will be invalidated at some point,” says Patel.
This could have calamitous consequences for commercial data exchange between the US and EU. Business leaders interviewed for the report argue that, “there is no Plan B without Privacy Shield or SCCs”. The report says “Various U.S. experts we interviewed predicted that the response from President Trump could be ugly and could even include sanctions or tariffs. One analyst said that there would be ‘an angry response from the administration”’ with another claiming that ‘Trump will be furious’.” “A lot of the US stakeholders are basically arguing […] ‘good luck getting Trump back to the negotiating table’,” says Patel. “This could just be it, if this is struck down.”
The report highlights the evidence that US technology firms are preparing for this eventuality. For several years, US firms have been investing heavily in European data centres, and Google announced plans to invest $3.3bn in European data centres in 2019. It’s hard to estimate the exact price of the economic disruption that could stem from this. However, the report also notes “the possibility that data transfers would merely continue – even without appropriate legal mechanisms – with firms opting to take the risk of GDPR enforcement action”.
The report highlights that data privacy stakeholders in the US, including government officials, lawyers and academic experts, believe the EU’s approach is hypocritical. This is because the EU does not have competence over member state national security, but assesses the national security legislation of third countries when undertaking data adequacy assessments. The UK is a case in point – what was acceptable when it was a member of the EU might now prevent it from obtaining an adequacy agreement.
In the report, Jim Halpert of DLA Piper argues that “EU member state concerns regarding US surveillance laws are somewhat hypocritical. Several major EU member states have similar surveillance laws to the U.S. For example, France is more of a wild west than is the US in terms of controls on government surveillance.”
On whether the UK can obtain an adequacy agreement, trade negotiations with the US could prove decisive. The US has said it will seek to ‘establish state-of-the-art rules to ensure that the UK does not impose measures that restrict cross-border data flows’. If the UK opts for unrestricted data flows with the US in a future trade agreement, this could seriously undermine its prospects for EU adequacy. Patel believes that on this front, “the UK will probably prioritise the adequacy decision”. Failure to secure one, however, could prove a boon to the US.