By Julian Hayes, Partner at BCL Solicitors LLP
"We want the UK….to be the best place in the world to start and grow a digital business". With this ambitious aim, the Government has laid out its National Data Strategy, focusing on unlocking the value of data, establishing a pro-growth data protection regime, and championing international data flows to promote economic development. Already a feted success, the UK's digital sector now stands behind only the US and China in global venture capital funding and directly employs more than 1.5 million people in London and other major UK cities. Despite its laudable aspiration, however, the Data Strategy signals post-Brexit regulatory intentions which risk inhibiting and choking off the future growth of this successful UK industrial sector.
Bonfire of data obligations?
Though it emphasises the importance of public support and maintaining trust in how personal data is used, the Data Strategy highlights business' lack of clarity about current data protection rules, takes implicit aim at the burden of the current data regime on innovators and entrepreneurs, and laments costly over-compliance and consequent risk aversion. In response, the Data Strategy foreshadows alleviating data compliance obligations, particularly for SMEs, once the Brexit transition period ends on 31 December 2020. Although the Data Strategy carefully avoids specifics, the complexity of the GDPR's principles-based system and one-size fits all approach have long been a bugbear for micro-enterprises. Indeed, acknowledging concern in its recent two-year review of the GDPR, the European Commission (EC) itself urged national data regulators to lend SMEs a helping hand by offering ready-made templates, training and consultancy helplines. Nevertheless, the EC rejected calls to exempt smaller businesses from GDPR obligations, arguing that data risks were not dependent on an operator's size.
Cross-border transfer dilemmas
Equally contentious is the Data Strategy's approach to cross-border data transfers, cited as being of fundamental importance for economic development. The Data Strategy complains that such transfers of personal data are currently being inappropriately constrained and celebrates that the UK will be able to make its own 'data adequacy' decisions to allow for extra-territorial personal data transfers in a post-Brexit world. Unlike EC adequacy decisions which involve consultation between the Commission, the European Data Protection Board (EDPB) collectively representing EU data regulators, and member state representatives, UK adequacy decisions will be in the gift of the Secretary of State, subject only to Parliament's rarely used negative resolution procedure. The Data Strategy effectively suggests UK adequacy decisions will be 'up for grabs' in future bilateral trade negotiations.
The transfer of personal data from the EU to 'third countries' has been a running sore in relations with the US which has not been granted an EC adequacy decision. The European Court of Justice (CJEU) has twice torpedoed hard-negotiated EU-US personal data transfer mechanisms, first 'Safe Harbour' and most recently the 'Privacy Shield' on which an estimated $7.1 trillion of annual transatlantic digital trade relied. US-UK trade documents leaked to the media in late 2019 suggested the US was seeking to weaken European data protection in its ongoing free trade negotiations with the UK.
These revelations merely added to pre-existing concern in Brussels, based on the UK's Investigatory Powers Act (IPA), that Britain's legal regime already falls short of offering an "essentially equivalent" level of personal data protection to that enjoyed in the EU. Aspects of the IPA have been repeatedly criticised by the European Courts, most recently in Privacy International's challenge to the UK's bulk retention powers. UK data sharing with third countries for law enforcement purposes has also raised concern in Brussels, with reservations at the UK's participation with non-EU allies in the 'Five Eyes' agreement and expressions of disquiet by the EDPB and Members of the European Parliament at the implications for personal data protection of the UK-US bilateral data sharing agreement signed in October 2019.
Data adequacy – wait and see
Against this unpropitious backdrop, the prospects of Britain being granted an EC adequacy decision by the end of the Brexit transition period – something which the UK is pursuing – appear somewhat forlorn. From the Commission's perspective, in the face of concerns over US authorities' access to personal data, how could it grant an EC adequacy decision to the UK, allowing the free flow of EU personal data to Britain when the UK could, in turn, grant its own adequacy decision to the US, theoretically facilitating EU personal data to flow westwards to the US without what the EC regards as adequate protection? Even were the Commission to grant an EC adequacy decision to the UK, it is likely the decision would quickly face challenge in the CJEU from privacy campaigners. In any event, with the Data Strategy foreshadowing imminent changes to UK legislation, how could the Commission practically compare its own data protection regime with one which is morphing into something as yet undefined? Logic surely dictates it would delay making an EC adequacy decision until the future outline of the UK's data protection regime becomes apparent.
Add to this uncertain picture energised lobbying by European interest groups who, even as the Commission assesses the UK's data protection regime, have opened a new front in the "battle for adequacy". The Irish Council for Civil Liberties has recently written to the Commission castigating the UK's data watchdog, the Information Commissioner for being fundamentally supine, unwilling and unable to take on the "hard cases" when enforcing national data laws, even if those laws were deemed on a par with those of the EU.
All things considered, the chances of a smooth segue into the new era of EU–UK data flows at the end of the Brexit transition period seem bleak, and though undesirable, a wait and see outcome for an adequacy agreement must now be the most likely outcome.
Tech unicorns tethered
Avowedly aiming to drive UK economic growth by alleviating the deadweight of data protection obligations, the Data Strategy envisages digital entrepreneurs and innovators of the UK's digital economy powering the country to success after the COVID-led downturn. But with the status quo of the transition period drawing to a close and an EC data adequacy decision potentially on-hold until the UK's data protection regime becomes settled, the UK's tech start-ups may in fact find themselves hamstrung by having to satisfy the EC's data protection requirements in other ways, including the use of Standard Contractual Clauses and Binding Corporate Rules, if they wish to do business in Europe, adding an unwelcome layer of bureaucracy and expense to their overheads. Looking across the Atlantic, even if a US free trade deal is agreed, those same UK unicorns which the Government wishes to foster would confront the formidable stranglehold of the US tech giants when seeking to break into the North America market. That would leave them reliant on the altogether smaller domestic market which would likely inhibit their growth. Despite the Data Strategy's good intentions, its inadvertent consequence may in fact be the stifling of the very sector it was designed to assist.