In September 2020, the UK government published its National Data Strategy (“NDS”), aiming to use data to boost the UK economy and to “unlock the power of data for the UK,” particularly in light of Brexit. The NDS is intended to set out the UK’s government focus on data, following the recent announcement that responsibility for government use of data will move from the Department for Digital Culture Media and Sport to the Cabinet Office.
However, whilst the NDS is optimistic about opportunities arising from the harnessing of data following Brexit, concerns have been raised that the NDS points to a future divergence by the UK from EU data protection and privacy laws. Any such departure is likely to impact the rights of individuals, the obligations on companies, and the granting of any adequacy decision regarding international transfers of data between the UK and the EEA.
So, what is the UK National Data Strategy?
The NDS sets out the UK government’s intention to utilise data across the public, private and third sectors to “support the UK to build a world-leading data economy” and position the UK as a leader in entrepreneurial data-led innovation following Brexit. The NDS has identified five very broad “missions,” which it sees as priority action areas to utilise data and improve its deployment in the UK:
- “Unlocking the value of data across the economy” by adopting a policy framework to make data “usable, accessible and available across the economy”, whilst balancing the protection of individual data privacy and intellectual property rights.
- “Securing a pro-growth and trusted data regime” by permitting businesses and innovators to use data without being overburdened by strict regulation while maintaining high data protection standards.
- “Transforming government’s use of data to drive efficiency and improve public services.” As part of its Covid-19 response, the government is aiming to improve the management, use and sharing of data by creating an interoperable government-wide data infrastructure.
- “Ensuring the security and resilience of the infrastructure on which data relies” by guarding the transfer and use of data from cyber threats, whilst seeking to increase the use of data across government agencies and businesses.
- “Championing the international flow of data” by promoting the flow of information across borders, in particular by aligning the UK’s data standards internationally and pursuing an adequacy decision for data transfers from the European Commission.
Why might this be a problem from an EU perspective?
The NDS’s “missions” aim to make data more accessible for use by businesses and to facilitate international data transfers, with many concluding that a relaxation of UK data protection law is envisioned with a focus on what enables companies and government to maximise the use of data and lower some of the (arguably onerous) rights afforded to individuals. In particular, the NDS’s hints of a “pro-growth legal regime” involving an appraisal of current data protection laws and regulation indicate that a shakeup could be on the horizon.
The NDS has stated that a central part of this data-driven approach will be the maintenance of high data protection and privacy standards for individuals. The NDS makes it clear that following the transition period, the UK will “control its own data protection laws and regulations in line with its interests”. However, some commentators have seen the NDS as signalling a repudiation of the EU’s data protection regime following Brexit.
How could this affect an adequacy decision from the European Commission?
The NDS comes at an uneasy time during the Brexit withdrawal process. From 1 January 2021 and barring any adequacy decision, the UK will be a third country for the purposes of international data transfers, and that has serious implications for UK businesses that transfer data out of the EEA. The European Commission is currently considering whether the UK offers an adequate level of protection to personal data transferred from the EEA to the UK. An adequacy decision would allow data to travel between the UK and the EEA without any further authorisations after 1 January 2021.
It is likely that the European Commission will only grant the UK adequacy if it is satisfied that the UK’s data protection regime, which currently replicates the GDPR, remains largely unaltered following Brexit. The NDS’s ambitious plan to use data and forge a new path as a global innovator could go up in smoke if this involves a significant change to the UK’s data protection regime.
Furthermore, concerns have been raised that, despite the NDS’s commitment to pursuing adequacy with the EU, the desire to facilitate cross-border data flows, particularly with the United States, could scupper the UK’s chances of obtaining an adequacy decision. The NDS aims to employ “innovative mechanisms” to remove “obstacles” to international data transfers; however, the onward flow of EEA personal data to undesirable third countries is likely to be a key area of concern for the European Commission. Earlier this year the European Court of Justice
ruled that the US data protection regime was incompatible with that of the EU, invalidating the U.S. Privacy Shield mechanism that had permitted transfers of data from the EEA to the U.S. (known as the “
Schrems II” ruling). Failure to obtain an adequacy decision would jeopardise the transfers of data between the EEA and the UK and endanger businesses that rely on the free flow of data.
The European Commission is reportedly also concerned that UK intelligence agencies could be given more extensive access to personal data following Brexit, as UK surveillance legislation such as the Investigatory Powers Act 2016 would no longer be open to challenge in the European courts. The access of personal data by US intelligence agencies was a central reason given for invalidating the Privacy Shield in the
Schrems II ruling, and the UK should not underestimate the seriousness with which the EU would view a high level of access to personal data being given to UK intelligence.
What to expect.
Over the next few months, the UK government will be seeking input from stakeholders as to the nature and form of the NDS, and that consultation will remain open until 2 December 2020. For now, it is likely that the European Commission will wait for the outcome of the consultation while considering what the NDS might look like in practice and whether this will be compatible with the EU regime.