The UK government has warned of the risks of the Internet being ‘Balkanzied’ by the application of different rules in different geographies, suggesting that data localization efforts could throttle competition and innovation and weaken security.
It makes the warning in a negotiation position paper drawn up as it’s seeking to engage in separating itself from the 28-Member State bloc known as the European Union — in order that it can, er, make its own rules in future. RIP Great British Irony.
“In an ever more connected world, we cannot expect data flows to remain confined within national borders. Moves towards data localisation, or the Balkanisation of the internet, risk stifling the competition, innovation and trade which produce better services for consumers, and can weaken data security,” it writes.
“Global leadership and standards are needed to ensure that individuals can have confidence that their data is being appropriately protected wherever they choose to access goods or services, but not in such a way as to undermine the provision of those goods or services, including on a cross-border basis.”
On the data protection front, the UK’s digital minister, Matt Hancock, confirmed back in February that the country’s great big data protection idea is to largely mirror the EU’s rules — to avoid the risk of data flows coming to an abrupt end in 2019 when the UK concludes the two-year process of leaving the EU. Brexit leading to a data cliff edge would result in wanton damage and disruption being rained down upon domestic businesses, consumers, and law enforcement agencies alike. Hence the government being so keen to avoid it.
This includes implementing the EU’s incoming GDPR (General Data Protection Regulation), which sets out stricter penalties for mishandling personal data — and which the UK has said it will transpose into national law via a new UK Data Protection Act (and the repeal of the existing Act to avoid any conflicts).
In any case, as an ongoing EU member until 2019, the UK is legally bound to ensure GDPR comes into force domestically in May 2018.
In the newly published position paper — which is entitled: “The exchange and protection of personal data” (and optimistically subtitled: “a future partnership paper”) — the UK claims to have played an influential role in shaping GDPR’s updating of the EU’s digital data rules — writing that “GDPR takes a more risk based approach than had previously been adopted, with the result that certain obligations with which data controllers must comply are proportionate to the risk posed by the data processing activity”.
Thing is, last month a UK parliamentary report warned the country risks losing influence in setting future EU data protection rules after brexit. Ergo, it seems unlikely, post-brexit, the UK will be positioned to wield such EU-wide legislative influence again.
Although the government can here by seen peddling very hard to put an alternative spin on things — claiming that after leaving the EU, the UK will “continue to play a leading global role in the development and promotion of appropriate data protection standards and cross-border data flows” and will thus “work alongside the EU and other international partners to ensure that data protection standards are fit for purpose”.
It avoids making the point that, currently, it’s the EU setting the gold standard globally for data protection — via the GDPR — which requires any business, located anywhere in the world that wants to do business with EU citizens to comply with the bloc’s rules. Which is forcing non-EU companies to rethink their data holdings to push privacy considerations forward.
(And if the EU is leading here, while the UK is leaving the EU, it seems counterintuitive — to say the least — to interpret that as an enhancement of the UK’s global influence.)
In the position paper the government does flesh out in slightly more detail its current wishlist pertaining to personal data rules, post-Brexit — suggesting it’s hoping for a so-called ‘adequacy decision’ from the EU. This refers to a certification, agreed by the EU, that a third country (as the UK will be after brexit) provides a standard of protection that is “essentially equivalent” to the bloc’s own data protection standards.
The government also wants “mutual agreement” to recognize each others’ data protection frameworks “early in the process” — i.e. after the UK’s exit — also to avoid a data flow cliff edge. (A transition will be necessary to give time for an adequacy decision to be agreed after it has exited. Though the UK specifies it also wants agreement over the timeframe for negotiating “longer-term arrangements” — so apparently it does not want an open-ended transition.)
It also says it intends to liaise with third countries that already have adequacy arrangements with the EU (which would include the US) — to seek transition arrangements there too, also so that data can keep flowing (e.g. between the UK and the US).
“The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal,” it writes.
It’s also hoping to secure “continued” regulatory participation for the ICO, within Europe, while keeping the keys to domestic DP policy solely on UK soil — writing on this: “The UK would be open to exploring a model which allows the ICO to be fully involved in future EU regulatory dialogue. An ongoing role for the ICO would allow the ICO to continue to share its resources and expertise with the network of EU Data Protection Authorities, and provide a practical contribution at EU level which will benefit citizens and organisations in both the UK and the EU.”
In the paper the government also particularly specifies that a UK-EU model for exchanging and protecting personal data must respect “UK sovereignty” — which it flags as including “the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection”.
(The government has previously made it clear it wants to withdraw the UK from the jurisdiction of the European Court of Justice, though this data position paper offers no thoughts on what alternative ultimate arbitration authority it is envisaging to take over the ECJ’s role when it comes to data protection issues.)
The security point there especially suggests a potential future sticking point for negotiations between the two sides, given recent European Court of Justice decisions have rejected blanket data retention policies being used by governments to further law enforcement and national security agendas — as a violation of EU citizens’ fundamental rights.
The UK controversially legislated last year to expand and extend state surveillance powers, via the Investigatory Powers Act. A move that is already facing legal pushback domestically, with digital rights group Liberty pursuing a challenge in the UK High Court.
Meanwhile the year-old EU-US Privacy Shield agreement, which was put in place last year as a replacement mechanism for governing personal data flows between those two regions (after the ECJ invalidated its predecessor arrangement), is already looking precariously placed, and critics maintain the agreement has merely papered over a fundamental disconnect between EU privacy rights and US government national security data collection programs.
Similar troubles may well be brewing for the UK government on account of its demonstrable appetite for sweeping state surveillance powers — when, outside the bloc, it too risks butting up against EU citizens’ fundamental privacy rights.
Even as it’s hoping to secure EU agreement that its domestic data protection rules are “essentially equivalent” to those offered within the bloc.
It doesn’t take a magnifying glass to spot some sticky issues there.
On the EU’s process for adequacy decisions, one rather ominous paragraph in the position paper lists various barriers, noting: “There is no set timeframe for the adequacy decision process. Once proposed, the decision needs to be confirmed by a panel of representatives from EU Member States, and the Commission can revoke the adequacy decision in the future. Adequacy decisions may also be invalidated by the CJEU.”
Regardless, the government’s position appears to be to say security is its sovereign right and hope the EU will find the legal wiggle room to accommodate it.
“Given that the UK will be compliant with EU data protection law and wider global data protection standards on exit, and given the important role of continued regulatory cooperation as part of a future economic relationship, the UK believes that a UK-EU model for exchanging and protecting personal data could provide for regulatory cooperation and ongoing certainty for businesses and public authorities. This could build on the existing adequacy model,” it suggests.
And while it further notes the EU’s data protection framework includes a number of alternative legal bases for transferring personal data out of the European Economic Area — i.e. other than securing an adequacy decision — it warns these “would be more burdensome for businesses and public authorities in both the UK and the EU”, and adds that: “[It] would represent a missed opportunity to build a new partnership that reflects the close alignment of our data protection frameworks.”
It’s also worth noting that even some of these alternative legal bases are themselves facing legal challenges after data protection agencies expressed concern over their robustness, following the 2015 Europe Court of Justice decision to strike down the original Safe Harbor data transfer arrangement. So Brexit is by no means the only uncertainty in play here.
To date, the EU has adopted 12 adequacy decisions under its existing data protection directive, including the aforementioned agreement with the US (which covers certified companies), and one with Canada (for transfers to commercial organisations subject to a Canadian data protection act). All arrangements are subject to routine review.
The EU-US Privacy Shield is due to get its first review next month — and European DPAs have been visibly sharpening their claws.