Karlin Lillington: Latest instalment in Brexit saga? Free flow of data

If the UK cannot meet European Union standards, it will become a global data pariah

The UK has form for demonstrating astonishing belief in the gangrenous category of ‘now that we have left the EU, we make up our own rules’. File photograph: Getty

Given all that is happening politically in the UK at the moment, a chirpy press release Tuesday from the UK’s Department for Digital, Culture, Media and Sport on international data transfers might have been overlooked.

Echoing the same breathless metaphorical choices of a related August statement: "International data transfers: building trust, delivering growth and firing up innovation", the department confidently informed usthis week of the formation of a new council: "Global data experts fire up government's plans to promote free flow of data."

So much firing up to do!

Back in August, the department argued that now that the UK was free of those pesky and bothersome EU data protection and privacy rules, it would “turbocharge data” for private sector companies and research.


The department's then minister, Oliver Dowden, said: "Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society."

That data unleashing unfortunately faces obligations that haven’t gone away just because the UK now sits outside the EU. To be fair, the UK has form for demonstrating astonishing belief in the gangrenous category of “now that we have left the EU, we make up our own rules”, forgetting that while it has indeed departed, it nonetheless cannot continue to engage with its major trading and political partners without observing internationally agreed rules.

Hence the previous statement was greeted with a mix of be- and a-musement by international experts on data and trade policy. Yet here we are months later, anticipating even more firing up.

The firing this time around is to be overseen by a huge new UK Data Transfer International Expert Council. There are 20 of them, and, surprise, only one comes from a fully independent data protection/data privacy non-governmental advocacy group or one that isn’t funded by major corporate donors.

That's the Australian Privacy Foundation, sitting alone despite the fact that both the UK, US and EU have world-leading privacy advocate organisations.

There are lots of lawyers from large practices, and some academics (mostly, lawyers). There are representatives of global tech and business multinationals – and, perhaps tellingly, it is these the UK government seems most excited about as they are the only members highlighted in a handy top-line bullet point: "Representatives from Google, Mastercard and Microsoft among the 20 experts meeting today to launch International Data Transfer Expert Council. " What a relief to know the big data gatherers, some the target of past GDPR fines or investigations, are contributing their expertise.

The new council also includes some leaders of large data protection organisations that are either data protection industry representative bodies (IAPP, the International Association of Privacy Professionals) or in part, corporate-funded (The Future of Privacy Forum). I’m sure they’ll make useful contributions, but just as a reminder, “privacy professionals” cover a huge category of people, many of whom (like legal privacy experts) have the goal of ensuring companies can meet the bare minimum for data protection legal requirements.

The intent is to help the UK arrange data transfer agreements with what it calls "priority countries"  including the United States, Australia, the Republic of Korea, Singapore, Dubai and Colombia. The end goal is "striking data adequacy partnerships to ensure the data protection standards in the country data is being transferred to mirror the UK's", according to the government statement.

Perhaps you too noted the obvious absence of the UK's biggest trading partner, the European Union. While the UK has been deemed by the European Union to have "adequacy" for data transfers, this is widely considered to be as fragile as the untested adequacy of the EU-US Privacy Shield data transfer agreement.

"Mirroring the UK" standards is not even the issue. The only significant adequacy agreements that really matter to the United Kingdom are those with the United States and European Union. And that's the UK's big problem. While it may boast of its own independent data protection law, it, like the United States, has a massive national surveillance agency that gathers data at scale and mostly in secrecy.

The US and EU remain locked in negotiations to try to resolve this overshadowing trade issue. Some of the European Court of Justice's most significant data protection and privacy decisions, such as the Digital Rights Ireland and the two Schrems judgments, hinge on problems the ECJ has identified in ensuring data protection meets EU standards, when surveillance agencies have limited restrictions and non-transparent oversight.

The next entertaining instalment in this Brexit saga will be to see how the new council proposes to help the UK “fire up” and “turbocharge” more data exploitation and determine “how the UK can be a global leader in removing barriers to cross-border data flows” while still meeting EU standards of data protection. Because the UK can turbocharge all it likes with Colombia, Dubai and the US, but if it can’t meet EU standards, it will become a global data pariah.