Digital secretary Oliver Dowden’s announcement that the UK intends to pursue independent adequacy decisions to enable easier transfers of personal data to a number of countries looks, on the face of it, like precisely the kind of Brexit dividend that was sold to us back in 2016.
An adequacy decision allows the free transfer of personal data to the relevant country without additional safeguards, so materially reduces the cost and administrative burden of trading and working across borders. But that apparent business opportunity might not be as enticing as it looks once you dig beneath the surface.
There are two issues – our relationship with the European Union (EU) and the protection of our own citizens. The two are intimately interconnected, however, because what Dowden seems to be portraying as bureaucratic inertia or even bloody-mindedness on the part of the Europeans is actually motivated by a real and present concern for data subject rights.
The EU is rightly very concerned about the increasing use of data both to exploit consumers commercially and – crucially – to surveil and control them governmentally.
Despite the headlines about Facebook’s murky interactions with Cambridge Analytica, and the continuing anti-trust actions against Google, Uncle Sam himself is the real target of European disquiet.
Edward Snowden’s revelations exposed the true extent of US digital surveillance, particularly of non-citizens, and the Schrems II judgment last July – which ended the EU-US adequacy arrangement – was based on the position that these practices violated the Charter of Fundamental Rights.
The issue, let’s be clear, is not the surveillance itself. There is provision in various parts of the General Data Protection Regulation (GDPR) for both surveillance and other abrogations of privacy in pursuit of security and crime prevention, provided that these can be shown to be necessary, compatible with a democratic society and subject to oversight and legal redress for the data subject.
It was this last point that holed Privacy Shield, the US adequacy scheme, below the waterline. Foreign targets of US surveillance have no rights under US law; they cannot appeal, or sue, or often even be told that they have been targeted.
The EU is also unconvinced that the US Foreign Intelligence Surveillance Court that supposedly oversees the gathering of intelligence on foreign subjects actually exercises effective control.
Why should the UK care what the EU thinks? Because our own digital trade with it – our largest trading partner, at around £90bn a year – depends on the maintenance of our own adequacy decision.
Ratified only at the end of June, it is uniquely fragile, being already subject to restrictions and under continuous review, as well as having a fixed four-year expiry date.
European MEPs have already expressed concern that the UK might become a conduit for onward transfers of data from the EU to third countries. Losing adequacy would cost the UK far more than we stand to gain from the proposed policy of “unleashing data’s power”.
The UK’s top-priority list of new adequacy countries? The US – in direct opposition to the current EU position; the Dubai International Finance Centre (DIFC) – a corporate enclave within an absolute monarchy, and one that introduced a privacy law only last October; Singapore – which, while having effective privacy controls in the private sector, has no such governance of state surveillance and is no one’s idea of a liberal democracy; Australia – rejected for adequacy by the EU in 2001 and increasingly authoritarian when it comes to data; Colombia – in pretty good shape apart from issues around its own onward transmission rules, but hardly a giant market at an estimated £120m a year; and South Korea – which has just been granted adequacy by the EU, so all the UK would need to do is mirror the EU list as many other countries already do.
Interestingly, the UK’s own manual on adequacy contains many of the same requirements as the EU’s Article 45 of the GDPR, and it is quite difficult to see how the US, the DIFC or Singapore would qualify.
Squaring that with the avowed intention to fast-track adequacy decisions highlights the undertone to the UK’s stance on data protection.
While the official line remains that UK citizen rights will be protected and the country will stay aligned with EU rules, the narrative of an end to “box-ticking” and the “clear mandate to take a balanced approach that promotes further innovation and economic growth” suggests that the brief for the new information commissioner, John Edwards, is to enable greater monetisation of citizen data rather than roll back the existing excesses of the giant tech firms.
With Google, Amazon and Facebook all having received record fines from European regulators recently, a big-business-friendly approach that treats personal data as currency – as Iain Duncan Smith and other advisers espoused in the TIGRR report – doesn’t look much like marching in step with the EU.
Data protection isn’t box-ticking. It’s the vital job of protecting individuals from intrusive surveillance and exploitation by both corporation and state, and balancing the right to privacy against the interests of economic growth and national security.
Our own research at Securys clearly shows that UK and European citizens care about, and act to protect, their privacy and their data. The UK government risks more than just European trade if it ignores those concerns.
Ben Rapp is co-founder of privacy and security consultancy Securys. He will speak at the Yes We Trust summit on 7 October alongside Vivienne Artz, the outgoing head of privacy at the London Stock Exchange and runner-up for the role of UK information commissioner. Join them to learn more about how compliance and commerce can work together to benefit both businesses and data subjects. You can register for free at https://yeswetrust.com.
