Fear and loathing in the UK adequacy decision

On 17 June 2021, the Council of the European Union unanimously approved the United Kingdom (UK) draft adequacy decision. The European Commission is now expected to confirm their assessment, which will allow personal data to be transferred to the UK without additional safeguards.

In an ideal world, this would indicate that the UK offers an adequate level of protection for personal data, and would signal their willingness to retain those standards. Unfortunately, reality tells a different story, that should be worrying for human rights advocates on both sides of the channel.

UK (in)adequacy decision

Under General Data Protection Regulation (GDPR) rules, data transfers to third countries like the UK need to be preceded by an assessment of domestic laws, that must provide an “essentially equivalent” level of data protection. However, the UK legal framework fails to attain these standards; for instance, where:

• it provides undue restrictions to the exercise of data rights against the Immigration Exemption;
• it lacks safeguards for international data transfers for research purposes;
• it allows excessively intrusive and unlawful surveillance practices, and lacks oversight;
• there is a lack of independence and systemic failures by the domestic supervisory authority in the enforcement of data protection rules.

These same issues were raised by the European Data Protection Board and the European Parliament, and have been thoroughly explained elsewhere.

What the future will bring

Back in September 2020, the UK Government published the National Data Strategy, stating their intention to reduce restrictions to data sharing and their use. In May 2021, a so-called “independent group” — made of three Conservative MPs appointed by a Conservative Prime Minister — published what is known as the TIGRR report. Here they propose to replace the GDPR with “a new, more proportionate UK Framework of Citizens Data Rights” that would:

• reduce reliance on consent, by giving greater emphasis “on the legitimacy of data processing”;
• remove purpose and storage limitation, as they prevent organisations “from collecting new data before they understand its potential value”;
• remove article 22 of the GDPR, and focus instead on “whether automated profiling meets a legitimate or public interest test”.

You may be wondering if these plans wouldn’t be at stake with the European Convention on Human Rights. The UK Government, however, are already considering plans to free judges from the ruling of the European Court of Human Rights.

Finally, the UK is joining the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, which could bind the UK to lower data protection standards in order not to hinder data flows with other signatories of the agreement.

Is the EU still a leader in data protection?

With Schrems II, an adequacy agreement between the EU and the US was struck down for the second time in a row. The UK adequacy decision could undoubtedly mark yet another defeat for the Commission, but some damages will be harder to amend.

In the UK, plans to gut the GDPR and become a data-laundry heaven are already finding their legitimacy in the European Commission adequacy decision— indeed, the UK Secretary for Digital never misses a chance to mention the EU recognition of the UK’s own “high data protection standards”. Any CJEU ruling will likely arrive too late to debunk his argument.

On top of that, the EU seem to have chosen the worst possible moment to erode their reputation as leader and standard-setters in data protection and the digital economy. With growing momentum around the regulation of digital platforms and the tech sector around the world, shouldn’t this be a chance for the EU to shine?

(Contribution by: Mariano delli Santi, EDRi member, Open Rights Group)