Prior to the pandemic, hopes of the UK being deemed adequate by the European Commission by the end of the transition period were cautious at best. Covid-19 poses yet another obstacle.
Adequacy decisions typically take around 18 months, and the UK is 13th in the queue of countries awaiting this process. In January 2020 the EU Commission struck a reassuring note, committing to start the UK adequacy assessment on 1 February 2020, with the aim of reaching a decision by the end of 2020, and emphasising the benefits of an adequacy decision for both sides.
These benefits are significant – the UK Government has calculated that EU personal data-enabled services exports to the UK were worth approximately £42bn in 2018, and exports from the UK to the EU were worth £85bn. Even more importantly, EU bodies have repeatedly recommended that law enforcement cooperation be made contingent on the adequacy of the UK’s data protection framework. A failure to achieve adequacy heralds not only trade disruption (which could be mitigated through widespread use of contractual protections), but an abrupt end to law enforcement cooperation, with potentially devastating effects on the UK’s intelligence and national security interests.
Despite these high stakes, in early February the UK Government suggested that the UK would diverge from EU data protection laws, ignoring the EU’s repeated statements that any ‘substantial deviation’ would pose an ‘important obstacle to the adequacy findings.’
Hopes dimmed further following a resolution approved by the European Parliament on 12 February, which criticised the UK’s approach to processing personal data for immigration purposes, its mass surveillance programmes, and its retention of electronic telecommunications data. The resolution concluded damningly that elements of the UK legal framework for data protection do “not currently meet the conditions for adequacy.”
It is unclear whether the UK Government’s Explanatory Framework for Adequacy Discussions, which makes the UK’s case for why its framework does offer protection to data subjects ‘essentially equivalent’ to the GDPR, has changed the EU’s position.
Onto this already bleak landscape came Covid-19. The pandemic not only poses a practical challenge, swallowing policy-maker focus and complicating business travel, but risks driving further ‘deviation’ between the UK’s position and the GPDR.
Countries across the world, including the UK, are seeking to use geolocation data held by telecommunications providers as part of Covid-19 public health responses. It remains to be seen whether South Korea’s widespread use of citizens’ personal data to combat Covid-19 will impact its ongoing adequacy talks with the EU, which have already been delayed by the virus. Israel’s invasive monitoring techniques, although criticised by domestic courts, have reportedly had no impact on its existing adequacy status.
Other EU countries, including Germany, are considering legislative amendments to permit the data processing required for widespread contact tracing.
The Coronavirus Act 2020 envisages increased surveillance powers, including bulk requests for telecommunications data. A legal opinion on UK tracking app options, commissioned by the Open Society Foundation, stressed that there would need to be ‘a clear and detailed legal basis for a mandatory system, set out in specific legislation.’ Were the UK to enact such legislation, this would constitute further ‘deviation’ from the GDPR.
The UK’s path to adequacy already appeared fraught. Covid-19 has made the road even bumpier.
any substantial deviation from the EU data protection acquis that would result in lowering the level of protection would constitute an important obstacle to the adequaacy findings