When the Brexit transition period ends, UK ministers will have the power to forge new data-sharing arrangements that risk undermining the viability of future data transfers with the European Union
Sebastian Klovig Skelton
Published: 02 Oct 2020 13:49
Powers granted to UK ministers under the EU Exit Regulations allow them to determine or revoke data adequacy decisions with little to no parliamentary scrutiny, and could jeopardise the UK’s ability to share data with Europe, experts have told Computer Weekly.
As the UK’s negotiations with the EU continue to be mired in disagreement, concerns are growing over the ability to exchange data freely between the two, which rests on the UK government’s ability to secure a data adequacy decision from the EU.
Without such a decision, UK companies could face difficulties in exchanging data with their EU subsidiaries, or with customers and suppliers. Experts fear that UK legislation, if used, could undermine the prospects of such a decision being made.
Introduced in February 2019, the EU Exit Regulations transfer the adequacy decision-making powers of the European Commission (EC) to UK ministers, who, through the use of a statutory instrument, will be able to avoid any serious scrutiny from Parliament.
This is because the instrument (a tool for creating secondary legislation) is subject to the “negative resolution procedure”, which means once it is signed off by the relevant minister, it becomes law unless it is actively annulled by Parliament within 40 days.
Although any MP can table a motion for annulment (referred to as a “prayer”) within this period, the government is under no obligation to debate it in the House of Commons and, according to the Institute for Government, while the “negative procedure gives Parliament a theoretical veto over secondary legislation, in reality this power is rarely used”.
It added: “The last time the House of Commons prayed against secondary legislation was in 1979, while the Lords have not rejected a negative instrument since 2000.”
The regulations say the secretary of state must monitor developments in the adequacy jurisdiction “on an ongoing basis”, and that a review must be carried out “at intervals of not more than four years”.
In contrast, under the current legislative framework of the EU, the adoption of an adequacy decision – which determines whether a country outside the EU offers an adequate level of data protection and therefore whether data can be shared with it – requires input from multiple bodies.
This includes an initial proposal from the EC, which is then reviewed by the European Board of Data Protection and voted on by a committee of member state representatives, before going back to the EC for final approval.
At any time, either the European Parliament or Council can request that the EC maintain, amend or withdraw the adequacy decision if they decide it exceeds the EC’s implementing powers.
Lack of accountability
According to Nick Dearden, director of Global Justice Now (GJN), as the government takes on powers previously invested in the EU, “they are not translating the democratic or accountability mechanisms at all”.
“I just find it absolutely extraordinary, given that one of the arguments about the EU was how undemocratic it was, that we find ourselves in a situation where government ministers are able to take sweeping powers that wouldn’t have been possible in the EU,” Dearden told Computer Weekly.
“Clearly, we’ve got a government here that is not interested in democratic accountability at all. That would be an enormous problem at the best of times, but it is particularly a problem at a time when we are transferring powers from one place to another, ie into their hands, because what it means is they’re building a whole system which is undemocratic, and we simply don’t have the checks and balances there to rein them in at the moment.”
The Exit Regulations also give ministers power to create new standard contractual clauses (SCCs) that they consider to provide an appropriate level of data protection, which could also be used as the legal basis for data transfers to non-adequate jurisdictions or entities.
In July, a landmark ruling by the European Court of Justice (CJEU) that struck down the US-EU Privacy Shield data-sharing agreement also cast doubt on the legality of using SCCs as the basis for international data transfers, finding that although they were legally valid, companies still have a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.
While various European data protection and privacy regulators are in the process of deciding what appropriate SCCs would look like in the wake of the CJEU ruling (colloquially known as Schrems II after the Austrian lawyer who launched the case), the same negative resolution procedure would apply to UK ministers when creating their own SCCs, which means they could potentially create their own standards, again without proper parliamentary scrutiny.
Speaking to Computer Weekly, Javier Ruiz Diaz, an independent digital policy consultant who previously worked as the policy and campaign director of the Open Rights Group, said the transfer of power from Brussels to Westminster is “not a like-for-like transfer”, because despite valid criticisms that many have of the EU’s bureaucracy, the checks and balances in place tend to foster higher levels of engagement in the process.
“On the one hand, this model is detached from ordinary citizens, but on the other, because of that detachment, they have many [more] formal processes of engagement than you have in the UK,” said Ruiz Diaz, adding that there are concerns that the UK is more interested in prioritising data flows and trade over data protection.
“From everything we know from the government, they really want to have this new cutting-edge, algorithmic, AI, data-driven UK,” he said.
In its recently published National Data Strategy, the government pledged to eliminate the “real and perceived legal and security risks of sharing data”, which it claimed would help to deliver a “radical transformation of how the government understands and unlocks the value of its own data”.
According to reports in The Guardian, EU sources said the data strategy had exacerbated existing concerns over the UK’s approach at the end of the transition period.
“We will also facilitate cross-border data flows by removing unnecessary barriers to international data transfers that promote growth and innovation,” said a consultation paper accompanying the data strategy, which also asks respondents which countries are priorities for future UK data adequacy arrangements.
Echoing Ruiz Diaz, Dearden said: “There is a particular worry when it comes to data protection because we know this is an area that the British government wants to move on, potentially watering down standards.”
While ministers do have the possibility of making new adequacy decisions or SCCs, doing so would make it harder to be deemed adequate by the EU itself.
Phil Lee, a partner in law firm Fieldfisher’s privacy, security and information group, told Computer Weekly that after the transition period ends, the UK will no longer be subject to EU law, and once the General Data Protection Regulation (GDPR) is copied into the UK statute books, it is up to the government how it develops from there.
“Because we will be sovereign, we can choose which countries we want to bestow adequacy upon,” he said. “For those reasons, we could choose to bestow adequacy on entirely different countries from those that the EU has recognised as adequate.
“But if we do that, it will inevitably impact our standing with the EU and whether the EU considers us safe to receive EU data, because the concern would be that you can simply transfer data to the UK, and then onward transfer it from the UK to countries that the UK would consider adequate, but the EU doesn’t.”
Although it is already uncertain whether the UK will be deemed adequate by the EU, largely because of its intrusive surveillance laws, such as the Investigatory Powers Act and membership of the Five Eyes Alliance, Ruiz Diaz said he is hearing concerns that some in government “realise that European adequacy from the EU may not be worth it from their point of view”.
He added: “If you read between the lines on the government’s stated data ambitions, a lot of it isn’t compatible with an adequacy decision.”
GJN’s Dearden added that maintaining the same GDPR standards, and therefore adequacy with the EU, “is something they’re potentially going to compromise in order to get an American trade deal, or a trade deal with various other countries”.
“That will make it harder for us to trade with the EU, but as far as I can see, that’s the path they’re most likely to go down,” he said. “For them, the whole point of getting out of the EU was to get out of the standards and protections that have been negotiated over the years by that bloc.
“The standard the British government are looking at is one that benefits the big-tech private sector – and they are prepared to forgo the relationship with the EU and the trade networks that have been built up over time to get that.”
Referring to the US-UK trade documents leaked in November 2019, Ruiz Diaz said: “The US is quite openly hoping to use the UK to weaken European data protection.” He added that this should all be considered in the context of a “geopolitical battle over the global digital economy” between the regulatory models of Europe, the US and China.
But he also said the EU and the UK were essentially locked in a game of regulatory chicken, a situation of “who moves first”.
“Say the UK gets adequacy itself – and that’s a big if at the moment – that would tie the UK government’s hands in terms of what it could do,” said Ruiz Diaz, while also agreeing with Lee that should the UK start making adequacy decisions elsewhere, it would tie the EU’s hands too.