UK-US deal, legal changes could jeopardize EU data-sharing agreements
Could new agreements and proposed legislation from the UK government mean the European Union no longer considers it compliant with the data adequacy mechanism for personal data?
Concern is being raised in the bloc and in the UK as the UK proposes veering away from UK GDPR, reducing the independence of the data regulator, the Information Commissioner’s Office, and agreeing to share data with the U.S. – data which may originally have been shared by the EU. A member of the European Parliament also revealed that the UK may have made a further deal with the U.S. to share more data on people hoping to travel there, including police records and biometrics.
A European regulator has said he is not concerned about the UK’s proposed changes and even suggested Europe follows suit in some respects.
Meanwhile, an investigation into the data breach of 1.9 million records from the U.S. terrorist watchlist by the Department of Homeland Security finds that everything was done properly and makes no recommendations.
Multiple risks to EU-UK data adequacy
The post-Brexit British government has been keen to try to show that things are different and better since leaving the EU. Global Britain will be deft, agile and free to handle its affairs, data will flow freely and the UK services sector will thrive. Or, according to the Open Rights Group, the country will turn into a “global data laundering hub.”
EU-UK data adequacy is due for renewal in 2025 when a new European Commission takes over.
The UK/USA: Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime was first presented to Parliament in 2019 and comes into effect on 3 October 2022. Then a flurry of new legislation affecting data and human rights was proposed in the final weeks of the parliamentary term, amid the resignation of Boris Johnson as leader of the ruling Conservative Party, the role which makes him prime minister, and the ensuing leadership battle.
On 20 July 2022, in his final words in the House of Commons before parliament rose for summer recess, Johnson said:
“I want to use the last few seconds to give some words of advice to my successor, whoever he or she may be. Number one: Stay close to the Americans,” reported The Guardian.
Sophie in ‘t Veld, a Dutch MEP, has submitted questions to the European Commission querying the impact of some of the changes, starting with the draft Data Protection and Digital Information Bill (formerly the Data Reform Bill) which has just had its first reading in Parliament. She shared the questions on Twitter:
The UK🇬🇧 plans a revision (weakening) of its data protection law, and it launches a data sharing regime with the US🇺🇸. Both measures risk violating the post-Brexit standards agreed with the EU🇪🇺 as pre-condition for the “adequacy decision”. My questions 👇 to the @EU_Commission pic.twitter.com/E01AeI8Go4
— Sophie in ‘t Veld (@SophieintVeld) July 26, 2022
“The new law will replace the UK’s current data protection legal framework, on basis of which the Commission granted adequacy under the GDPR and LED in 2021,” wrote in ‘t Veld. “It contains some key provisions departing from that legal framework, i.e. affecting the independence of the Information Commissioner’s Office from the government and removing obligations for law enforcement authorities to log the justification for accessing specific data records.”
In ‘t Veld asks the Commission whether it will reassess the adequacy decisions, when that might happen, and whether it will suspend the mechanism if the UK’s data protections are deemed inadequate once the bill comes into force.
The Renew Party MEP also referred to the US-UK Agreement on Access to Electronic Data: “As the Commission noted in its adequacy decision for data flows with the UK pursuant to the GDPR, the UK-US Agreement ‘may affect onward transfers to the US of data first transferred to the United Kingdom on the basis of the [adequacy] decision,’ because data transferred from the EU to service providers in the UK could be subject to production orders issued by US law enforcement authorities.”
The MEP asked the Commission whether the UK has notified the EU about its plans for the agreement, whether the U.S. has adequate data protection safeguards in place, whether the UK will still be compliant with data adequacy from 3 October and, if not, what the Commission will do.
In June 2022 the British government published the UK Bill of Rights to replace the Human Rights Act 1998. The changes could also forfeit EU-UK data adequacy, according to Amberhawk, a UK law firm specializing in data protection.
“The Bill changes who interprets the meaning of necessity, public interest and proportionality and thereby changes the nature of the link between the UK_GDPR and A.8 of the European Convention of Human Rights (right of respect for private and family life etc),” states the firm’s HawkTalk blog.
“The Courts do not undertake the balancing tests associated with ‘proportionality,’ ‘necessity’ and what is ‘in the public interest’; these tests are undertaken by Ministers if a Government has a Parliamentary majority.”
The European Data Protection Supervisor (EDPS) said “we are a little afraid” over the Data Protection Bill’s plans to change the structure of the ICO and whether it will remain sufficiently independent, reports Compliance Week, though overall he was more positive (see below).
There are yet more threats, such as actions by privacy activist Max Schrems, as laid out in the article The Three Deaths of EU-UK Data Adequacy by the Centre for European Reform, which states “The UK’s options in its attempt to secure a digital trading advantage over the EU, without compromising the EU adequacy decision, are therefore all unattractive.”
Cost to the UK if data adequacy lost
The Centre for European Reform also looks at the potential costs to the UK if it loses its data adequacy status with the EU. Companies transferring data would have to revert to “standard contractual clauses” (SCCs), which it says are more expensive to use. These would mean costs of around £1.4 billion (US$1.7 billion) over five years, the burden falling mainly on small businesses.
There would also be a reputational, political cost. A year ago, then Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, gushed about the opportunities for Britain with new data agreements: “It is part of new plans to use the power of data to drive growth and create jobs while keeping high data protection standards. It will work hand in hand with the UK’s trade agreements and support the country’s ambitious trade agenda to unlock data flows and minimize unjustified barriers or conditions.”
Introducing the new Data Bill to Parliament last week, Matt Warman, Minister for Media, Data and Digital Infrastructure, said, “We now have the opportunity to seize the benefits of Brexit and transform the UK’s independent data laws. We have designed these new updates to our data protection framework so it works in our interests, protects our citizens, and unburdens our businesses.”
Rather than a cost of £1.4 billion, Warman sees opportunities for businesses to save £1 billion over the next ten years by reducing burdens.
Voice of reason: UK as a sandbox
In an enlightening interview with Compliance Week, published before the Data Protection and Digital Information Bill was introduced, Wojciech Wiewiórowski, the European Data Protection Supervisor, said that while he is confident of the safety of EU-UK data transfers for now, his concerns lie in the onward sharing of data to countries with weaker data protection, such as the U.S.
Wiewiórowski told the publication that, at first glance, the proposals reflect professional concerns, not political, and as such are far more welcome than initial proposals last fall.
The EDPS went further still, telling Compliance Week that the Commission could even treat the UK’s move to a more flexible version of GDPR as a sandbox for testing whether the regulation can be loosened or improved, and that the Commission might even follow in its footsteps.
US data breach: ‘nothing to see here’
The Office of Inspector General (OIG) has published its investigation into the July 2021 leak by the Department of Homeland Security of 1.9 million Federal terrorist watchlist records.
Titled “DHS Has Controls to Safeguard Watchlist Data,” the audit finds that the DHS “has an approach to safeguard and share terrorist screening data. We confirmed that DHS’ policies and procedures comply with Federal standards for safeguarding sensitive data, including terrorist watchlist records that are used, stored, and shared by the Department.”
Not only are there no issues with DHS data security after the breach of almost two million sensitive records, but the “DHS responded appropriately by immediately notifying the Federal Bureau of Investigation’s Terrorist Screening Center, the owner of terrorist watchlist records. We confirmed with DHS officials that DHS was not involved in the alleged incident.”
The DHS did not respond to the report and the report did not make any recommendations.
The UK may already have signed a further agreement to share police records and police biometrics with the U.S. for British citizens planning to travel to America. The Home Office has not responded to Biometric Update on the issue.