Data protection post-Brexit
In 2013, Max Schrems, an Austrian privacy campaigner, launched a campaign against the Safe Harbor agreement between the US and EU, which governed data flows between the two continental powers. After the Edward Snowden NSA revelations, Schrems wanted to limit the further transfer of data from Facebook to the USA in light of the mass surveillance program being conducted, called PRISM. In short order, the European Court of Justice ruled that the Safe Harbor agreement was no longer valid or compatible to protect EU citizen data, which in turn led to the renegotiation of a new data protection agreement in 2016 called Privacy Shield.
The Schrems case was a demonstration of how data and digital privacy has become a priority concern for not just the EU, but globally. Estimates posit that up to 2.5 trillion MB of data are created by human beings every day and expected global annual estimates are meant to balloon from 1.2 Zetabytes in 2010 to 35 Zetabytes in 2020. Data is big not only in the sense of the scale and size of the datasets now being combed over by algorithms; Data is also big in terms of the issues and problems it now presents to governments whose citizens expect them to guarantee a certain level of security and privacy. In the UK, the Government is discovering how tough it is to set up a co-operative and meaningful data relationship with the EU post-Brexit.
In her Mansion House Speech, the Prime Minister listed data protection as one of the five foundations upon which to base the future trading relationship with the EU. But as a recently published Exiting the EU Committee report on Data Protection details, there are fundamental disagreements on what form the future data sharing relationship should take.
The European Commission is fairly set on the idea of an ‘adequacy’ decision being in place after Brexit. This is a framework which says that a third country meets the equivalent EU data protection and legislative requirements to be able to receive free flows of EU data. Countries such as New Zealand, Switzerland and Argentina have such an arrangement. Having recently assimilated into law the GDPR through the Data Protection Act 2018, the UK practically meets these adequacy requirements and some expert opinion believes it wouldn’t take long for the EU to grant such a decision. Nevertheless, concern still exists in EU member countries regarding UK mass surveillance techniques and the use of data by UK intelligence agencies.
The Government accepts the EU will need to assess the adequacy of the UK data regime. But it wants this future agreement to be on a bilateral basis with an international agreement or treaty which recognises the unique and special data relationship the UK and EU already shares. The Government would also like a continuing role for the Information Commissioner on the European Data Protection Board and representation under the European One-stop shop provision.
The EU is reluctant for the UK to have its cake and eat it by being able to influence EU data principles while being outside the bloc. If the UK crashes out of the EU without an adequacy decision, then UK businesses can still have access to EU personal data through Standard Contractual Clauses and Binding Corporate Rules. For large companies, this will be manageable, but for smaller and medium-sized ones it could be a heavy economic and bureaucratic burden.
A recently published Government Technical Note highlights the benefits of a new data protection agreement and how each party stands to gain through this method. But as with other Brexit-related issues, it will come down to how much leeway the EU wants to give the UK over EU rules. In data, the UK may not get the solution it wants.