As the preferred new Information Commissioner appeared before the DCMS Select Committee for pre-appointment scrutiny today, we consider some of the key elements of the UK's ambitious package of post-Brexit global data plans ("UK Global Data Plans").
The DCMS announced the UK Global Data Plans on 26 August 2021, including priority data adequacy partnerships and a UK approach to adequacy assessments. This is the second big data protection step in a post-Brexit world, hot on the heels of the UK Information Commissioner's Office (ICO) publishing its own data transfer agreement and methodology for conducting international risk assessments.
Whilst it is clear that UK growth, trade and innovation (plus a practical, workable regime) are top priorities when considering reform of the UK data regime, the true extent and impact of any UK divergence from the EU data regime remains to be seen in a forthcoming consultation on the reform. In the meantime, the spotlight remains firmly on the age-old tension between innovation and regulation of the digital ecosystem.
Key takeaways:
- The UK Government will prioritise "data adequacy" partnerships with:
  - US, Australia, Republic of Korea, Singapore, Dubai International Finance Centre and Colombia
  - with India, Brazil, Kenya and Indonesia subsequently prioritised in a future tranche,

  to enable UK organisations to more easily exchange data with "important and fast moving economies".
- An accompanying Mission Statement sets out the UK's approach to adequacy assessments and international data transfers, alongside the UK manual for undertaking assessments, related guidance and a map illustrating priority countries.
- The DCMS announced a call for experts to form a new international data transfer council to inform and consult on the UK's international data transfers policy and to enable the government to "deliver on its mission to champion the international flow of data".
- International privacy expert and New Zealand's Privacy Commissioner, Jonathan Edwards, is confirmed as the preferred new Information Commissioner. The new Information Commissioner will be empowered to go beyond the regulator's traditional role of focusing only on protecting data rights.
- A related consultation is expected "in the coming weeks" regarding the future of the country's data regime, with the aim to make the regime "even more ambitious, pro-growth and innovation-friendly, while still being underpinned by secure and trustworthy privacy standards".
- The European Commission has responded to the UK Global Data Plans by re-confirming it will closely monitor these developments and the extent to which the UK diverges from the EU regime, including in light of safeguards attached to the UK's recent adequacy decision. See "UK adequacy: the Commission spotlight remains" below.
- It may be that an element of divergence is possible whilst retaining the GDPR as a framework (and in turn UK adequacy status) if the UK continues to also keep one eye on secure and trustworthy privacy standards. However, the devil will be in the detail, so watch this space. See “How far is too far? That is the question” below.
- From a practical perspective, the potential for different adequacy decisions and regimes for the UK and the EU adds to the existing complexity around onward international transfers for organisations operating in multiple jurisdictions across a European footprint.
UK adequacy recognition: lucrative global partnerships
The Mission Statement published alongside the press release highlights the importance of international data transfers, with everyday conveniences relying heavily on data transfers in our hyper-connected environment. The Government intends to unlock the power of data to drive UK international commerce, trade and development (and, in turn, growth and innovation) by reducing unnecessary barriers and burdens on international data transfers.
Now that the UK has left the EU, the Secretary of State may designate third countries, territories within a country, sectors of an economy and international organisations as providing an "adequate" level of protection of personal data transfers from the UK. An "adequacy" determination means that personal data can be transferred from the UK to that country freely, in accordance with the relevant adequacy decision. It is also the most efficient way to freely transfer personal data as it removes the need for UK organisations to use alternative transfer mechanisms, which can be costly and time consuming to implement.
In an effort to move quickly and creatively to develop lucrative global partnerships with "important and fast moving economies", the UK Government will prioritise "data adequacy" partnerships with:
- US, Australia, Republic of Korea, Singapore, Dubai International Finance Centre and Colombia
- with India, Brazil, Kenya and Indonesia subsequently prioritised in a second tranche.
These priority "data adequacy" partnerships will be subject to adequacy assessments to ensure sufficiently high data protection standards are maintained and any such partnerships would add to the 42 adequacy arrangements the UK already has in place. The Government intends for these priority partnerships to increase the annual £80 billion of data-enabled services currently transferred from the UK to these ten countries.
The inclusion of the US in the UK's list of priority "data adequacy" partnerships is of particular note given the ongoing lengthy negotiations between the European Commission and the US Government regarding an alternative mechanism to the EU-US Privacy Shield for the transfer of personal data from the EU to the US. This came after the European Court of Justice invalidated the Privacy Shield last year as part of the Schrems II judgment.
UK's approach to adequacy assessments
The Mission Statement also sets out the UK's approach to adequacy assessments and international data transfers, alongside the UK Manual Template (for undertaking assessments), related Manual Guidance and a map illustrating priority countries.
To determine whether a third country is "adequate", the UK will consider the overall effect of that country's data protection laws, implementation, enforcement and supervision. Among other factors, and in line with s.74B of the Data Protection Act 2018, as part of the test for adequacy the Secretary of State will take into account:
- the rule of law, respect for human rights and fundamental freedoms, relevant legislation (including concerning public security, defence, national security and criminal law and the access of public authorities to personal data);
- the existence and effective functioning of an independent regulator in the third country or to which the international organisation is subject; and
- relevant international commitments the third country or international organisation has entered into, in particular in relation to the protection of personal data.
The procedure will consist of four phases of work for UK adequacy:
- Gatekeeping: considering whether to commence an adequacy assessment in respect of a country, by reference to policy factors reflecting UK interests;
- Assessment: collecting and analysing information relating to the level of data protection in another country. The UK Manual Template (containing questions that assist with collecting the relevant information about a country's data protection) and the accompanying Manual Guidance are intended to assist with this stage;
- Recommendation: the UK adequacy team will make a recommendation to the Secretary of State, who will decide whether to make a determination of adequacy following consultation with the Information Commissioner and other relevant authorities; and
- Procedural: laying the relevant regulations in Parliament to give legal effect to an adequacy determination of the Secretary of State.
In March 2021, the Secretary of State for the DCMS and the Information Commissioner agreed a Memorandum of Understanding which set out the ICO's roles and responsibilities regarding UK adequacy assessments at each of the four stages.
Once adequacy regulations have been adopted in respect of a particular third country, they will be monitored and kept under periodic review, at intervals of no more than four years. During this time, the Secretary of State may also amend or revoke UK adequacy regulations. All UK adequacy regulations that reflect a decision taken by the UK Government can be challenged in the domestic courts by judicial review and a successful challenge will annul the adequacy regulations.
International data transfer expert council
The DCMS announced a call for experts to form a new international data transfer council to inform and consult on the UK's international data transfers policy. The council will form a subgroup of the National Data Strategy Forum, which was launched in May 2021 to help deliver the UK's National Data Strategy. Comprising 15 leading individuals across academia, industry and civil society, the council will "provide independent and expert advice, of both a technical and tactical nature, which will enable the government to deliver on its mission to champion the international flow of data".
Modified mandate for new Commissioner
The UK Global Data Plans confirmed international privacy expert and New Zealand's Privacy Commissioner, Jonathan Edwards, as the preferred new Information Commissioner from 31 October 2021. The new Information Commissioner will be empowered to go beyond the regulator's traditional role of focusing only on protecting data rights, with "a mandate to take a balanced approach that promotes further innovation and economic growth".
He is expected to appear before the DCMS select committee for pre-appointment scrutiny today.
Horizon scanning: Consultation for reform imminent
A consultation is expected "in the coming weeks" regarding the future of the country's data regime, with the aim to make the regime "even more ambitious, pro-growth and innovation-friendly, while still being underpinned by secure and trustworthy privacy standards". Improved data sharing is intended to boost growth for start-ups and small firms, speed up scientific discoveries and improve health public services in particular.
UK adequacy: the Commission spotlight remains
The issue of international data transfers has long been the main area of concern from a data protection perspective regarding Brexit; particularly whether or not the UK ensures an essentially equivalent level of data protection to that guaranteed under EU legislation. The European Commission's adequacy decision confirmed the UK as an adequate jurisdiction for GDPR purposes on 28 June 2021.
One of the key elements of the decision was that the UK's data protection system continued to be based on the same rules that were applicable when the UK was a Member State of the EU. The UK had fully incorporated the principles, rights and obligations of the GDPR into its post-Brexit legal system. However, strong safeguards were also incorporated into the decision (including the unique so-called "sunset clause" limiting the duration of the adequacy decision and the Commission's close monitoring of how the UK system evolves) which seek to restrict the extent to which the UK is able to diverge from the EU GDPR regime going forwards.
Since the UK left the EU, there were suggestions earlier in the year that it may pursue a more relaxed, business-minded approach to data. In particular, the DCMS' National Data Strategy and the Government's "10 tech priorities" sought to pave the way for harnessing and "unlocking the value" of data across the economy to enhance innovation and growth, an approach mirrored in the UK Global Data Plans.
However, such an approach will need to be carefully balanced against the UK's position on data vis-à-vis the EU, particularly to ensure that any divergence from EU legislation is seen as sufficiently protective if the UK is to continue to benefit from the adequacy decision.
In response to the UK Global Data Plans, a spokesman from the European Commission re-confirmed to Reuters that the Commission would closely monitor any developments to the UK data protection regime, stating that it was "fully aware of the risk" and that this is why "in case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended at any time by the Commission. This can be done immediately in case of justified urgency."
Perhaps this is intended to be a gentle warning to the UK Government or a subtle sign that the Commission is already starting to consider whether the growth and innovation priorities outlined recently (including in the UK Global Data Plans) are, in fact, appropriately balanced against data privacy protections.
How far is too far? That is the question
The "business friendly" intentions behind the UK Global Data Plans will be welcomed by commerce, particularly those across the technology industry. However, alongside recent ICO and DCMS commentary, the plans indicate a clear intention to diverge from the EU regime and reform the UK rules on data protection so that "they're based on common sense, not box-ticking. And…having the leadership in place at the Information Commissioner's Office to pursue a new era of data-driven growth and innovation." (Digital Secretary, Oliver Dowden)
But how far is too far to diverge? When does a "business" and "innovation" friendly approach start to erode the level of protection afforded to data transferred from the EU to the UK and jeopardise the recently determined UK adequacy decision? It is one thing removing barriers to international data transfers in order to deliver growth, but quite another if that then creates further barriers in the process; at its worst potentially leading to the European Commission revoking the UK adequacy decision, increased costs to organisations of using alternative transfer mechanisms and ultimately interrupting the free flow of data between the EU and the UK, a scenario that both the EU and the UK will ideally want to avoid.
At this stage, the UK Global Data Plans are just that: “plans” setting out the Government’s current intentions. Without the detail of the forthcoming consultation to reform the UK data regime, as well as implementation of that regime, it is too early to tell how the UK Government intends to deliver its plan and the impact and full extent of any such divergence.
The DCMS press release does make it clear that any reformed regime will conform to high data protection standards and must be “underpinned by secure and trustworthy privacy standards”. We therefore await the consultation to understand the extent to which the Government’s proposals for reform do in fact sufficiently prioritise maintaining public trust in the UK’s data protection regime and, in turn, prioritise the UK’s adequacy status.
In parallel, there is also the possibility of the UK adequacy decision being challenged in the future in a “Schrems-style” action, given the misgivings voiced by a variety of stakeholders as part of the adoption process.
Ultimately, only time will tell whether the UK will be forced to choose between divergence and adequacy. In the meantime, the potential for different adequacy assessments and regimes for the UK and the EU adds to the complexity around onward international transfers for organisations operating in multiple jurisdictions across a European footprint.