Data sharing is important for the economy and the intelligence community, but EU-wide regulations are also the reason a social network or cloud storage provider can keep your data in a server room in another country. For the foreseeable future, the UK will be aligned with EU law. The government is currently in the process of drafting a new Data Protection Bill which reflects the requirements of the EU General Data Protection Regulation (GDPR) — an updated, stricter set of data protection rules coming into force next May.
That’s all well and good, but we still need to establish a formal data-sharing arrangement with the EU before we leave. The proposals the UK government has now put forward are basically a checklist of what it wants to achieve from Brexit negotiations, which is more or less to maintain the current status quo. The document basically talks up how well-aligned we already are and will be with EU law once the Data Protection Bill is passed, how we played a leading role in drafting the new framework, yadda yadda yadda.
“On this basis, the government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force.” Not only does the UK want an initial thumbs-up from the EU to carry on as normal, but it effectively wants to keep its seat at the table.
“It is therefore the UK’s ambition to remain a global leader on data protection, by promoting both the flow of data internationally and appropriate high levels of data protection rules,” the paper reads. “The UK wants to continue to work closely with the EU, which has also been at the forefront of driving the improvement of global data protection standards, and our wider international partners, to work towards stronger global standards.”
Remember, this is something of a best-case scenario for the UK, and in no way a reflection of how Brexit negotiations may actually play out, especially considering the elephant in the room: The Investigatory Powers Act. You see, the EU has data-sharing agreements with other countries that fall outside of its regulatory umbrella. The data protection laws in these “third countries,” which include far-flung places like New Zealand, Argentina and Uruguay, are assessed on “adequacy” — the key question being: Even though they don’t share the same standardized laws as EU countries, are their data protection rules appropriate and generally up to par with ours? Are they “adequate?”
While the UK is still in the inner circle, it’s to some extent exempt from questions of adequacy. Post-Brexit, though, there is the potential we could fail the test if the EU decides to look at some of our local laws, particularly the Investigatory Powers Act, through objective eyes. The relatively new piece of legislation governs the UK’s digital surveillance regime, and introduces some new and far-reaching powers of questionable legality.
Not even getting into pending legal challenges from human rights groups, the EU Court of Justice ruled last year that “indiscriminate” data collection is incompatible with EU law. There are many powers in the complex Investigatory Powers Act, tantamount to mass surveillance, that could easily fall under that description. The adequacy of our laws in the realm of data protection, then, is not clear cut.
The EU has absolutely no problem rocking the boat when it comes to adequacy decisions, either. In 2015 the Court of Justice invalidated the Safe Harbour agreement — the key legal framework that governed the movement of data between the EU and the US — on the very basis that it did not adequately protect data privacy. Needless to say, this had serious consequences and led to the hurried drafting of the Privacy Shield agreement to replace it, which itself has not fully been cleared as fit for purpose.