The Guardian, 25 September 2020, by Daniel Boffey in Brussels
A radical “pro-tech” plan championed by Dominic Cummings to rewrite Britain’s data protection laws is endangering future cooperation with the EU worth billions to the British economy, Brussels has warned.
The government’s newly published national data strategy, promising a “transformation” long sought by Boris Johnson’s chief adviser and the former Vote Leave director, has sparked concern at a sensitive time with the continued flow of data between the UK and EU member states in question.
The European commission is currently examining whether the UK’s data laws will be in line with the EU’s general data protection regulation (GDPR) and law enforcement directive after 1 January 2021, allowing the movement of data vital to the law enforcement agencies but also the banking, health, entertainment, insurance and tech sectors.
Downing Street hopes that positive “adequacy” decisions can be made by Brussels before the end of the year when the transition period ends.
The government estimates that EU exports to the UK of data-enabled services were worth approximately £31bn in 2017 while UK exports of data-enabled services to the EU were worth around £80bn in 2017.
But EU sources said the government’s consultation paper, published on the same day as the controversial internal market bill, had exacerbated existing concerns over the UK’s approach at the end of the transition period.
Amid the uncertainty, on Friday British officials were due to explain the intentions behind the government’s stated pledge in its strategy paper to remove “legal barriers (real and perceived)” to data use, encourage international sharing and deliver a “radical transformation of how the government understands and unlocks the value of its own data”.
EU officials said the two key issues standing in the way of a positive decision were the use of data by the UK intelligence services and the potential “onward flow” to countries such as the US.
“While the UK applies EU data protection rules during the transition period, certain aspects of its system may change in the future or be implemented in a manner that differs from the approach of the EU such as rules on international transfers,” an EU official said. “These aspects therefore raise questions that need to be addressed.”
The official added that there was particular concern over the future rules “governing access to data by UK national security authorities” in the light of a recent ruling by the European court of justice.
In July, the Luxembourg court made the transfer of personal data to the US from the EU almost legally impossible due to the intrusive nature of surveillance programmes undertaken by the US intelligence agencies and the lack of redress for EU citizens.
Brussels is expected to seek assurances that the UK will recognise the implications of the ruling on its own treatment of European citizens’ personal information.
Legal challenges to an adequacy decision would be expected in Brussels should the British government fail to offer failsafe safeguards, EU sources said.
Ross McKenzie, a partner at the Addleshaw Goddard law firm, said the government was “walking a tightrope” by indicating the desire to make a major move away from the EU’s “gold standard” GDPR while also seeking to illustrate that it was in line with its regulatory intentions.
He said: “It is a surprise to me that the government has been so bold in the strategy paper. The European commission will be thinking: ‘What on earth do you want to change?’ But the UK cannot be a world-beating data economy unless we have ‘adequacy’.”
Two years ago, Cummings, who championed vast data collection by the Vote Leave campaign during the Brexit referendum campaign, described the EU’s GDPR as “horrific”.
“One of the many advantages of Brexit is we will soon be able to bin such idiotic laws,” Cummings wrote. “We will be able to navigate between America’s poor protection of privacy and the EU’s hostility to technology and entrepreneurs.”
“Those comments haven’t gone unnoticed,” said one diplomatic source.
Without a GDPR adequacy decision, businesses will be forced to organise individual agreements, known as standard contractual clauses. Industry insiders say the extra costs will be crippling for many small and medium-sized enterprises.
A government spokesman said: “We are a global leader, committed to high data protection standards. Protecting the privacy of individuals will continue to be a UK priority. The EU’s adequacy assessment ascertains whether UK data protection standards are ‘essentially equivalent’ to the EU’s.”