The UK data bridge: a sneak peek at the UK privacy race to the bottom to come

The UK extension to the EU – US Transatlantic Data Privacy Framework will come into force on 12 October. Its adoption provides a sneak peek at the future of UK international data transfers, and the erosion of essential guarantees against surveillance measures that the UK data protection reform would bring.

By Open Rights Group (guest author) · October 11, 2023

On 12 October, the UK extension (Data Bridge) to the EU – US Transatlantic Data Privacy Framework (DPF) will come into force. This is a voluntary scheme US companies can use to share personal data freely with the European Union (EU), and it was introduced after the Court of Justice (CJEU) found that the previous framework, Privacy Shield, did not provide sufficient protection against unlawful surveillance by US state agencies.

The DPF is about to be tested again in Court against claims that it falls short of meeting basic rule of law guarantees, but the Government decision to extend this scheme to the UK unveils some deeper issues with the UK data protection reform. If approved, the Data Protection and Digital Information Bill (DPDIB) would allow the UK Secretary of State to authorise personal data transfers to third countries even when they lack enforceable rights and effective remedies — and while the UK Government argues that the new regime would not differ substantially from the one inherited from the EU GDPR, the decision to adopt the EU – US DPF tells us a different story.

What on earth are international data transfers?

Digital data can travel freely across geographical boundaries and jurisdictions, but what happens to your right to have your data protected if the data is halfway across the globe?

European data protection law requires companies and organisations to ensure the same, equivalent level of protection for personal data regardless of where the data is transferred. However, this common-sense, anti-circumvention rule has since clashed with US surveillance programmes that allow US authorities to intercept and access personal data without proper accountability or redress. As a result, companies and organisations that transfer personal data abroad now face the difficult task of implementing additional safeguards to protect personal data against US state authorities, or else of avoiding transfers of personal data to the US entirely.

The DPF is an attempt to fix this issue: on the one hand, the US Administration agreed to implement an Executive Order that would provide more rights and stronger accountability for US state surveillance programmes. On the other hand, the EU adopted an “adequacy decision” that legalises personal data transfers to US companies, subject to their adherence to the DPF scheme and the stronger safeguards it provides. However, the scheme is facing fresh legal challenges, and experts warn it may not deliver on its promises to provide enforceable rights and effective remedies against US authorities' arbitrary access to and misuse of personal data.

The future of UK international data transfers

Schedule 5 of the DPDI Bill would give discretion to the Secretary of State to authorise transfers on the basis of rather vague criteria, such as the “respect for the rule of law and for human rights”, “relevant international obligations”, or any other matter the Secretary considers relevant. With the adoption of the UK Data Bridge, we can observe how some of these technicalities would work in practice.

In the Analysis that preceded the adoption of the UK Data Bridge, the UK Department for Science, Technology and Innovation (DSIT) finds that the US have a judiciary, that the US ranks “26th out of 160 countries” in a world justice index, or that the US joined some international agreements concerning human rights and data protection. This herculean effort (13 pages in total) allows the DSIT to conclude that the US provides an “adequate level of protection for [your data]”.

In this instance, DSIT continues with another 80 pages dedicated to the analysis of US State access to personal data via national security, law enforcement provisions, and available avenues for redress. However, the DPDI Bill would exclude the need to consider “public security, defence, national security and criminal law and the access of public authorities to personal data”, as well as the existence of an independent supervisory authority or effective judicial redress.

In other words, if the DPDI Bill were in force today, the UK Data Bridge would likely have been approved on the basis of a 13-page essay that a below-average law student could have written as their course assignment.

On top of that, the ample discretionary powers of the Secretary of State to consider other matters already find their way into the DSIT analysis, such as when they note the US has signed up to the OECD “Declaration on Government Access to Personal Data held by Private Sector Entities”, or to the “Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System”. These commitments either lack the force of law or are not enforceable against State authorities, thus they don’t solve any of the problems concerning international data transfers to the US. Nevertheless, they are still being used by the UK to authorise such transfers.

The bigger picture: the UK role on the international stage

The lack of accountability and proportionality of State surveillance programmes has become the biggest driver of legal uncertainty for the digital economy. Indeed, the OECD “Declaration on Government Access to Personal Data held by Private Sector Entities” may be an agreement in principle, but it shows that consensus is growing toward making State surveillance programmes accountable, proportionate and subject to the rule of law.

The United Kingdom once played a huge role in promoting human rights and the rule of law as means to foster social progress and commercial interests at the same time. However, the UK approach to international data transfers would relinquish this role, betray UK democratic values, and position the UK as a data-laundering haven pushing for a global privacy race to the bottom. This would not only fail to provide a long-term, pragmatic solution to international data transfers, but would also further the UK's reputation as an “international rogue actor” that recent UK Governments have accrued over the years.

Conclusion

Open Rights Group will keep advocating for solutions that uphold high human rights and rule of law standards, and that reconcile national security and law enforcement with broader economic and societal needs. Stay in touch or join ORG in the fight.

Contribution by: Mariano delli Santi, Legal and Policy Officer, EDRi member, Open Rights Group