As January 1st creeps closer, the UK is continuing to legislate for changes in data privacy and regulation as they exit the EU’s GDPR framework. This is making many things, including the next two paragraphs, very complicated — so bear with me.
In a Delegated Legislation Committee last month, the Minister for Media and Data brought forward a draft amendment on Data Protection Privacy and Electronic Communications for the EU Exit Regulations 2020. While appearing highly technical and somewhat complex, it boils down to one thing: ensuring the UK has the necessary data protection legislation in place once GDPR is revoked. In the Minister’s words, ensuring “there will be no data cliff edges”. While it may seem a little late in the day to be drafting this legislation, data has been a significant, if at times largely overlooked, part of the EU Withdrawal Agreement. GDPR will be largely retained through the EU Withdrawal Act 2018. This retention was amended in 2019 with the Data Protection Privacy and Electronic Communications Amendment, designed to ensure that “UK data protection law would continue to operate on exit day”. The most recent amendment put forward makes limited changes to the first — primarily changing exit day references to “IP completion day”. This kind of change is not uncommon in Parliament — often made as much for party political reasons as legal ones.
What is most interesting about this amendment is the attention it pays to data transfer between the UK and EU. Currently, the UK can transfer data to and from the EU freely, much like a digital freedom of movement. The UK is waiting on EU unilateral decisions to determine how data transfer will operate come January 1st. The EU must deem the UK’s consequent data regime to be “adequate” for things to continue moving. If it does, the UK can continue to transfer data to and from the EU as it does now. If the EU rules the UK data regime “inadequate”, then the UK will have to fall back on more complicated Standard Contractual Clauses (SCCs) — these require written agreement between companies sharing data. The Schrems II case, discussed in last month’s Policy Update, has made the standards for SCCs comprehensively high, requiring that they ensure protection effectively equivalent to EU GDPR regulations. Many large companies have already created alternative SCCs to cover their data transfer operations, but many smaller companies are unable to invest in these measures, or simply do not have the means to prepare. The EU is set to make its decision on the UK’s data adequacy by 31st December — just in time for the January 1st deadline.
The US lends another complex dimension to this dynamic policy space. The Schrems II case prevented data transfers to the US without SCCs. In doing so, it revoked the powers of the US Privacy Shield, which allowed much simpler transatlantic data transfers. The EU are strengthening their data regime, beefing up SCCs and sending strong messages to the US, especially to big tech companies like Amazon, Google, and Facebook. This may be representative of an increasing distrust of US data practices not just in the EU but in the UK as well. A coalition of digital marketing companies have filed a complaint against Google’s ‘Privacy Sandbox’ initiative with the Competition and Markets Authority (CMA). This is one of a whole host of cases brought against US tech companies — something covered in October’s Policy Blog.
While the EU may be leading globally on renewed data governance measures and initiatives, it has little influence beyond its own data. The complexity of data after Brexit, and its disjointed relationship with the US-impacted Schrems II case, stems from the lack of an international or global data governance framework.
The EU are keen to lead in this arena, drafting a further Data Governance Act. Key among its objectives are making “public sector data available for re-use”, strengthening support for individuals to exercise their rights under GDPR, and increasing data sharing practice. While the EU is most active on an international level, it may struggle to establish a comprehensive standardised system that stretches beyond Europe and its immediate neighbours. The US and China are the world’s biggest data players; they draft their own rules and may seek to establish an alternative agenda to Europe’s protection-heavy regime. This area will only become more complicated and more active as business, Government and civil society continue to digitise. With national economies investing in technology and integrating it into critical infrastructure at an increasing rate, this is certainly an area to watch.
This story was written as part of a monthly policy update for Digital Bucket Company, a leading Big Data and AI consultancy. Finn Mohrasri explores the latest issues in the AI, Big Data and Cyber Security industry.