Will the UK’s proposed rules for extra-UK data transfers jeopardise its EU adequacy status?

In its “Data: A New Direction” consultation on post-Brexit reforms to UK data protection laws, the UK Government maintained that reforms to the UK GDPR and Data Protection Act 2018 were possible without jeopardising the UK’s adequacy status with the EU. The Government argued that (para 15, here):

“[I]t is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it begins a dialogue about the future of its data protection regime and moves to implement any reforms in the future. European data adequacy does not mean verbatim equivalence of laws, and a shared commitment to high standards of data protection is more important than a word-for-word replication of EU law”

It adopted a similarly confident tone in its subsequent response to the consultation, noting that, while consultation respondents “raised the importance of data flows with the EU, and how our reforms will affect this - in particular with respect to the UK’s EU data adequacy decision…”, the Government's view remained that:

“it is perfectly possible and reasonable to expect the UK to maintain EU adequacy as it designs a future regime… EU adequacy decisions do not require an ‘adequate’ country to have the same rules, and our view is that reform of UK legislation on personal data is compatible with maintaining flows of personal data from Europe.”

As with any proposed reforms, the devil is always in the detail and there is now a publicly-available draft of the Government’s proposed legislation (in the form of the Data Protection and Digital Information Bill) for review.?While many aspects of the Bill could play into a future review by the EU of the UK’s adequacy status (including changes to accountability rules and the regulatory independence of the ICO), perhaps none are quite so important as the UK’s proposed reforms to data transfer rules.

This blog examines those changes - specifically with respect to the UK's own proposed adequacy regime - and asks whether they are compatible with the UK maintaining its EU adequacy status.? In doing so, it explores whether the Bill, as published, is consistent with the Government’s earlier statements on maintaining EU adequacy, recognising the value of maintaining “frictionless” data exports between the EU and the UK (since the costs to UK businesses have previously been estimated at between ￡1bn and ￡1.6bn, if the UK were to lose its adequacy status - see here).

EU adequacy requirements

Under the EU GDPR, when assessing whether or not a third country (i.e. a non-EU country) can be awarded adequacy, the European Commission must take account of certain criteria listed in Art 45(2) of the GDPR - things such as respect for the rule of law, effective and enforceable data subject rights, and the existence of an “independent” supervisory authority (more on this point later).?

The Commission must also take into account the precedent set in the Schrems II CJEU ruling that the third country in question must provide a level of protection that is “essentially equivalent” to EU data protection standards (see, e.g., para 94 of the judgment: “the term ‘adequate level of protection’ must… be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union … ”).?

In Schrems II, the CJEU held that the EU-US Privacy Shield adequacy framework did not provide an “essentially equivalent” level of protection (primarily due to concerns about US government surveillance), and therefore invalidated the framework - throwing the legality of many EU to US data transfers into doubt.?

In light of this ruling, and subsequent EU regulatory guidance casting further doubt on the legality of data exports to the US, it is noteworthy that the UK Government has stated its intention to prioritise the United States for UK adequacy recognition.?This raises immediate questions about the compatibility of UK adequacy standards with EU adequacy standards, and will inevitably raise concerns in the EU (especially with respect to onward transfers of EU data from the UK - more on onward transfers later, too).

Proposed UK adequacy revisions?

Much of the commentary on the UK’s proposed revisions to the adequacy regime (as set out in Schedule 5 of the Bill), has, to date, been relatively superficial - noting that the revised regime permits the UK Secretary of State to adopt adequacy regulations (similar to adequacy decisions by the EU Commission under the EU GDPR) and enables extra-UK transfers to be made if “appropriate safeguards” are in place (i.e. the UK equivalent of EU standard contractual clauses).?At this superficial level, it appears that the UK is maintaining the status quo - and so will surely maintain EU adequacy.

But is it??When delving a little more deeply into the Bill, it quickly becomes apparent there are some material departures from EU standards that could, in a future assessment by the European Commission, harm the UK’s ability to maintain EU adequacy.

The UK’s proposed “data protection test”

In order to issue adequacy regulations recognising a third country as adequate to receive UK data, the Bill proposes that UK Secretary of State must determine whether the country in question meets a new “data protection test” (see Schedule 5, para 2(2) of the Bill, inserting new Articles 45A and 45B into the UK GDPR).?If the test is met, the third country can be declared adequate and freely receive UK data; if not, then UK data exporters will need to implement appropriate safeguards or find a derogation to rely on before they can make exports.

So far, so EU - but there are three key areas where the UK’s adequacy regime departs from the EU’s regime:

A. Will trade trump data protection??

First, in making adequacy regulations, the Secretary of State “may have regard to any matter which the Secretary of State considers relevant”.?This reference to “any matter” appears an exceptionally broad discretion that, notably, finds no comparable provision in the EU GDPR - the EU Commission is permitted only to take account of factors impacting the protection of personal data.?Perhaps most surprisingly, the Secretary of State’s discretion includes “the desirability of facilitating transfers of personal data to and from the United Kingdom”.?To many, this will read as suggesting that a desire to improve trade relations with a third country could be used to justify issuing adequacy regulations, notwithstanding data protection concerns.

In fairness, it is unclear whether this is the intent and, notably, this broad discretion is decoupled from the need to satisfy the data protection test - the discretion and the duty to satisfy the data protection test sit in separate subsections of the Bill. The Bill says says that adequacy regulations may be adopted “only … if” the data protection test is met, independently of this discretion.??

Nevertheless, this “desirability discretion” creates unhelpful ambiguity and should be resolved during the course of the Bill’s legislative passage.?

B. “Not materially lower” is not the same as “essential equivalence”

The “data protection test” itself is set out in a proposed new Article 45B.?In effect, the test says that adequacy regulations can only be issued in favour of a country if that country’s data protection standards are “not materially lower” than UK data protection standards.

Remember that the standard for awarding adequacy in the EU is “essential equivalence”, not just that the third country’s standards are “not materially lower”.?This?begs the question: is the phrase “not materially lower” intended as a synonym for “essential equivalence”, or is there an intended difference between these two standards??Common sense would suggest a difference exists: if not, then why tinker with the previous standard?

An analogy is helpful here.?Imagine you are applying for a job.?The hiring manager tells you that they cannot offer you an improved package, but will hire you on an “essentially equivalent” package.?That might be enough to tempt you, assuming you like the new company enough.?However, if the hiring manager instead tells you that they can hire you only on a package that is “not materially lower” than your current package, then this would likely ring a few alarm bells.?You would probably read into this that you are about to be offered a pay cut or reduction in benefits, even if only modest.?At face value, “not materially lower” appears a materially lower standard than “essential equivalence” (no pun intended).

Does that matter??From the EU’s perspective, almost certainly.?Consider onward transfers of EU data from an adequate third country.?To be deemed an adequate third country by the EU, the country in question must (as noted above) have data protection standards that are “essentially equivalent” to?EU standards.?This means that when EU data is imported into the third country it remains protected to an “essentially equivalent” standard, even if that country subsequently onward transfers the data elsewhere.?Consequently, the protection afforded to exported EU data - whether under the initial transfer or a subsequent onward transfer - never diminishes.?(In theory. Some of you may, rightly, point out that this is an oversimplification, and may not, for example, reflect the state of affairs with respect to countries granted adequacy before the EU GDPR became applicable, but let’s ignore that for present purposes).

This comfort is not guaranteed to hold for onward transfers of UK data under the current proposals, however.?Since the proposed UK standard for assessing adequacy is “not materially lower”, a third country deemed adequate by the Secretary of State could have data protection standards that are lower than the UK’s (just not “materially” lower), and these lower standards may extend to its onward transfer rules.?In effect, protection for UK data could diminish, however slight, on the first hop - and then diminish further on subsequent onward transfers to other destinations.?

To illustrate this, consider a series of daisy-chained data exports (i.e. initial transfer from UK to country A, onward transfer to country B, and so on), as might happen within a subprocessor chain.?At each “hop” along the chain, the adequacy standard of “not materially lower” is applied, and so protection for data diminishes at each stage.?While each country’s standards should not be materially lower than those of the immediate predecessor, the cumulative effect across the entire chain could be a material lowering of protection by the time the data reaches its final destination.?

In effect, the UK could be said to be putting a frog in a cold pan of water, and then allowing a series of cooks to turn up the heat - individually, each turning the dial in a “non-material” way but, collectively, the effect will be that someone ends up having frog’s legs for dinner.

C. Criteria for assessing the data protection test

The criteria the Secretary of State has to consider for determining whether a third country’s laws are “not materially lower” than the UK’s are set out in a proposed new Article 45B(2).?For the most part, these criteria have comparable adequacy criteria under the EU GDPR, as summarised and contrasted below:

• Respect for rule of law and human rights - UK GDPR proposal: Art 45B(2)(a); EU GDPR Art 45(2)(a).
• Existence of an "independent" data protection authority - UK GDPR proposal: Art 45B(2)(b) - but no requirement that authority must be “independent”; EU GDPR: Art 45(2)(b)
• Existence of data subject redress mechanisms - UK GDPR proposal: Art 45B(2)(c); EU GDPR: Art 45(2)(a)
• Rules about onward transfers - UK GDPR proposal: Art 45B(2)(d); EU GDPR: Art 45(2)(a)
• Relevant international obligtions - UK GDPR proposal: Art 45B(2)(e); EU GDPR: Art 45(2)(c)
• The constitution, traditions and culture of the country - UK GDPR proposal: Art 45B(2)(f); EU GDPR: No direct equivalent

From this three things are apparent:

(a) Simplification of drafting:?For the most part, the criteria the UK Secretary of State must consider when reaching adequacy decisions are broadly the same as those the EU Commission must consider under the EU GDPR - they’re simply broken out into smaller, easier-to-read subsections.?Nothing wrong with this - indeed, it makes the text more accessible.

(b)?Requirements for data protection authority independence: A crucial difference is that the UK Secretary of State is only required to consider whether the third country has “an authority” responsible for overseeing data protection, as contrasted with the EU GDPR requirement that any such authority must be “independent”.?This appears to suggest that the UK may award adequacy to countries whose data protection authorities are not independent of central government - and whose decisions may, overtly or otherwise, become politicised as a result.?The independence of data protection authorities is a crucial issue for the EU and, indeed, under the EU GDPR, has been enshrined for Member States' DPAs in Article 51 of the GDPR.?Any removal of an independence criteria from UK adequacy assessments is therefore not only controversial in its own right (perhaps reflecting the fact that, in other areas of the Bill, the ICO’s own independence appears to have been diluted), but will almost certainly be a factor in any future review of whether the UK can maintain EU adequacy (see, e.g., Guarantee C of the EDPB’s Essential Guarantees guidance).

(c)?Consideration of “constitution, traditions and culture: Finally, the UK Government proposes to introduce an additional criterion that allows the Secretary of State to consider the “constitution, traditions and culture” of the country in question - no directly comparable criterion exists in the EU GDPR.?Taking account of a country’s constitution - assuming any constitutional privacy rights extend to data subjects who are not citizens of the country in question - in principle seems sensible.?While it may present challenges for countries with unwritten constitutions (like the UK), a country’s constitution is part of its body of law and therefore relevant to an adequacy assessment.?It is less clear, however, that taking account of a country’s “traditions and culture” is as sensible.?Any assessment of a country’s traditions and culture will, almost certainly, be nebulous, ill-defined, and subjective, and so suffer from a distinct lack of certainty - not what you want when assessing protection for human rights. Could, for example, this provision allow the UK to reach an adequacy determination for a country that has minimal legislated privacy rules, based on little more than an assurance that the country’s “tradition and culture” embed a respect for privacy.?An adequacy assessment ought to be based on factors that are more objective and certain.

What’s more important: maintaining adequacy or simplifying exports?

This blog has focused only on proposed changes to the process of making adequacy determinations under the Data Protection and Digital Information Bill, but needless to say there are other important changes the Bill makes to other aspects of data transfer regulation too.?However, what is apparent is that the UK proposes to adopt a lesser standard of adequacy assessment than the EU - allowing countries whose laws are “not materially lower” than the UK’s, who do not have independent data protection authorities, and whose “traditions and culture” are taken as evidence of respect for privacy, to potentially be recognised as adequate under UK law.

These may be standards the UK is prepared to accept in respect of UK data.?It is far less certain that the EU will accept these standards for EU data that is imported into the UK (under UK adequacy) and then onward exported from the UK (under UK adequacy rules).?The purpose of this blog is not to criticise the UK proposals - for what it’s worth, I’m firmly of the view that EU adequacy rules in their present form are excessively strict - but instead to point out that, if the UK Government’s objective is to maintain EU adequacy, then these proposed rules present a material risk to that.?Conversely, if the UK is prepared to risk is EU adequacy determination with the objective of making data export rules simpler for UK data exporters, then this may be a risk it is prepared to accept.

One thing is certain though: any departure from EU standards will inevitably place more burden on multinational businesses who operate across the UK and EU, and who therefore need to familiarise themselves with - and comply with - two sets of rules.?In that scenario, it is most likely that businesses will hold themselves to the higher (i.e. EU) standard, meaning that any such UK reforms may ultimately benefit only SMEs who operate in the UK alone.?And, if that’s the case, then it further begs the question whether proposing such “Brexit dividend” reforms are really in the UK’s interest.

That’s a question Parliament will have to debate throughout the passage of this Bill.