Brexit: More Worries for Data Adequacy as DCMS Committee Question Experts & ICO is Criticised

Following last week's ruling by the European Court of Justice on the use of mass surveillance by EU member states, questions have been raised about the impact on the likelihood of the UK being granted an adequacy decision.

This morning, experts were asked about this at the House of Commons Digital Culture Media and Sport committee hearing on issues pertaining to data, ethics and AI.

SNP Shadow Secretary of State for DCMS, John Nicolson MP, asked witnesses Dr Jeni Tennison, (Vice-President, Open Data Institute), Carly Kind (Director, Ada Lovelace Institute), and Dr Jiahong Chen (Research Fellow in IT Law at Horizon Digital Economy Research, University of Nottingham) about the implications of the EUCJ's ruling on the prospects of a deal, and whether there were any other issues that could impede a deal.

The experts warned that the EUCJ's ruling would most likely have a negative impact on the EU's adequacy assessment, given that the UK's security practices relied on mass-collection of data for surveillance purposes, which has now been ruled illegal.

Furthermore, Dr Chen outlined that the Investigatory Powers Act (2018) posed similar problems for data adequacy. The Act allows the UK Government to gather and keep personal information on individuals for the purposes of decision making in visa applications. After the EUCJ ruling, this kind of data gathering would also be illegal in the EU.

Watch the full DCMS Committee exchange here.

Also today, the Irish Council for Civil Liberties (ICCL) published a letter to the EU Commission saying that they must not grant the UK adequacy status due to the UK’s “dismal record” in tackling the adtech industry’s mass breach of data protection laws.

Data activist Johnny Ryan (who has been a long-time critic of the ICO and the Irish Data Protection Authority) has led the efforts of the ICCL, whose letter states that "Under the terms of Article 45(2)b of the GDPR, an adequacy decision is impossible because the UK’s data protection supervisory authority, the ICO, does not meet the test of an ‘effectively functioning’ supervisory authority".

The ICCL argue that the ICO has not done enough to stop breaches of GDPR by companies permitting and using real-time bidding.

The letter concludes that "the UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights. As a consequence, the personal data of data subjects in the Union do not at present have an adequate level of protection in the UK".

The ICCL estimate that, if the UK is not given adequacy status, £85bn of UK exports are in jeopardy because they rely on EU data, accounting for 13% of the UK’s total, global exports.

While this letter is unlikely to sway the EU Commission's decision, it does allude to a real concern that the ICO has not acted quick enough to crack down on RTB activity. Nonetheless, the ICO says it will continue their investigation and actions when they are less occupied with coronavirus-specific activity.

The UK Government has been consistent in its message that it is confident it will reach a data adequacy agreement with the EU. However, throughout this time, separate issues have been raised and not directly addressed by UK Government ministers.

The UK and EU have agreed to treat this as a technical issue, which should remove any political back-and-forth over the adequacy issue, but it does not remove the legitimate legal questions.

The DMA's Brexit Toolkit outlines the means by which companies can exchange data with the EU post-Brexit, regardless of the type of deal (or lack thereof).