The UK National Data Strategy has landed just as the country is at a final knotty juncture of the Brexit withdrawal process. It aims to set out how Britain will unlock the value of data to increase productivity and growth.
The strategy is vocal about the importance of privacy and ethics in the collection and processing of personal data and recognises that trust is essential to leverage data and to cultivate a culture of sharing. Nevertheless, the general spirit underpinning it is very much one of Britain carving out rules for itself through a ‘pro-growth’ digital regime, which includes a choice over the data protection landscape post-Brexit. The strategy makes clear that data sharing needs to override the high risk-aversion caused by ‘unnecessary complexity or vagueness in the regulatory environment’ – a statement that leaves no ambiguity about where the UK priorities lie.
There are at least two possible outcomes I can foresee from this positioning, and they pose different risks to the adequacy process Britain is currently going through. A positive adequacy decision, based on an assessment of data-protection levels, would permit cross-border data transfer outside the EU, to the UK.
One outcome could be that Britain’s privacy laws change over time, in which case it will be difficult to grant the adequacy status Britain is seeking for data to flow freely between the EU and UK. Alternatively, Britain could continue to adhere to the GDPR as enshrined in the UK Data Protection Act 2018 and, mostly importantly, commit to guaranteeing ‘essential equivalence’ in the treatment of data subjects moving forward.
There is, of course, a fundamental sticking point to resolve before adequacy could be agreed: the question of how it would be possible to deem Britain adequate at this point in time, where it is already known that the laws are going to change in the future?
The second challenge to the adequacy process concerns the US: Britain’s focus on boosting international data flows comes at a delicate moment regarding data transfers to the US (and beyond). The Schrems II ruling, issued by the European Court of Justice in July, invalidated and cast aside the Privacy Shield, which was the tool used by many companies to transfer data between the EU and the US. The ruling also directed that additional safeguards be included in the Standard Contract Clauses (and other mechanisms as a consequence) to ensure that the personal information of European citizens is not caught by surveillance agencies when transferred to the US.
To understand the background one needs to look back to 2013, when Edward Snowden revealed the far reach of NSA surveillance. At that point, after discovering the PRISM programme and other forms of spying, Max Schrems, a privacy rights advocate, filed a complaint against Facebook Ireland arguing that, given the breadth of US surveillance, his data was not adequately protected in the United States. In 2015, the Schrems I case ruled that the European Commission’s adequacy determination for the US-EU Safe Harbor Framework was invalid, and this led to the creation of the EU–US Privacy Shield. The Shield was invalidated by the Schrems II ruling.
The reaction to Schrems II has been interesting to watch. Businesses have (correctly, in my view) pointed out practical complexities around the implementation of the guidance issued by the European Data Protection Board to support organisations with identifying potential additional measures to protect their transfers. Commentators have rushed to identify the political reasons underpinning these events, including a soft drive to localise data as part of the global digital race, which is certainly a key component, and one that emerges also from the very recent Digital Services Act draft published by the European Commission. Anthony Gardner, former US Ambassador to the EU, felt moved to tweet: ‘Time for Max Schrems to make clear who has been financing his court cases. I doubt they have all been crowdfunded. Funny how he doesn’t seem to care about misuse of EU citizens’ data by Russia or China’.
Solving how an adequacy recognition by (and cooperation with) the EU may operate alongside Britain’s commitment to free flow of data with the US after Schrems II is by no means easy. There is speculation about how it may impact on the negotiations around adequacy status, which will, in turn, affect the viability of the many EU-based organisations that rely on EU-UK data flows for their operations.
Meanwhile, the data protection landscape is changing, and in many different ways:
- Firstly, data protection is increasingly aligned with security. At the global level, what is emerging is a strong link between data residency and national security in the face of cyber threats, often coming from foreign actors.
- Second, running counter to the call for data localisation is the phenomenon of global alignment of data protection law and practice. This, to me, is the most interesting aspect of this whole story. When the Schrems I ruling kicked in, the world was very different, particularly because China’s extensive surveillance practices were not yet a global concern from a privacy and human rights standpoint. (The repercussions of China entering the geopolitical dynamics underpinning data are now in full swing, as the concerns around Huawei) Data protection laws were certainly sparser then than they are now. The recent approval of the amendments to CCPA in the US is a clear sign that privacy protection is not only a European matter. All over the world, privacy laws are being approved and strengthened, from China to Brazil and New Zealand. When Schrems I came into force, it was a clear sign of incompatibility between the EU and US conceptions of privacy: is this still the case?
- Lastly, artificial intelligence and machine learning have become more reliant on data sharing to train algorithms, and recently the pandemic has shown that harnessing data is key to resolving global challenges. The perception around data sharing has changed, as citizens realise how interconnected and interdependent they are, which has happened alongside an increased awareness of rights and control.
All the above lead in my view to a question that is fundamental if Britain is to move forward with regard to privacy standards. How can we reconcile data protection and digital protectionism in a context where privacy protections are aligning at a global level? In other words, is Britain going to diverge from EU privacy standards at the exact time where both the EU and US are perhaps coming closer over privacy?
The crucial issue is that the US privacy law landscape will change regardless of whether a Privacy Shield II emerges to counter the issues raised in the Schrems II ruling. It is true that the focus of the ruling itself is around surveillance laws and how they impinge on the rights of those whose data is being shared outside the EU. However, addressing this seems to be more related to politics than to the law. Namely, is there the political will to establish a federal legislation and a data protection agency to cater for the needs of businesses and level up global protection to help commerce run smoothly?
This is yet to be seen, especially as we now have a new US administration. And we must be aware that data protection is not the only area of EU–US alignment. More recently, data protection and competition laws have been operating closely together, with access to personal data being viewed as instrumental for companies to compete globally. Actions are being announced in both the UK and the EU to try to curb big tech’s power to consume data and so hamper the competition needed to innovate.
In addition, it is worth noting that on 2 December 2020 the European Commission and the EU foreign affairs office greeted the new Biden administration with the olive branch of a joint statement entitled ‘A new EU-US agenda for global change’. This paper meditating on European digital sovereignty recalls the strong relationship between the two powers and sets out principles for a new transatlantic agenda, not least in the digital field. Interestingly, the paper argues that there is an ‘unprecedented window of opportunity to set a joint EU-US tech agenda.’
The key question for post-Brexit Britain is how it can assert itself as a global player, while diverging from EU standards at a time when privacy, competition and data protection seem to be finding a new global alignment. While it is true that data localisation can be risky and hard to achieve without imposing high costs and efficiency losses, this threat can also be a driver for alignment. Alignment has the potential to bring together citizens’ expectations and business requirements, and this is the area where global leadership is most urgently needed.
This article is the second article in a series on the geopolitics of data regulation, exploring questions arising from the UK’s National Data Strategy, transition from the EU and new regulations, and the impact of the incoming Biden administration on Anglo-Euro-US cross-border data transfer.
Ivana Bartoletti is a privacy and data protection expert, author of An Artificial Revolution: on Power, Politics and AI and founder of the Women Leading in AI Network.