The great data protection gamble – could the UK’s post-Brexit stance mean the end of EU data adequacy?

The UK’s departure from the EU has not been a smooth journey. However, away from the protracted saga that was the conclusion of the EU-UK Trade Cooperation Agreement, there has been a singular apparent oasis of calm – data protection regulation. To date, UK and European businesses have been spared any disruption concerning the transfer of personal data. The UK government has retained the EU’s General Data Protection Regulation (GDPR) in law, meaning that such transfers can occur freely – at least for now.

The retention of this status quo regarding personal data transfers is rooted in the European Commission’s adequacy decision in July 2021, where it established that the UK’s regulatory framework was sufficient to guarantee privacy safeguards comparable to EU standards. This was hardly surprising given that the UK had only just left the EU, but it is worth noting that this decision is far from permanent and sits on very shaky foundations.

The current adequacy decision is expected to last until June 2025, after which it would need to be extended by the European Commission. However, this extension is no certainty and, particularly with the UK government signalling intent to relax its regulatory framework, it may only be a matter of time before EU-UK personal data transfers become significantly more difficult.

How the EU establishes adequacy

Before looking at why the UK’s adequacy is in jeopardy, it is worth establishing how the EU makes such decisions. The adoption of any adequacy decision involves a series of steps, including 1) a proposal from the European Commission; 2) an opinion from the European Data Protection Board; 3) an approval from EU members’ representatives; and finally, 4) the adoption of the decision by the European Commission.

Two observations immediately spring from this. Firstly, this is a very involved process with input needed from three distinct institutions. The result is that there is no guarantee that gaining adequacy is a swift process. In fact, the shortest timeframe for an adequacy decision to be made thus far is 18 months (in the case of Argentina) – meaning that if the UK was ever cast adrift, regaining adequacy would be far from immediate.

The second point to note is that the European Commission plays a pivotal role in this process. Article 45 of the GDPR outlines the elements that the Commission must take into account concerning awarding adequacy to a non-EU country, namely:

  1. the rule of law, respect for human rights and fundamental freedoms, and relevant legislation implemented by the country in question – including data protection rules, professional rules, and security measures, including rules for the onward transfer of personal data to another third country or international organisation;
  2. the existence and effective functioning of one or more independent supervisory authorities; and,
  3. any international commitments or legally binding conventions the third party being assessed for adequacy has entered into.

Clearly, this is a wide remit for considerations and goes significantly beyond a country seeking adequacy having a strong data protection regime – which goes a long way to explaining why the UK’s status is so under threat.

The potential consequences of the UK’s bullish data protection strategy

In March 2023, Michelle Donelan, the Secretary of State for Science, Innovation and Technology, re-introduced the Data Protection and Digital Information Bill in the UK Parliament. This bill is the centrepiece of the UK government’s new data protection strategy, which seeks to keep many of the fundamental aspects of the GDPR whilst being a “business-friendly” framework.

Key points introduced by the bill include:

  • Changes to consent requirements to facilitate scientific research;
  • Simplifying ‘legitimate interest’ as a basis for processing by introducing a list of “recognised legitimate interests”;
  • Increased fines for improper direct marketing;
  • Replacing the Data Protection Officer (DPO) with a Senior Responsible Individual (“SRI”);
  • Continuity regarding international transfers;
  • Relaxing rules on cookies to ‘cut red tape’; and,
  • Abolishing the Information Commissioner’s Office (ICO), the UK regulator, to be replaced by an Information Commission.

The end goal, ultimately, is to make life simpler and cheaper for businesses (the UK government predicts that these changes, by lessening the administrative burden, will save businesses £4.7 billion) while preserving data subjects’ rights. This sounds perfect in theory – but big questions remain over whether this idyllic vision will be realised quite so effectively in practice.

The EU expressed concern about the UK’s data protection regime before the Data Protection and Digital Information Bill was even a notion. In 2016, for instance, the European Court of Justice ruled that the UK’s Data Retention and Investigatory Powers Act actually breached EU law by allowing “general and indiscriminate” retention of individuals’ data by law enforcement agencies. A similar ruling in 2017 also criticised the UK government’s approach to gathering large volumes of data in investigations, recommending that the UK be “more careful” and justify its requirements for doing so.

Bearing in mind this concern over government surveillance, combined with fears about what the proposed divergence in law outlined above might lead to with regards to data subject rights, it is no surprise that the UK’s adequacy decision might not find too many proponents in European circles. This is without even considering the UK’s legislative strategy in other areas – such as threats to withdraw from the European Convention on Human Rights to facilitate the deportation of asylum seekers to Rwanda, or the introduction of the potentially invasive Online Safety Bill – which introduces further divergence in the area of human rights, a factor the EU considers when assessing adequacy.

Scenarios for the UK losing adequacy

Considering all of this, it is worth examining the scenarios that could lead to adequacy being removed. The following represent the most likely avenues of this occurring:

  1. Legal challenges by privacy activists. There is certainly precedent for the EU to make a ruling on adequacy only for individuals to challenge this in the courts and have it overturned. As things stand, the status quo serves the EU well, given there is an economic benefit to making data flows between the EU and UK restriction-free. However, this economic rationale would go out of the window if someone like Max Schrems, the Austrian privacy campaigner who has twice successfully challenged the legitimacy of EU-US transfer mechanisms, was to make a formal case to the European Court of Justice (ECJ).

    It is worth remembering that US adequacy was annulled due to concerns that private citizens’ data could end up in the hands of US security services. Considering UK national security laws have had similar concerns raised about them (see above), it is not hard to imagine that a complaint could be made against the UK in the not-too-distant future.
  2. The UK diverges too far. The EU may have a certain tolerance for the UK’s data protection – particularly while there is an economic and political benefit to keeping relations strong and data flows simple – but there is a point at which the UK could go too far. If the EU deems that UK legislation is too far from the standard required, adequacy could be removed very quickly.

    Both the European Parliament and the Council of Ministers can ask the European Commission to amend, or withdraw, an adequacy decision at any time if they feel the UK has lowered its privacy standards and put EU data subjects’ rights at risk.
  3. The UK tries to circumvent EU rules. The UK may simply push things too far by trying to placate its global partners by allowing free cross-border transfers with the likes of Australia and the US – countries the EU does not consider adequate. The EU is likely to take a dim view if EU citizens’ data ends up being transferred to a ‘non-safe’ third party country just because the UK wants to realise its global ambitions.

The other point to make here is that data privacy could be used simply as political leverage. It does not take much of a leap of imagination to conjure an instance where the EU might want to exert some pressure on the UK, for instance with regards to Northern Ireland, and may choose adequacy as a tool to achieve this. The UK has robust privacy laws (much more so than currently ‘adequate’ New Zealand, for example) but that may not be enough for the EU to consider the UK government a ‘reliable partner’ in the sphere of data protection.

Consequences for UK-European business

The final and most pertinent question around adequacy remains, however – why should anyone care? Sure, the UK might not be able to send data back and forth with the EU quite so easily, but is this really such a problem?

It is possible that, for a business that has no dealings with EU clients, this will have relatively little direct impact. However, for the many organisations who do interact with EU nationals and entities, the effects will be profound. Losing adequacy will likely mean a) an increased cost of doing business, involving more compliance and contractual measures over data transfers; b) a reduction in trade; c) reduced investment; d) relocation of businesses out of the UK; and e) a risk of increased GDPR fines by EU regulators.

It is hard to quantify what this disruption would mean for businesses. The UCL European Institute published a report in November 2020 where it estimated that compliance costs alone could be as much as £3,000 for a micro-business, £10,000 for a small business, £19,555 for a medium business and £162,790 for a large business – costing an aggregate of around £1-1.6 billion. This, however, is without considering the wider economic impact on the UK.

Losing adequacy is both highly possible and highly damaging for the UK. Businesses should brace for negative impacts and costs if this happens and start contingency planning now. Ensuring that you have the requisite data privacy and protection program in place – with suitable Data Privacy Impact Assessments, Transfer Impact Assessments, and facility to include contractual safeguards (such as Standard Contractual Clauses) in any agreements concerning the transfer of EU data – and the right personnel and processes to manage it, will go a long way to preparing for the worst.

Single organisations cannot do much about the EU’s adequacy decision – and even the UK government maintaining a world-class data protection schema and retaining alignment with the EU GDPR might not be enough. However, preparation can at least soften the blow.

How we can help

If you would like to understand more about data privacy and protection, get in touch to arrange a free consultation with one of our experts today.