Privacy Perspectives | Not granting GDPR adequacy to the UK would be a mistake


As part of the two-year review of the EU General Data Protection Regulation, the European Commission said it “cannot predict” whether the U.K., now an ex-EU member, will be fit for a data transfer adequacy agreement with the EU on the grounds that the U.K. might adjust its national legislation to deviate from the GDPR. Threatening to make it harder for the U.K. to engage in digital trade with the EU is a misguided move for three reasons.

First, when it comes to the digital economy, there are a number of areas in which the EU needs the U.K. more than the U.K. needs the EU. With cutting-edge companies, such as DeepMind, and world-class universities, the U.K. has become a world leader in artificial intelligence. The country is home to a third of Europe’s tech unicorns, more AI companies and startups than France and Germany combined, and 35 world-renowned research centers, such as the Alan Turing Institute. Investors are still voicing support for London as the best European location for AI brainpower, adequate talent, strong infrastructure and convenient use of English. According to a StartupGenome study, London rivals other global tech startup ecosystems, like New York and Silicon Valley, in terms of value concentration, success rate, market reach, knowledge, talent and investment, vectors on which European cities, such as Berlin and Paris, perform more poorly. It would be reckless to make it more difficult for data to flow freely between the EU and the U.K. because this would only lead to the bloc falling further behind in the digital economy. And if the EU does make it more difficult to transfer data to the U.K., it only makes sense for the U.K. to reciprocate.

Second, threatening to not grant adequacy to the U.K. makes no sense because the U.K. has already shown its adherence to the GDPR. With Brexit, the Data Protection Act 2018 remains in place and, alongside, the EU Withdrawal Act incorporates the GDPR into U.K. law. And the U.K. Information Commissioner’s Office has been one of Europe’s leading data protection regulators. If the EU will not grant adequacy to the U.K., few other nations have a chance.

Third, the EU’s punitive use of adequacy determinations to force other nations to emulate its data protection laws — a form of regulatory imperialism — is the real problem and should be discontinued. EU policymakers often refer to the GDPR as the “global standard” to sell a narrative that strong privacy rules are a source of competitive advantage, but the reality is that the GDPR actually hurts EU competitiveness by limiting the use of data by European firms, including for AI. The U.K. would be wise to take advantage of Brexit to alter its implementation of the GDPR so as to encourage more AI research and adoption while still protecting privacy, and the EU should allow and encourage such improvements to its framework.

The commission should have used the GDPR’s two-year anniversary review to acknowledge the need to speed up its adequacy decision-making process, which is lengthy, complex and arbitrary. The fastest adequacy assessment so far, for Argentina, took 18 months, but others have taken up to five years. Adequacy determinations also appear arbitrary. For example, the EU granted Israel adequacy even though the country has come under fire recently for its decision to allow the police to use the country’s anti-terrorism location tracking system to track COVID-19-positive individuals’ mobile phones without their consent. In addition, the EU should address cases in which the GDPR allows companies to transfer EU data to China using legal mechanisms, like binding corporate rules and standard contractual clauses, even though these companies are subject to laws, such as China’s National Intelligence Law, that can force them to hand over data to the Chinese government.

If the EU fails to foster digital trade with the U.K., the EU will only fall further behind in the digital economy. To stay competitive post-Brexit and in the digital economy, the EU should ensure its data protection framework facilitates rather than obstructs data transfers with the U.K. and allow easier international transfers with more countries.

Photo by Rocco Dipoppa on Unsplash



3 Comments


  • Tim Bell • Sep 18, 2020
    I must say that I strongly disagree with the content and position of this article, which demonstrates exactly the type of exceptionalism which has misled the UK population to believe being outside the EU would be a benefit for them. Yes, there are absolutely benefits to the EU if they make it easier to transfer data to the UK. However, if the EU conclude that the UK doesn't currently offer equivalent levels of protection to EU data as would be the case under GDPR, their only response can be to decline the UK adequacy status - to do otherwise would make efforts to require other countries to protect EU personal data pointless. Consider the position with Privacy Shield: if the EU is willing to take issue with data going to the USA - for which I anticipate the free transfer of data would be more beneficial for the EU's economy - it would make absolutely no sense to be more permissive to the UK, whose only answer seems to be "well, we'll shoot ourselves in the other foot as well then, by not letting you have our data".
    
    For context, I am a British citizen living in the UK.
  • Jonathan Kaltner • Sep 18, 2020
    I disagree with the content and position of this article because it is factually wrong. Over the past two years the ICO has mostly taken positions when interpreting the GDPR which are "inconsistent" with the opinions of the majority of the other EU member states' data protection authorities; and as far as I can tell the European Data Protection Board has not yet adopted any of the ICO positions. Culturally and politically the ICO is not aligned with the thinking of the majority of the EU member states' data protection authorities. The reference in the EU Commission's Two Year Anniversary Review Report is simply a warning to the UK that strict adherence of the ICO to the DPB's interpretation of the GDPR is expected.
  • Jonathan Kaltner • Sep 18, 2020
    I may add and please remember there were a number of opt-outs the UK made use of during its EU membership, notably among them the international (foreign) agreements related to the UK surveillance laws and practices. Realistically speaking, it is very difficult to see how an adequacy decision can be made for the UK given their use of personal data under the Clarifying Lawful Overseas Use of Data Act or CLOUD Act, a bilateral agreement between the UK and the US, and under The Five Eyes (FVEY), an intelligence alliance comprising Australia, Canada, New Zealand, US and the UK. Both agreements conflict with the European Data protection rules. If the UK will not meet the GDPR standards, the UK will need to change its practice and not the EU or its member states. But all of the foregoing is the natural political and legal consequence of the #Brexit referendum. No real surprises here.