Why EU-UK data flows have a dim future
After Brexit, the EU and the UK reached an uneasy truce to maintain the free flow of personal data between them. The European Commission decided at the last minute that the UK still provided an adequate standard of personal data protection. Without this decision, EU businesses would have had to introduce special measures to protect personal data which is sent to the UK – costing UK and EU businesses of billions of Euros.
The EU’s decision to allow the continuation of free personal data flows was no foregone conclusion. The UK retained the EU’s General Data Protection Regulation (GDPR). But the UK’s intelligence-gathering activities have already been found to contravene EU law. And the future looks even riskier – the UK Government plans to loosen its data protection laws in future, and wants deals for seamless transfers of personal data with many countries the EU does not believe adequately protect personal data.
The EU decision to maintain free personal data flows was therefore pragmatic, intended to limit disruption in the short term. It is unlikely to last. The real question is not whether seamless data transfers will end – but how and when they will end.
First, the European Court of Justice (ECJ) could overturn the Commission’s decision that the UK provides adequate data protection standards. The ECJ has already decided that national security authorities should not have access to personal data held by businesses, without sufficient safeguards. The ECJ already has concerns the UK’s safeguards are insufficient – but now that the UK is no longer a member of the EU, those concerns mean seamless data transfers could be disallowed. Given the current UK government’s animosity towards the ECJ, London would probably not limit its national security laws merely because of an ECJ judgment. The EU might then end up with no choice but to end free data flows.
Second, the Commission may decide to end the free flow of personal data if the UK departs too aggressively from GDPR standards. The UK government recently published a consultation paper floating a range of possible ways the UK could diverge from the GDPR, in order to promote “innovation and economic growth”. Some of the proposed changes are relatively minor or anticipate reforms the EU will probably soon adopt itself. The Commission might overlook these divergences. But other proposals are more significant. For example, some changes would undermine the UK data protection regulator’s independence; others would give individuals fewer rights to challenge how their personal data is used. If the UK government pursues these more incendiary proposals, the EU will probably quickly prevent free personal data flows, on the basis that the UK is undermining EU nationals’ privacy rights.
Finally, Britain’s global ambitions may prove an intractable problem. The UK wants to enable free personal data transfers with countries like the US, Australia, Singapore, Dubai and Colombia. The EU does not recognise that these countries provide privacy standards equivalent to the GDPR. So the Commission will be alarmed at the possibility that personal data could be transferred from the EU to the UK, and then moved onward to a third country where it would not be adequately protected. If the UK persists in pursuing this aspect of its ‘Global Britain’ strategy, the Commission will inevitably impose new safeguards on data transfers from the EU to the UK.
Protection of personal data is just one more area where London needs to face up to post-Brexit realities. London can pursue deregulation and a ‘Global Britain’ trade strategy – but it will struggle to do that while protecting free personal data transfers with the EU. Three-quarters of the UK’s personal data transfers are with EU member-states, so the UK will struggle to compensate for losing seamless data flows with the EU by making new data transfer deals with new countries. But, politically, that may be the only choice open to London. The political compromises the UK may eventually need to make to maintain seamless EU-UK data flows – such as narrower intelligence-gathering laws, ongoing alignment with GDPR, and abandoning free data transfer deals with third countries – seem increasingly impossible for the current UK government to swallow.
If the UK wants to secure maximum flexibility while maintaining seamless data flows with the EU, it needs to understand that the Commission’s decisions about free data flows are influenced by broader political and economic calculations. London’s ongoing disputes with Europe do not help its cause – for example, on fishing quotas, the Northern Ireland protocol, and the so-called AUKUS defence deal. A closer and more constructive EU-UK relationship would give the UK a bit more flexibility, and make the Commission think twice before bringing free personal data flows to an end.
Zach Meyers is a research fellow at the Centre for European Reform.