Prime Minister: Data Adequacy agreement 'self-evidently in the interest' of UK and EU

This morning (3 February), both the EU and UK outlined their stances for the upcoming future relationship negotiations due to begin in March.

While the UK has taken the bold approach of insisting there will be 'no alignment' on EU rules and regulations, the Statement from No. 10 released this morning accepted that there were some areas which it were of interest for both sides to agree and remain aligned. In the statement issued by No. 10 following Boris Johnson's speech, a data adequacy agreement was highlighted as one of the areas that the EU and UK should agree:

Finally, there are certain areas where the UK considers agreement is self-evidently in the interest of both sides, and where early progress is a test of the constructive nature of the negotiating process. [...] The UK would see the EU’s assessment processes on financial services equivalence and data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit. The UK intends to approach its own technical assessment processes in this spirit.

The DMA has been pushing hard for a data adequacy agreement to be included in the EU-UK future relationship agreement, regardless of the style of deal, for the time since initial negotiations of the Withdrawal Agreement. The UK Government's recognition of this is excellent news for the data and marketing industry and should be seen as a real success for the DMA and its industry partners.

However, there remain concerns on the EU side about a data adequacy agreement.

In 2000, the USA reached a data-alignment agreement with the EU, which allowed US business to process EU citizens’ data. However, over the next 15 years, the USA implemented progressively more pervasive counter-terrorism laws, which gave government unbridled access to data contained in US-based servers.

Because of this, in 2015, the Safe Harbour agreement was overturned by the EU Court of Human Rights. So long as EU citizens’ data was held on US servers, their privacy in accordance with EU rights and regulations was not guaranteed.

The UK’s counter-terrorism strategy is as stringent – if not more so – than US policy. Operation Tempora allows virtually uninhibited government access to personal data on UK servers – emails, phone records, search histories and more.

Currently, Europol and EU joint intelligence efforts include the UK’s operations and our counterterrorism laws are exempt from conformity to data protection. However, if a Brexit deal did not include the same level of co-operation on security, the UK’s counterterrorism laws would be deemed to breach EU human rights laws, and a data adequacy agreement may not be offered by the EU.

The second point of contention is the future path of the UK in regards to data protection. While the EU says it is their intention to say make a positive decision on adequacy, in their negotiation mandate (also released yesterday), the EU would like assurances that the UK will not reduce standards of data protection after a data at any point after the future relationship is agreed. The UK has stated it does not want to be legislatively bound by the EU's laws in this regard, so for an adequacy decision to be granted, the UK may need to move on this position, or accept that the adequacy decision could be revoked at any point if the EU becomes dissatisfied with the UK's data protection standards in future.

Nonetheless, at present, it is likely a security cooperation agreement and will be reached and there will be an agreement that mirrored standards are beneficial (at least in the short term), and therefore likely that data adequacy decisions will face little opposition.

Nonetheless, The DMA will continue to impress through our European partner organisation, FEDMA, how necessary for both the UK and EU to agree an adequacy agreement to safeguard the continued success of the digital and data industries in both jurisdictions.

If the EU does not grant an adequacy agreement, or there is a no-deal scenario, businesses must take steps to ensure they can exchange data with the EU. These are outlined in the DMA Brexit Toolkit. For further information on this or any of the above, please contact Michael Sturrock.