The UK is a leader in digitally delivered services, estimates from the UK Department of International Trade show that in 2018 the UK exported £190.3bn digitally delivered services (67.1% of total UK services exports) and imported £91.1bn digitally delivered, a trade surplus of £99.2bn.
This trade is underpinned by the ability to transfer personal data between the UK and its trading partners. With the EU, which is UK’s largest trading partner, the UK has enjoyed a free flow of personal data with companies able to exchange data without taking extra steps beyond complying with local data protection laws, which are rooted in the GDPR on both sides of the Channel. This was a benefit of EU membership, however now that the UK has left the EU the default ability to exchange data freely is no longer a given.
As we approach the end of the transition period the UK is currently awaiting the outcome of a data adequacy assessment from the European Commission (you can find an explainer on data, adequacy and the future relationship from techUK here).
If a positive adequacy decision is granted the free flow of personal data will be able to continue largely as it does now. However, this is far from a simple procedure as the EU must assess the UK’s data protection system to ensure it provides equivalent levels of protection to the EU’s own.
There is a lot at stake. The EU is a large market for the UK tech sector, EU businesses and consumers have benefited greatly from access to UK’s world leading digital economy and EU member states value greatly the security partnership that a positive data adequacy decision under the law enforcement directive would underpin.
However, despite this mutual interest the path is fraught with complications and it is not certain that a positive data adequacy decision will be reached, despite its enormous value to both the UK and EU.
If we look at both the UK and EU in turn.
For the UK data adequacy means business continuity. The definition of personal data is extremely broad, defined as any information which is related to an identified or identifiable person, this means a huge number of businesses will engage in personal data transfers without even being aware. If data adequacy is not achieved all these organisations will need to take extra steps to ensure they comply with data protection rules.
Achieving data adequacy would prevent this and reduce the burdens that will be placed on businesses as they adapt to a new trading relationship with the EU on 1 January 2021.
However, adequacy can come with strings attached, for instance the EU may require the UK to make changes to its laws or ask for restrictions on onward transfers of data that contain EU citizens personal information. These conditions could be more stringent on the UK than other countries with which the EU has data adequacy, such as Japan.
If the EU takes a decision to impose more stringent conditions the UK Government may not accept these, or even if it does, it may find that any attempt at reform of UK data protection rules curbed or limited by warnings from Brussels that this could endanger the continuation of data adequacy.
The UK and EU agreed in the political declaration that each party would have different systems, but with equivalent levels of protection. However even at this early stage the UK and EU seem to interpret this differently, with some in the EU viewing this as meaning aligned rules, while the UK puts an emphasis on data protection outcomes for individuals and consumers on the ground, rather than the specifics of the legal regime. Over time this could create tension and may mean adequacy is temporary rather than permanent.
For the EU data adequacy would spare many under prepared EU firms from regulatory risk. Many business organisations and Member States are deeply concerned at the lack of preparation within the EU for a no adequacy outcome.
An adequacy decision under the law enforcement directive, along with separate agreements on security, policing and judicial cooperation would also mean Member States can keep a highly valued security relationship with the UK.
However, case law from the recent Schrems II and Privacy International rulings from ECJ, an active and highly litigious privacy lobby and a general fatigue with Brexit in Brussels mean the Commission is going out on a limb in seeking to grant the UK adequacy.
If it does so the Commission will likely be challenged by some in the European Parliament and likely also in court. Both the UK Government and the European Commission have anticipated this from the beginning.
While adequacy is in the mutual interest of the UK and the EU, it is a fraught process and one that will continue to be a subject of debate even after the end of the transition period whether or not the UK receives a positive decision.
Ultimately despite the legal process, confidence, dialogue and trust between the UK and EU will be vital to secure and sustain data adequacy. While this has been low of late, agreeing a free trade agreement and agreements on security, policing and judicial cooperation will do much to restore this and increase the chances of that mutually beneficial adequacy decision.
You can learn more about Tech UK here.