The UK government’s upcoming data bill will turn the country into a “leaky valve” that would undermine the data rights of European citizens, say privacy campaigners in a call to revoke the UK’s data adequacy.
In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the European Union (EU), allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.
Set to pass some time in autumn 2023, the Data Protection and Digital Information (DPDI) Bill will amend the UK’s implementation of the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), which are both transposed into UK law via the current Data Protection Act 2018.
In a letter to the European Commission (EC), the privacy campaigners are now urging executive vice-president Vera Jourova and commissioner Didier Reynders to reassess the UK’s data adequacy decision, on the basis that the conditions which underpinned it will change as a result of the DPDI bill.
The letter’s 28 signatories include a number of non-governmental groups, such as Open Rights Group, Privacy International, Foxglove and Access Now, as well as individual legal and internet regulation experts, such as Ian Brown, Douwe Korff and Max Schrems.
“This decision, granted by the commission, rested on the premise that the UK’s data protection system would continue to follow the same rules as when the UK was an EU member state,” they wrote, adding that the DPDI “flies in the face” of the agreement.
“If passed, the bill would mean a wholesale deregulation of the UK data protection framework, allowing private companies to seek shelter in the UK to circumvent European data protection standards, and turning the UK into a ‘test lab’ for experimental and abusive uses of data. Likewise, the UK government would be given the power to legalise invasive surveillance programmes and other measures that trump the right to data protection of European citizens,” they added.
They said that the EC “must urgently take stock of these changes” and provide European citizens with assurance that the UK’s data adequacy will be repealed if the proposed bill becomes law.
Mariano delli Santi, legal and policy officer for Open Rights Group, added: “The DPDI bill will rip up hard-won privacy protections. This will not only harm UK citizens, but also the rights of Europeans living inside and outside of the UK.
“The UK government’s determination to deregulate data protection is putting the adequacy agreement with the EU in jeopardy, which is a risk that the UK economy cannot afford.”
The signatories also outlined a number of other issues with the UK’s proposed approach, including the independence of the UK’s data regulator being undermined by having its board appointed directly by the government, as well as by giving ministers the power to dictate its strategic priorities and interfere with the exercise of its powers.
They added that the bill would also weaken the definition of personal data to the point where organisations could use the UK as a base to pseudonymise European personal data before transferring it onward to third countries.
“Further, the bill would allow the UK government to authorise personal data transfers to third countries in the absence of meaningful Parliamentary scrutiny, and without guarantees concerning the retention of enforceable rights and effective remedies once this data has been transferred,” they said.
Secretary of state Michelle Donelan previously defended the government’s new data reforms in March 2023, arguing they would provide certainty for businesses while simultaneously retaining high standards of data protection.
She added, however, that with the EU-UK data adequacy decision scheduled for review in 2024, “the UK government will need to be mindful of the risks involved in diverging too far from the EU GDPR” if it wants businesses to continue sending data to Europe.
Computer Weekly contacted the EC for comment on the letter and whether it will reconsider adequacy in the event the DPDI bill passes into law, but received no response.
Commissioner Reynders, however, has previously said the EU would intervene if the UK did not maintain its compatibility with EU data protection law: “The commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”
The commission’s adequacy decision was accompanied by a four-year sunset clause, meaning mechanisms are already in place that could be used to revoke the decision.
A total of 14 adequacy decisions have been made under the GDPR since it came into effect in May 2018, covering Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK and Uruguay. However, only the UK’s adequacy decision covers law enforcement data exchanges, which are governed by the LED.