Tech News
Lords committee warns about risks of the UK losing its EU data adequacy
British businesses and public sector organisations are at risk of facing significant additional costs if the UK loses its ability to smoothly transfer data to the European Union (EU), according to a cross-party House of Lords committee.
In June 2021, the European Commission granted “data adequacy” to the UK after its departure from the EU, allowing the unrestricted flow of personal data to and from the EU to continue. However, there is a warning that this decision could be reversed if future data protection laws in the UK diverge significantly from those in Europe.
As the UK became a “third country” under the EU’s regulations upon exiting the EU, the European Commission will need to regularly assess whether the UK maintains an essentially equivalent level of data protection for data belonging to EU citizens.
By the end of June 2025, the European Commission will have to make two separate adequacy determinations under the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), both of which were integrated into UK law through the Data Protection Act 2018.
Following a seven-month inquiry into the UK’s EU data adequacy, the European Affairs Committee (EAC) has written to the digital secretary Peter Kyle, urging the government to initiate early discussions with the EC to ensure that the UK maximizes its chances of securing a data adequacy agreement in the first half of 2025.
The committee highlighted the potential consequences of losing adequacy status, including creating new obstacles to international trade and economic cooperation, imposing additional costs and administrative burdens on organizations that share data between the UK and the EU (especially in areas like policing and healthcare), and the risk of disrupting the Good Friday Agreement.
Additionally, the EAC pointed out the substantial financial implications of losing adequacy, stating that while GDPR compliance itself can be costly, the loss of data adequacy could result in significant financial penalties for many organizations.
For instance, estimates suggest that the NHS alone could face costs amounting to tens of millions of pounds if adequacy is lost, and UK businesses could incur additional compliance expenses ranging from £1 to £1.6 billion if adequacy status is not secured.
The EAC emphasized the value of adequacy in reducing administrative burdens and compliance costs, enhancing legal certainty, and making the UK a more appealing location for investment and business operations.
Committee chair Lord Ricketts warned of a potential cliff-edge situation in June 2025 if an agreement is not reached with the EU to maintain the free flow of data. He stressed the importance of data exchange in supporting trade, economic ties with the EU, and collaboration between law enforcement agencies.
To address the uncertainty surrounding its future adequacy status, the EAC recommended that the government engage with the European Commission and other EU stakeholders early on to ensure a positive trajectory for the adequacy renewal process and provide reassurance promptly regarding the retention of adequacy status.
The committee also advised the government to explore the possibility of securing future adequacy renewals from the European Commission that do not expire after a fixed period and to engage with the EU in a timely manner to explain and offer reassurances on any planned data protection reforms.
In response to Computer Weekly’s request for comment on the EAC’s letter, a DSIT spokesperson stated that the science secretary has held discussions with EU commissioner Reynders regarding the upcoming EU personal data adequacy review of the UK and ensuring the secure continuity of personal data flows from the EU to the UK. Officials will participate in technical discussions with EU counterparts as needed to support the review process.
New UK data protection laws
The EAC’s letter acknowledged that while much of the evidence presented during the inquiry focused on the previous government’s Data Protection and Digital Information Bill (DPDI Bill), which was dropped from the legislative agenda before the general election, the new government’s proposed Digital Information and Smart Data (DISD) Bill addresses similar issues.
The DISD, introduced to Parliament as the Data Use and Access (DUA) bill on October 23, 2024, will amend the UK’s implementation of the GDPR and LED once passed.
The adequacy decision by the EC will depend on the specific provisions of the DISD Bill, which was published online on October 24. The EC will assess whether the framework offers an essentially equivalent level of data protection for EU citizens’ data.
Following the Court of Justice of the European Union (CJEU) invalidating the EU-US Privacy Shield data-sharing agreement in July 2020, the ruling emphasized the need for equivalent data protection standards when transferring data to the US and other countries, as outlined in the GDPR and the European Charter of Fundamental Rights.
Lord Ricketts highlighted the importance of maintaining adequacy status despite the need for potential reforms to improve GDPR under the new Digital Information and Smart Data Bill.
Lord Clement-Jones expressed concerns about the fragility of the UK’s data adequacy situation and emphasized the importance of resisting significant changes to the UK GDPR proposed by the previous government. Proposed changes included relaxing requirements around data protection impact assessments, data protection officers, and automated processing, as well as giving the secretary of state the authority to appoint the information commissioner directly.
Threats to adequacy
The EAC identified two distinct potential hurdles to the UK’s data adequacy: the EC’s renewal decision and the possibility of a legal challenge at the CJEU against a positive renewal decision.
While the EC is likely to renew the UK’s adequacy status due to various factors, including economic benefits, alignment with GDPR, and political imperatives, the greater risk lies in a legal challenge at the CJEU.
Witnesses highlighted the CJEU’s strict stance on privacy rights and its role in striking down previous adequacy arrangements with the US, raising concerns about the court’s approach to data protection.
The EAC suggested that in the event of losing adequacy status, immediate “workarounds” would be necessary to avoid disruptions and buy time to restore adequacy. Alternatives such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) were proposed, although doubts were cast on the effectiveness of SCCs following the Schrems II ruling.
Owen Sayers, an independent security consultant, pointed out the structural differences between GDPR and LED adequacy and cautioned against collapsing the distinction between the two in practice.
The EAC highlighted several areas of interest to the EC and CJEU, including potential divergence on data protection standards, government actions on encryption, the effectiveness of the Information Commissioner’s Office, national security measures under the Investigatory Powers Act 2016, and legal cases that may impact UK data protection standards.
The EAC also raised concerns about onward transfers of data from the UK to other third countries, such as under the UK-US Cloud Agreement, urging government and public services to review their data governance practices ahead of expanding tech adoption.
The police cloud issue
The use of US-based public cloud services by UK police and the criminal justice sector poses a significant challenge to the UK’s LED adequacy, particularly due to the potential for remote data access and transfer to non-adequate jurisdictions.
Concerns have been raised about the deployment of hyperscale public cloud infrastructure by UK policing, with reports of unlawful data processing in Microsoft 365 by multiple UK police forces.
Issues around the Scottish government’s Digital Evidence Sharing Capability (DESC) service, hosted on Microsoft Azure, have raised legal and compliance concerns, including risks related to US government access via the Cloud Act and data sovereignty.
Discussions between Microsoft and Scottish Police Authority revealed challenges in ensuring data sovereignty and compliance with UK-specific data protection requirements, highlighting broader concerns about data protection in public cloud systems used for law enforcement purposes.
The ICO’s guidance on police cloud systems and potential data transfer mechanisms have been questioned by data protection experts, citing uncertainties around compliance with law enforcement-specific rules under the DPA.
The EAC’s examination of UK’s LED compliance and operational practices revealed discrepancies that may impact the UK’s adequacy status, emphasizing the need for adherence to domestic data protection laws in practice.
Addressing the governance issues around police data protection and technology deployment is crucial to maintaining adequacy and ensuring trust in the handling of sensitive data.
-
Motivation5 months ago
The Top 20 Motivational Instagram Accounts to Follow (2024)
-
Tech News5 months ago
Bangladeshi police agents accused of selling citizens’ personal information on Telegram
-
Destination1 month ago
Singapore Airlines CEO set to join board of Air India, BA News, BA
-
Self Development5 months ago
Don’t Waste Your Time in Anger, Regrets, Worries and Grudges
-
Tech News3 months ago
Mastering data privacy in the age of AI
-
Guides & Tips4 months ago
Satisfy Your Meat and BBQ Cravings While in Texas
-
Toys5 months ago
15 of the Best Trike & Tricycles Mums Recommend
-
Tech News3 months ago
Soccer team’s drone at center of Paris Olympics spying scandal