Fear and loathing in the UK adequacy decision

On June 28, the European Commission adopted the UK adequacy decision, which will allow personal data to be transferred from the EU to the UK without additional safeguards.

In an ideal world, this would indicate that the UK offers an adequate level of protection for personal data, and would signal their willingness to retain those standards. Unfortunately, reality tells a different story, that should be worrying for human rights advocates on both sides of the channel.

UK (in)adequacy decision

Under GDPR rules, data transfers to third countries like the UK need to be preceded by an assessment of domestic laws, that must provide an “essentially equivalent” level of data protection. However, the UK legal framework fails to attain these standards; for instance, where:

• it provides undue restrictions to the exercise of data rights against the Immigration Exemption;
• it lacks safeguards for international data transfers for research purposes;
• it allows excessively intrusive and unlawful surveillance practices, and lacks oversight;
• there is a lack of independence and systemic failures by the domestic supervisory authority in the enforcement of data protection rules.

These same issues were raised by the European Data Protection Board and the European Parliament, and have been thoroughly explained elsewhere. Indeed, much emphasis has been given to the exclusion of Immigration data from the scope of the adequacy decision, as well as to the promise to review the decision in 4 year to measure the UK future divergence from GDPR standards.

On the other hand, the European Commission have already chosen to ignore the issues in front of them, and rely instead on UK Government’s misguided description of domestic laws. This leaves little ground to believe that the European Commission would do any better if UK privacy laws were to change.

What the future will bring

The UK legal framework may be flawed, but UK Government plans and stated intentions are, if anything, even more worrying.

Back in September 2020, the UK Government published the National Data Strategy, stating their intention to reduce restrictions to data sharing and their use. In May 2021, a so-called “independent group” — made of three Conservative MPs appointed by a Conservative Prime Minister — published what is known as the TIGRR report. Here they propose to replace the GDPR with a “UK Framework of Citizens Data Rights” that would:

• reduce reliance on consent, by giving greater emphasis “on the legitimacy of data processing”;
• remove purpose and storage limitation, as they prevent organisations “from collecting new data before they understand its potential value”;
• remove article 22 of the GDPR, and focus instead on “whether automated profiling meets a legitimate or public interest test”.

In other words, the UK Government would allow organisations to collect and reuse data without appreciable restrictions, reducing individuals’ agency over one’s personal data and weakening accountability. These changes wouldn’t only put the UK data protection framework at stake with the GDPR, but also with the European Convention on Human Rights and the data protection convention of the Council of Europe. The UK Government, however, are already considering plans to free judges from the ruling of the European Court of Human Rights.

Finally, the UK is joining the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, which could bind the UK to lower data protection standards in order not to hinder data flows with other signatories of the agreement. In doing so, the UK Government are showing a curious attitude: they are keen to break those international obligations that would promote the welfare of UK residents, but want to undertake new international obligations to undermine individuals’ rights in favour of corporate interests.

We must take care of our own

With Schrems II, an adequacy agreement between the EU and the US was struck down for the second time in a row. The UK adequacy decision could undoubtedly mark yet another defeat for the European Commission, but some damages will be harder to amend.

In the UK, Government are already leveraging on the adequacy decision to misrepresent their plans to gut the GDPR and become a data-laundry heaven — indeed, the UK Secretary for Digital never misses a chance to mention that the EU recognised the UK’s own “high data protection standards”. Any CJEU ruling will likely arrive too late to debunk his argument, giving the UK Government an opportunity to hide their agenda behind an aura of legitimacy provided by the European Commission.

On the other hand, the UK may end up being the only country that lowers data rights standards. Plans in the US to introduce data protection legislation are finally gaining traction, piling up to the long list of initiatives being discussed both in the EU and the US to regulate digital platforms. While it may be pretentious to think that the UK Government will stop the wind, their ability to undermine digital rights to the detriment of UK residents shouldn’t be underestimated.