Powers granted to UK ministers under the EU Exit Regulations allow them to determine or revoke data adequacy decisions with little to no parliamentary scrutiny, and could jeopardise the UK’s ability to share data with Europe, experts have told Computer Weekly.
As the UK’s negotiations with the EU continue to be mired in disagreement, concerns are growing over the ability to exchange data freely between the two, which rests on the UK government’s ability to secure a data adequacy decision from the EU.
Without such a decision, UK companies could face difficulties in exchanging data with their EU subsidiaries, or with customers and suppliers. Experts fear that UK legislation, if used, could undermine the prospects of such a decision being made.
Introduced in February 2019, the EU Exit Regulations transfer the adequacy decision-making powers of the European Commission (EC) to UK ministers, who, through the use of a statutory instrument, will be able to avoid any serious scrutiny from Parliament.
This is because the instrument (a tool for creating secondary legislation) is subject to the “negative resolution procedure”, which means once it is signed off by the relevant minister, it becomes law unless it is actively annulled by Parliament within 40 days.
Although any MP can table a motion for annulment (referred to as a “prayer”) within this period, the government is under no obligation to debate it in the House of Commons and, according to the Institute for Government, while the “negative procedure gives Parliament a theoretical veto over secondary legislation, in reality this power is rarely used”.
It added: “The last time the House of Commons prayed against secondary legislation was in 1979, while the Lords have not rejected a negative instrument since 2000.”
The regulations say the secretary of state must monitor developments in the adequacy jurisdiction “on an ongoing basis”, and that a review must be carried out “at intervals of not more than four years”.
In contrast, under the current legislative framework of the EU, the adoption of an adequacy decision – which determines whether a country outside the EU offers an adequate level of data protection and therefore whether data can be shared with it – requires input from multiple bodies.
This includes an initial proposal from the EC, which is then reviewed by the European Board of Data Protection and voted on by a committee of member state representatives, before going back to the EC for final approval.
At any time, either the European Parliament or Council can request that the EC maintain, amend or withdraw the adequacy decision if they decide it exceeds the EC’s implementing powers.
Lack of accountability
According to Nick Dearden, director of Global Justice Now (GJN), as the government takes on powers previously invested in the EU, “they are not translating the democratic or accountability mechanisms at all”.
“I just find it absolutely extraordinary, given that one of the arguments about the EU was how undemocratic it was, that we find ourselves in a situation where government ministers are able to take sweeping powers that wouldn’t have been possible in the EU,” Dearden told Computer Weekly.
“Clearly, we’ve got a government here that is not interested in democratic accountability at all. That would be an enormous problem at the best of times, but it is particularly a problem at a time when we are transferring powers from one place to another, ie into their hands, because what it means is they’re building a whole system which is undemocratic, and we simply don’t have the checks and balances there to rein them in at the moment.”
The Exit Regulations also give ministers power to create new standard contractual clauses (SCCs) that they consider to provide an appropriate level of data protection, which could also be used as the legal basis for data transfers to non-adequate jurisdictions or entities.
In July, a landmark ruling by the European Court of Justice (CJEU) that struck down the US-EU Privacy Shield data-sharing agreement also cast doubt on the legality of using SCCs as the basis for international data transfers, finding that although they were legally valid, companies still have a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.
While various European data protection and privacy regulators are in the process of deciding what appropriate SCCs would look like in the wake of the CJEU ruling (colloquially known as Schrems II after the Austrian lawyer who launched the case), the same negative resolution procedure would apply to UK ministers when creating their own SCCs, which means they could potentially create their own standards, again without proper parliamentary scrutiny.
Speaking to Computer Weekly, Javier Ruiz Diaz, an independent digital policy consultant who previously worked as the policy and campaign director of the Open Rights Group, said the transfer of power from Brussels to Westminster is “not a like-for-like transfer”, because despite valid criticisms that many have of the EU’s bureaucracy, the checks and balances in place tend to foster higher levels of engagement in the process.
“On the one hand, this model is detached from ordinary citizens, but on the other, because of that detachment, they have many [more] formal processes of engagement than you have in the UK,” said Ruiz Diaz, adding that there are concerns that the UK is more interested in prioritising data flows and trade over data protection.
“From everything we know from the government, they really want to have this new cutting-edge, algorithmic, AI, data-driven UK,” he said.
In its recently published National Data Strategy, the government pledged to eliminate the “real and perceived legal and security risks of sharing data”, which it claimed would help to deliver a “radical transformation of how the government understands and unlocks the value of its own data”.
According to reports in The Guardian, EU sources said the data strategy had exacerbated existing concerns over the UK’s approach at the end of the transition period.
“We will also facilitate cross-border data flows by removing unnecessary barriers to international data transfers that promote growth and innovation,” said a consultation paper accompanying the data strategy, which also asks respondents which countries are priorities for future UK data adequacy arrangements.
Echoing Ruiz Diaz, Dearden said: “There is a particular worry when it comes to data protection because we know this is an area that the British government wants to move on, potentially watering down standards.”
While ministers do have the possibility of making new adequacy decisions or SCCs, doing so would make it harder to be deemed adequate by the EU itself.
Phil Lee, a partner in law firm Fieldfisher’s privacy, security and information group, told Computer Weekly that after the transition period ends, the UK will no longer be subject to EU law, and once the General Data Protection Regulation (GDPR) is copied into the UK statute books, it is up to the government how it develops from there.
“Because we will be sovereign, we can choose which countries we want to bestow adequacy upon,” he said. “For those reasons, we could choose to bestow adequacy on entirely different countries from those that the EU has recognised as adequate.
“But if we do that, it will inevitably impact our standing with the EU and whether the EU considers us safe to receive EU data, because the concern would be that you can simply transfer data to the UK, and then onward transfer it from the UK to countries that the UK would consider adequate, but the EU doesn’t.”
Although it is already uncertain whether the UK will be deemed adequate by the EU, largely because of its intrusive surveillance laws, such as the Investigatory Powers Act and membership of the Five Eyes Alliance, Ruiz Diaz said he is hearing concerns that some in government “realise that European adequacy from the EU may not be worth it from their point of view”.
He added: “If you read between the lines on the government’s stated data ambitions, a lot of it isn’t compatible with an adequacy decision.”
GJN’s Dearden added that maintaining the same GDPR standards, and therefore adequacy with the EU, “is something they’re potentially going to compromise in order to get an American trade deal, or a trade deal with various other countries”.
“That will make it harder for us to trade with the EU, but as far as I can see, that’s the path they’re most likely to go down,” he said. “For them, the whole point of getting out of the EU was to get out of the standards and protections that have been negotiated over the years by that bloc.
“The standard the British government are looking at is one that benefits the big-tech private sector – and they are prepared to forgo the relationship with the EU and the trade networks that have been built up over time to get that.”
Referring to the US-UK trade documents leaked in November 2019, Ruiz Diaz said: “The US is quite openly hoping to use the UK to weaken European data protection.” He added that this should all be considered in the context of a “geopolitical battle over the global digital economy” between the regulatory models of Europe, the US and China.
But he also said the EU and the UK were essentially locked in a game of regulatory chicken, a situation of “who moves first”.
“Say the UK gets adequacy itself – and that’s a big if at the moment – that would tie the UK government’s hands in terms of what it could do,” said Ruiz Diaz, while also agreeing with Lee that should the UK start making adequacy decisions elsewhere, it would tie the EU’s hands too.