Adam Bowering, Policy Adviser in the European Parliament, discusses the European Parliament’s objection to the UK being granted data adequacy and what this means for the future of data transfers in the long-term.
Almost two weeks ago, the European Parliament took the step of objecting to the European Commission’s decision to grant the UK data adequacy.
Far from being a reactionary move against a former member state, the Parliament’s resolution highlights flaws in the UK’s data protection regime, which will have serious consequences for citizens’ rights and could lead to legal uncertainty for businesses in future.
The European Parliament’s resolution will not block adequacy (that decision is for the European Commission in the next month), but it nevertheless sends a significant political signal, particularly in the wake of two major court cases last week, which have found the UK’s exemption of immigration from data protection laws to be unlawful and that UK mass surveillance laws violated privacy rights.
There was always the danger that UK adequacy could be used as a political football during the Brexit negotiations, but, while it is no longer a political pawn, the prospect that business and law enforcement may not be able to continue to benefit from the unimpeded flow of personal data from the EU to the UK has not gone away.
But we look the same on paper
Having largely implemented the EU data protection acquis, UK law is similar to that of the EU on paper, but there are discrepancies, and MEPs raise particular concerns with the application of the law in practice. One major issue is the fact that the UK’s implementation of the GDPR does not grant the same rights to those subject to an immigration procedure, a concern that was vindicated last week when the Court of Appeal ruled such exemptions to be unlawful.
The evaluation of UK adequacy is inextricably linked to that of the US, a fact which was brought into sharp relief by another landmark decision last week, this time from the European Court of Human Rights.
In a case that followed the Snowden revelations, which proved that US surveillance programmes had been conducted by GCHQ, the Court ruled in favour of Privacy International, finding that UK mass surveillance had violated privacy and freedom of expression rights.
All this comes at a time when the European Commission is also negotiating a new adequacy agreement with the US, following the invalidation of both prior agreements (Safe Harbor and Privacy Shield) by the Schrems I and II judgements.
In light of this, a second resolution adopted last week by MEPs on the Schrems II case urges the Commission to monitor the use of mass surveillance in the US and other third countries, including the UK, and not to adopt an adequacy decision with the US unless meaningful reforms to surveillance programmes are introduced.
While UK surveillance laws were reformed in 2016 to enable judicial oversight, the practice of bulk data collection and retention is still allowed. This mass surveillance, in addition to other factors such as onward transfers, the immigration exemption, and poor enforcement of the GDPR, could make it challenging for the UK to meet the conditions of adequacy defined in the Schrems I and Schrems II judgments.
Some of these issues were a concern even prior to Brexit. Now that the UK needs to undergo an adequacy assessment, however, these problems will affect not only citizens’ rights but legal certainty for businesses as well, with the price of failing to obtain an adequacy decision for UK business estimated at up to £1.6bn in compliance alone.
GDP-aaarRgh? It’s not EU, it’s all of us
As an EU member, the UK was regularly accused of poor enforcement of the GDPR, not least for failing to regulate the adtech industry’s high-velocity background trading of personal data.
It was far from being the only EU state called out for these practices, however. Three years after the application of the GDPR, EU Member States’ implementation of the Regulation was recently described as “nothing but hot air”, as Data Protection Authorities (DPAs) across the EU were found to be suffering from insufficient financial resources and staffing, leading to substantial discrepancies in enforcement.
Ireland in particular has often faced criticism for its poor record of dealing with complaints brought against tech giants with European headquarters in the country. This has not been overlooked by the EU, with the European Parliament’s Schrems II resolution calling on the Commission to launch infringement proceedings against the Irish Data Protection Commissioner for failing to reach a decision on a number of these cases.
But, despite its poor enforcement, EU data protection law has nevertheless established a framework within which there is potential to increase resources for DPAs and further harmonise the application of rules to prevent abuse.
As a third country, the UK meanwhile is of course free to pursue a different path.
The UK Minister for the Department of Digital, Culture, Media and Sport recently asserted that international data partnerships would be used as a “multibillion-pound opportunity” to boost trade with fast-growing third countries. The likely problem with such ambitions, however, is that the UK will run into similar difficulties to the US, jeopardising its free-flowing data agreements with the EU due to the potential undermining of GDPR protections.
Whatever the adequacy verdict of the European Commission, if the UK’s future departure from EU data protection law is not carried out with robust safeguards and enforcement, it is likely to only further increase uncertainty surrounding UK data transfers in the longer term.
While any potential legal challenges would certainly be a long way off, with the hindsight of Schrems I and II, it’s unsurprising that compliance experts are already advising businesses to have a back-up plan in case the UK’s adequacy aspirations go awry.
This article was first published on the Register and was reposted with permission.
Photo is by TheDigitalArtist on Pixabay.
Note: The views expressed in this post are those of the author, and not of the UCL European Institute, nor of UCL.