What will Brexit mean for our privacy?

The Brexit clock is ticking. As the deadline to extend the transition period officially expired on the 30th of June, the UK will have to leave both the EU custom union and the single market by end of this year — although some commentators pointed out how some creative but unlikely solution may still be viable.

While this will undoubtedly have profound repercussions for all of us, Open Rights Group (ORG) is deeply concerned about the key implications for our privacy: how will the data protection regime change after the transition is over? And will the UK obtain an adequacy decision from the European Commission?

We have no simple, straightforward answer to these questions, but last month brought about some interesting developments, which we will now try to summarise.

GDPR review and US-UK trade negotiations

The General Data Protection Regulation undergoes periodic reviews concerning its implementation and, with little surprise, this year’s report by the European Commission stressed that a “high degree of convergence in data protection” is an important condition to fit the UK in an adequacy decision.

Unfortunately, EU concerns about the future of data protection in the UK are more than rhetorical: Prime Minister Boris Johnson plainly stated his intentions to diverge from the GDPR, and the redlines imposed by the US Government during trade negotiations would risk leaving our personal data at the mercy of Silicon Valley.

On top of that, the Court of Justice of the European Union will soon be called to assess the compatibility with EU law of certain GDPR mechanisms for international transfers, which may end up including the issue of effective judicial remedies for EU citizens against US surveillance practices. This may weaken the position of the UK, given the recent agreement with the US involving the sharing of electronic data for investigative purposes.

Domestic issues

The adequacy assessment will not only look at formal aspects, but also for more substantive signals to corroborate the image of the UK as a country with an adequate level of data protection. However, the UK Government does not seem to be playing its cards very carefully, as these months have resulted in a bit of a privacy horror show.

Starting with the obvious examples, the UK’s Coronavirus public responses were characterised by a rather poor handling of data protection requirements: DPIAs were unsatisfactory at best and outright absent at worst, and it took legal threats to lower the Test and Trace retention period from 20 to 8 years (which by the way is still too long).

Furthermore, the cavalry stayed home: the Information Commissioner’s Office paused an already two-years long investigations into the adtech industry only to display a rather weak oversight of Government behaviour during Coronavirus. Finally, UK security services were caught making illegal copies of the Schengen Information System of the European Union, a cross-border database maintained for national security, border control and law enforcement purposes.

The stakes are high

Needless to say, reduced legal protection against privacy abuses would have dire consequences for our rights and liberties, given the times we are living in.

Furthermore, the impact on trade relationships with the EU would be huge. Without an adequacy decision, businesses may be forced to establish legal representation in the EU, and data transfer to the UK would be subjected to GDPR safeguards for international transfers— in other words, a significant amount of red tape. As the EU accounts for 49% of UK’s international trade, and Coronavirus triggered yet another “once in a century economic crisis”, prospects are not encouraging.

It does not need to end this way though. ORG has been critical of the Government’s attitude, which seems to consider data protection as a mere bureaucratic obstacle in the way of getting things done, rather than a guiding principle which should drive their responses. Furthermore, we challenged Government contact tracing plans over and over, and we demanded that the DCMS committee keep an eye on our feeble regulator. Finally, we recently hosted a roundtable with digital trade experts.

We will keep pushing for more transparency and democratic engagement in negotiations, to ensure our digital rights are not traded away. If you want to know more, take a look at our campaign page, or join us, and contribute to the future of data protection in the UK.