The risk of losing our EU data adequacy agreement is real

Ever since the UK left the European Union (EU), there has been talk of reforming the data protection regime currently in existence in the UK, inherited from the EU. GDPR (General Data Protection Regulation) became an acronym that caused angst among many in the run-up to its implementation and has continued to be viewed as a “problem” by some. Even some non-Brexiteers would probably be pleased to see the back of it for the UK.

It is, however, only really in the last 18 months that we have seen any sign of tangible reform measures. The Data Protection and Digital Information Bill that was introduced into Parliament in July of this year is the result of a major consultation held by the Department for Digital, Culture, Media and Sport (DCMS) last year. The Bill’s introduction for debate in the final week before summer recess was an indication of how important the government (as it was at the time) viewed the UK data protection regime. 

Since that introduction, however, it has been a bit stop-start for data protection reform in the UK. The Bill had been scheduled for its second reading on 5 September, which, it turned out, was to be the day Liz Truss was formally elected Conservative Party leader. In a Business Statement that same day, the government confirmed that the second reading would not take place as scheduled “in order to allow ministers time to consider the Bill further”.

The Bill has now moved to Committee Stage since the leadership election, so it is back in progress, although the timeframe for its implementation, if indeed the draft remains in its current form, is somewhat unclear.

Also, there was more uncertainty at the start of October when Michelle Donelan, the new secretary of state for digital, culture, media and sport, discussed data protection in her speech at the Conservative Party conference, saying: “We will be replacing GDPR with our own business- and consumer-friendly British data protection system. No longer will businesses be shackled by lots of unnecessary red tape.” 

Donelan also stated that she would be working with businesses to “co-design” the legislation, which suggests a more substantial “start from scratch” approach, rather than a simple review of the Bill previously submitted.

The intention behind the Bill, in its initial and current form, was already to update and simplify the UK data protection framework in order to “reduce burdens on organisations while still maintaining high data protection standards”. One could question why Donelan and her team need further time to “review and reconsider”. The idea was that the reform would represent “an evolution rather than a revolution”. Yet, if the proposed Bill remains in its current form, that does seem to be the case. 

But any more large-scale changes or significant departures from the GDPR risk jeopardising the UK’s adequacy with the EU. There is a danger that the “review and reconsideration” referred to by Donelan will go further and result in a regime that is no longer “essentially equivalent” to that of the EU. 

If that were to be the case, we would be facing more of the “revolution” the previous government had wanted to avoid. While that may satisfy Brexiteers, keen to see stark changes marking the UK’s departure from the “shackles of the Union”, the cost to business would be impactful – at a time when the economy is already struggling.

Another fly in the ointment, so to speak, is the proposed adequacy assessment by the UK of the new US Data Privacy Framework, a framework to securely send UK data to organisations in the US. In the same week as the Conservative Party conference – the same day, in fact, that US president Biden signed the infamous Executive Order – Donelan met with US secretary of commerce Gina Raimondo to discuss “a range of digital issues”, with the UK’s adequacy assessment of the US Data Privacy Framework being front and centre of the discussion.

The government should be similarly mindful of any grand moves to declare an adequacy decision in favour of the US in advance of the EU’s assessment, the outcome of which is expected in the coming weeks.

If the EU authorities determine that the UK’s reform measures render its regime no longer “essentially equivalent”, the adequacy decision falls away, as does the free flow of data between the UK and the EU. Why are we so concerned with the UK’s adequacy status and free flow of data, you may ask. Well, the value to the economy is estimated at between £1bn and £1.6bn. It is hardly surprising, therefore, that the government has admitted the cost to the economy of losing adequacy status would outweigh any benefits of reform.

Interestingly, although the UK’s adequacy decision is not scheduled for review until 2024, rumours are circulating that Brussels’ lawmakers are coming to London in November to scrutinise the proposed UK data reforms and their effect on UK adequacy. The risk is real – and the UK government should be alert to it.

Sarah Pearce is a partner and UK head of data privacy at Hunton Andrews Kurth. She has extensive experience of working with large tech companies and helping them manage global privacy and information security risks and compliance issues.