UK DATA BRIDGE: A GLOBAL PRIVACY RACE TO THE BOTTOM

On October 12, the UK extension (Data Bridge) to the EU–US Transatlantic Data Privacy Framework (DPF) will come into force. This is a voluntary scheme US companies can use to share personal data freely with the EU, and it was introduced after the European Court of Justice (CJEU) found that the previous framework, the Privacy Shield, did not provide sufficient protection against unlawful surveillance by US state agencies.

The DPF is about to be tested again in Court against claims that it falls short of meeting basic rule of law guarantees, but the UK Government’s decision to extend this scheme to the UK unveils some deeper issues with this country’s data protection reform. If approved, the Data Protection and Digital Information (DPDI) Bill would allow the UK Secretary of State to authorise personal data transfers to third countries even when they lack enforceable rights and effective remedies. And while the UK Government argues that the new regime would not differ substantially from the one inherited from the EU GDPR, the decision to adopt the EU–US DPF tells us a different story.

WHAT ARE INTERNATIONAL DATA TRANSFERS?

Digital data can travel freely across geographical boundaries and jurisdictions, but what happens to the rights to have your data protected if it is half-way across the globe?

European data protection law requires companies and organisations to ensure the same, equivalent level of protection regardless of where data is transferred to. However, this common-sense, anti-circumvention rule has since clashed with US surveillance programmes, that allow US authorities to intercept and access personal data without proper accountability or redress. As a result, companies and organisations that transfer personal data abroad now face two choices – the difficult task of implementing additional safeguards to protect personal data from the US state authorities, or avoiding the transfer of personal data to the US entirely.

The DPDI Bill would exclude the need to consider “public security, defence, national security and criminal law and the access of public authorities to personal data”, as well as the existence of an independent supervisory authority or effective judicial redress.

Mariano delli Santi, ORG Legal and Policy Officer

The DPF is an attempt to fix this issue: the US Administration agreed to implement an Executive Order that would provide more rights and stronger accountability for US state surveillance programmes. In return, the EU adopted an “adequacy decision” that legalises personal data transfers to US companies, subject to their adherence to the DPF scheme and the stronger safeguards it provides. However, the scheme is facing fresh legal challenges, and experts warn it may not deliver on its promises to provide enforceable rights and effective remedies against US authorities arbitrary access to and misuse of personal data.

THE UK DATA BRIDGE AND THE FUTURE OF UK INTERNATIONAL DATA TRANSFERS

Schedule 5 of the DPDI Bill would give discretion to the Secretary of State to authorise transfers on the basis of rather vague criteria, such as the “respect for the rule of law and for human rights”, “relevant international obligations”, or any other matter the Secretary considers relevant. With the adoption of the UK Data Bridge, we can observe how some of these technicalities would work in practice.

In the Analysis that preceded the adoption of the UK Data Bridge, the UK Department for Science, Technology and Innovation (DSIT) found that the US have a judiciary, that the US ranks “26th out of 160 countries” in a world justice index, and that the US joined some international agreements concerning human rights and data protection. This herculean effort (13 pages in total) allows the DSIT to conclude that the US provides an “adequate level of protection for [your data]”.

In this instance, DSIT continues with another 80 pages dedicated to the analysis of US State access to personal data via national security, law enforcement provisions, and available avenues for redress. However, the DPDI Bill would exclude the need to consider “public security, defence, national security and criminal law and the access of public authorities to personal data”, as well as the existence of an independent supervisory authority or effective judicial redress. In other words, if the DPDI Bill were in force today, the UK Data Bridge would likely have been approved on the basis of a 13 page essay that a below-average law student could have written as their course assignment.

On top of that, the ample discretionary powers that the DPDI Bill will give to the Secretary of State already find their way into the DSIT analysis, such as when they note the US has signed up to the OECD “Declaration on Government Access to Personal Data held by Private Sector Entities”, or to the “Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System”. These commitments either lack the force of law or are not enforceable against state authorities, thus they don’t solve any of the problems concerning international data transfers to the US— nevertheless, they are still being used by the UK to authorise such transfers.

THE BIGGER PICTURE: THE UK ROLE ON THE INTERNATIONAL STAGE

Lack of accountability and proportionality of state surveillance programmes have become the biggest drivers of legal uncertainty for the digital economy. Indeed, the OECD “Declaration on Government Access to Personal Data held by Private Sector Entities” may be an agreement in principle, but shows that consensus is growing toward making state surveillance programmes accountable, proportionate and subject to the rule of law.

The UK once played a huge role in promoting human rights and the rule of law as means to foster social progress and commercial interests at the same time. However, the UK approach to international data transfers would relinquish this role, betray UK democratic values, and position the UK as a data-laundering heaven pushing for a global privacy race to the bottom. This approach doesn’t only fail to provide a long-term, pragmatic solution to international data transfers, but would further the UK’s reputation as an “international rogue actor” that recent UK Governments have advanced throughout the years.

Open Rights Group will keep advocating for solutions that uphold high human rights and rule of law standards and that reconcile national security and with broader economic and societal needs.

Digital Privacy

Stop Data Discrimination

The government wants to make it easier for companies and authorities to use your data against you.

Find Out More