Digital Privacy
14 Dec 2022 Mariano delli Santi Data Protection
Data Grab Bill from an EU perspective
A delegation from the European Parliament visited London and left with some rather scathing opinions about the UK data protection reform, but UK Ministers have been denying that there is any issue with their proposals.
Mixed messages
At the Westminster eForum Conference, the deputy director for the Department of Digital boasted how “adequacy is at the heart of the UK data protection reform”. More recently, the DCMS Minister Julia Lopez took the floor during a summit on International Data Transfers to reassure industry lobbyists that the Government “place a lot of emphasis on adequacy” and have a “very positive relationship with the Commission”.
On closed-door meetings, the Government went further and assured stakeholders that the European Commission would be broadly comfortable with the direction of travel of this reform. But can we trust the UK Government, and their confidence about the uncontroversial nature of their proposals?
Open Rights Group have long focussed on the UK data protection reform and the broader issue of regulatory divergence between the UK and the EU. As such, we have identified a few reasons that suggest the EU may not be as pleased and enthusiastic about the DPDI Bill as the UK Government is suggesting.
Open letter to eu commission
The Data Protection and Digital Information Bill could threaten the UK adequacy decision.
Find out moreIn a nutshell, the DPDI Bill would
- Lower the level of protection required to authorise international data transfers, and reduce judicial oversight over the Government decision to authorise such transfers. The Secretary of State for Digital has been clear about the intention to make the UK “the bridge across the Atlantic and operate as the world’s data hub”. As the UK adequacy decision allows personal data to be transferred from the EU without additional safeguards, these changes would make the UK an avenue to circumvent EU international data transfers rules: once in the UK, EU personal data could be transferred to the Unites States and other third jurisdictions that the UK would approve under their new international data transfers mechanisms.
- Make it more difficult for individuals to exercise their rights, contest or refuse to be subject to an automated decision, or to have access to administrative redresses against an infringement of their rights. The UK Government want to attract businesses and investors to the UK by providing lower standards of data protection than the EU. However, attempting to exploit the adequacy system to gain a competitive edge with a regulatory race to the bottom would threaten the integrity of the EU Single Market and expose EU businesses to unfair competition.
- Introduce new clauses that legitimise data processing and further processing for reasons of law enforcement, national security, and to answer to a request made by a public authority, without meaningful safeguards against abuse. The UK Government have shown a growing sense of hostility over judicial oversight and the challenges brought by civil society organisations against their policies, thus they want the power to change legal requirements when needed via delegated legislative powers that lack meaningful Parliamentary Scrutiny. This would foster uncertainty over the impact that sudden, arbitrary changes of legislation may have on adequacy status of the UK.
- Weaken data protection rights and undermine the independence of the UK Data Protection Authority. Loopholes could be exploited by UK state departments to covertly circumvent their obligations under the Withdrawal Agreement. The Withdrawal Agreement includes certain obligations regarding the immigration status of EU nationals residing in the UK and their access to social security. However, the Home Office have adopted a digital-only immigration-status policy, while the Department of Work and Pensions have been automating systems to detect fraud and process benefits applications. EU nationals who reside in the UK may lose or find it difficult to understand or contest a decision that affects their right to residence or social security
What could go wrong?
The United Kingdom benefits from an adequacy decision, granted by the European Commission, that allows personal data to be transferred from the European Union to the UK without additional safeguards or restrictions. The Commission adopted this decision at the end of the Brexit implementation period, on the basis that the UK inherited EU data protection rules in the form of “retained EU law”.
This decision will expire on June 2025, and the Commission have stated that they are ready to intervene at any point “if the UK deviates from the level of protection currently in place”. However, the data protection reform is one among many legislative initiatives that threaten this status quo: the UK Government already announced plans to “unshackle UK Courts” from the European Court of Human Rights and the Council of Europe system, as well as to introduce a sunset clause that would see all EU retained or derived laws expiring automatically by the end of 2023.
On the other hand, the European Commission have been silent about these legislative developments, and it wouldn’t be the first time they underestimate the legal issues surrounding their adequacy determinations: the Court of Justice of the EU already stepped in twice to invalidate the Safe Harbour (in 2015) and Privacy Shield (in 2020) frameworks. Likewise, the new draft EU-US Data Privacy Framework seems likely to face legal challenges.
As a result, EU institutions are becoming more alive of the potential for legal challenges, and are likely to be more inclined to pick through the details to ensure that legal challenges are less obvious. After all, it is a lot of work and inconvenience going through renegotiations while forcing extra costs and uncertainty on businesses. Parliament is already aware of the risks we outlined above, so is likely to place pressure towards resolving them. And finally, if a poorly made decision goes forward, then it is the EU Courts that decide.
Either way, reassurances from UK Ministers about Commission views are not going to cut it. Legal analysis about the potential for challenges at the CJEU is what matters. Anything expressed by the UK government is going to be self-serving, so all eyes should be on the developing academic discourse on data and trade.
You can find more information in:
- ORG short explainer
- ORG analysis of the Data Protection and Digital Information Bill
- AWO briefing papers on the UK Data Protection Reform
Hands Off Our Data
Read more about the Hands Off Our Data campaign