Most Favoured Nation: Feeling Inadequate
Northern Ireland and data flows, state of digital trade, India, and the Rapid Response Labor Mechanism
Welcome to the 113th edition of Most Favoured Nation. The full post is for paid subscribers only, but you can sign up for a free trial below.
On 28 June 2021, the European Commission adopted two data adequacy decisions (under GDPR and the Law Enforcement Directive), allowing the personal data of EU citizens to be transferred to, and processed in, the UK.
This was good news for … pretty much every business that handles EU personal data in the UK.
As part of the Commission’s efforts to keep Austrian privacy campaigners, and the European Court of Justice, from questioning the legitimacy of the decisions, it included a sunset clause, which limits the duration of the decisions to four years unless a it decides to renew.1
A renewal can only happen if the Commission deems that the “UK continues to ensure an adequate level of data protection”.
The fragile nature of the unilateral Commission adequacy decision has led to quite a lot of fretting among businesses and [some] officials. Much of this fretting is driven by changes the UK plans to make to its EU-inherited Data Protection regime via the Data Protection and Digital Information (No. 2) Bill, which is currently making its way through the UK Parliament.
As the UK government is keen to point out (rightly), EU data adequacy is not necessarily contingent on full alignment with EU rules. The EU has adequacy with many countries that do not have the exact same rules as the EU, for example, Japan, South Korea, Israel, New Zealand and most recently, the US.
BUT. And this is an important “but”. The EU does not necessarily treat the UK the same way as the other countries named due to size, proximity, and lingering Brexit tensions.
All of which is why this new paper, commissioned by Northern Ireland’s Department for the Economy, is so interesting. The paper, which looks at risks to cross-border transfer of personal data, identifies four key areas of change under the Bill that could threaten UK data adequacy:
Independence and Political Influence: Changes related to independence and political influence have the potential to threaten UK adequacy status. This is likely the most significant risk to adequacy contained in the DPDI (No 2) Bill.
Access to Effective Individual Remedies: The dilution of the individual right to lodge a complaint in favour of a shift to more strategic enforcement has the potential to undermine the UK adequacy decision.
Onward Transfers of Personal Data: The DPDI (No 2) provision for onward transfers is likely to be subject to intense scrutiny by the Commission. Additional assurances and safeguards aligned with EU standards are likely to be required.
Changes to the rights of individuals and other societal safeguards: Taken individually, these changes are likely to be acceptable on the basis that the standard of adequacy is essential equivalence and not identical protection. That being said, the changes could be viewed as contributing to a general degradation in data protection rights and that could go against the UK in a holistic assessment of adequacy.
The Northern Ireland dimension of data adequacy has always been fascinating. While it never really made its way into newspaper headlines, the ability to move personal data freely between Northern Ireland and Ireland is essential to keeping trade flowing freely. Companies —particularly SMEs — rely on it, and the absence of adequacy could complicate elements of the Windsor Framework, for example, livestock traceability.
My general view on this is that — at the political level — so long as EU-UK relations are okay, the adequacy decision should also be okay. But I do worry somewhat about the ECJ, which is not to be trusted on issues such as this.