Chris Middleton explains how data adequacy is within our grasp – if the UK would stop playing political games with its allies.

A formal data adequacy agreement between the European Union and UK moved a step closer on 19 February, with an announcement of two draft decisions by the European Commission (EC).

Data adequacy – recognition of the UK’s regulatory equivalence and safety for data processing – is essential for the transfer of data between the UK and EU to continue unhindered post-Brexit.

This is critical to the ongoing success of UK financial services, and that of countless other sectors.

In a statement released on Friday, the EC said,

“Today, the Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive.

“The publication of the draft decisions is the beginning of a process towards their adoption. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed [sic], the Commission could proceed to adopt the two adequacy decisions.

“Over the past months, the Commission has carefully assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities. It concludes that the UK ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR) and, for the first time, under the Law Enforcement Directive (LED).”

The British government welcomed the announcement, saying,

“Today’s draft decisions follow months of discussions and pave the way for continued free flow of data between the EU and the UK.

“The UK now urges the EU to fulfil its declared commitment to complete the technical approval process swiftly, so that we have final data adequacy decisions as soon as possible. This will provide certainty for businesses, enable continued cooperation between the UK and the EU, and will ensure law enforcement authorities can keep our citizens safe.”

However, the government then appeared to begin scoring political points, by adding:

“The UK has a world-class data protection system, currently the same as the European Union’s, so it is logical that the Commission should find the UK ‘adequate’.”

This clearly implied that the EU’s use of the words ‘adequate’ and ‘adequacy’ was in some way pejorative or insulting, whereas in fact data adequacy is a long-accepted legal concept and a phrase used by both sides.

The Information Commissioner’s Office (ICO) has been issuing statements about the challenges of reaching data adequacy since the Brexit referendum. From the beginning, the ICO warned that it would be a long, drawn-out process, given the need for 27 sovereign member states to agree.

A positive data adequacy decision under both GDPR and the LED would allow personal data to continue flowing freely, not only from the EU to the UK, but also from the European Economic Area (EEA).

This is critical, as a lot of UK data is held, processed, or transferred to and from data centres right across Europe, including those run by most large cloud services providers.

In these data centres are data belonging to the UK government, the NHS, charities, and businesses of every size, so the lack of data adequacy is an economic landmine in a field that is already full of them. Jumping on those landmines for short-term political point-scoring would seem inadvisable.

“Technical confirmation of the draft adequacy decisions will help make sure UK businesses and organisations […] can continue to receive personal data from the EU and EEA without additional compliance costs,” acknowledged the government’s response.

“This ensures they will avoid potential knock-on effects for consumers and boost UK startups and smaller firms which operate in EU markets and sell to EU customers.”

However, the UK then ramped up the rhetoric once again:

“The UK formally provided the Commission with comprehensive explanatory material nearly a year ago at the start of the adequacy assessment in March 2020.

“The UK has already recognised the EU and EEA member states as ‘adequate’, as part of its commitment to establish a smooth transition for the UK’s departure from the bloc and manage data flows on an objective basis.

“The UK made its representations to the EU in a timely manner, but the Commission did not finalise draft decisions in time to complete the adoption process by the end of the transition period.

“For this reason, as part of the UK/EU Trade and Cooperation Agreement, a time-limited ‘bridging mechanism’ for personal data flows was agreed. This currently allows personal data to continue to flow as it did before the end of the Brexit transition period for up to six months, while the EU completes the adequacy process.

“The UK government now urges the EU to swiftly complete this technical process for adopting and formalising these adequacy decisions as early as possible.”

Those demands are not unreasonable, but the EU can hardly be blamed for caution or for dragging its feet. In January 2020, the UK’s exit from the bloc was heralded by unusually aggressive statements from the then Chancellor, Sajid Javid, who said that the UK planned to diverge from European rules and regulations.

In an interview with the FT, Javid suggested that there would be no alignment with EU rules after the transition period.

“There will not be alignment, we will not be a rule taker, we will not be in the single market and we will not be in the customs union, and we will do this by the end of the year,” he said.

His incendiary comments were echoed by Foreign Secretary Dominic Raab, who told the BBC that alignment was “not even on the negotiating table” in what he then saw as an emerging Canada-style deal.

The CBI was among several organisations urging the government last year not to treat the right to diverge from EU regulations as an obligation to do so.

At a Wesminster eForum on data protection in February 2020, Patricia Christias, Head of Legal at Microsoft UK – a major cloud provider to the government – said,

“Superficially, it makes a ton of political sense why it’s an attractive proposition for ministers to present the post-Brexit Britain as this low-regulation, ‘rule-making not rule-taking’, light-touch environment. We get that.

“But there are several reasons why it’s not a good idea to divert from the strict data protection rules in Europe. The first is economic. The modern UK economy has revolved around the provision of data-intensive services as manufacturing has declined.

“Service sectors such as banking, retail, and hospitality accounted for 81 percent of total UK economic output in 2018, so to develop the regulatory structure around that economy in a way that disregards, or worse, damages services would be an act of economic self-harm.

“It would be like Britain in the Industrial Revolution turning its back on the manufacturing sector.”

Writing in the Telegraph prior to the 2016 referendum, Javid acknowledged the UK’s reliance on EU trade in a piece that strongly backed the Single Market.

He concluded, “Of the trade agreements the EU has with more than 50 countries around the world, not one gives service industries the same level of guaranteed access as the Single Market. Not one. […] And that’s because services are complex and highly regulated.

“Unless the exporting country submits to the importing country’s rules and local regulator, access will be denied. Maybe the EU will break the habit of a lifetime and come up with something new just for us.”

So the government’s comments since then would appear to be a case of performative outrage.

Back in the present day, Stephen Kelly, Chair of Tech Nation, offered a balanced and upbeat assessment of the important relationship between the EU and UK: “The international transfer of personal data is critical to UK Tech, particularly sectors such as FinTech, which has expanded rapidly by unlocking the power of data.

“What’s more, the data economy makes up about four percent of national GDP and is predicted to be worth $130 billion by 2025, making the UK a global hub for data flows.

“The positive adequacy decision between the UK and the EU therefore brings great news to the tech sector, following months of waiting and contingency planning in the bridging period. It supports the continued growth of tech scale-ups and the position of the UK as a global leader in data-driven technologies.”

The UK would be well advised to remember statecraft and statesmanship at this critical point in its history, and to stop behaving like an angry backbencher. Too much relies on data adequacy to inflame relations with our trading partners any further.

The UK’s need for better relations with its European trading partners has been put into sharp relief. Reports from the FT and Reuters last week revealed that Amsterdam has displaced London as Europe’s biggest share-trading centre this year.

According to Reuters, Amsterdam has also overtaken London to become Europe’s number one corporate listing venue, and the leader in euro-denominated interest-rate swaps – a vastly lucrative market.

Meanwhile, according to Bloomberg nearly a trillion dollars of banks’ assets have been pulled out of the UK since the 2016 referendum.