The UK Should Beware of Future Restrictions against UK-EU Data Flows

The British government must beware of future challenges to the United Kingdom’s ability to transfer data to and from the European Economic Area (EEA) due to privacy concerns. As Britain expands its global trading role in North America and the Asia Pacific, the UK needs to ensure continued access to European digital markets by revisiting its current surveillance and data retention policies.

As post-Brexit Britain develops a new approach toward data governance, the Boris Johnson government has rightly emphasised free cross-border data flows and restrictions against data localisation requirements. The UK recently signed the UK-Japan Comprehensive Economic Partnership, through which London and Tokyo agreed to remove data localization restrictions, eliminate discriminatory treatment of digital services, and enable cross-border data flows between the UK and Japan.

The UK’s liberalized approach bears a sharp contrast with the European Union’s privacy-orientated and localised approach to data governance, aligning Britain much closer with the US, Canadian, and Japanese stances on cross-border data flow. The UK government must uphold this commitment to liberalized data governance as it pursues trade negotiations with the United States, Canada, and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership.

However, the UK’s recent trade successes should not blind British policy makers to a lurking challenge—the country’s ability to transfer data to and from the EEA. Notwithstanding the potential for Britain’s digital trade elsewhere, the EU remains by far the most important market for UK digital service exporters. In 2018, Britain exported “$124.5 billion in digital-enabled service” to the EU, resulting in a £77 billion ($107.2 billion) services surplus that offset the UK’s trade deficit in goods with the EU. As a result, cross-border data flows with the EU—which account for 75 per cent of Britain’s international data flows—are crucial for British exporters. Without the ability to transfer data to and from EEA countries, London will be at severe disadvantage vis-à-vis Amsterdam, Frankfurt, and Paris, which are competing with the City of London for dominance in financial services and digitally enabled exports.

Under the EU’s General Data Protection Regulation (GDPR), the least cumbersome way for UK-EU data flows requires Britain to receive and maintain an “equivalence” decision from the European Commission. Because of the EU’s strict approach, the commission has granted an “equivalence” status to only 11 countries, allowing businesses in these countries to transfer data from the EEA without any further safeguards. Although Britain received an affirmative equivalence decision from the European Commission in February 2021, this equivalence is subject to continual review by the commission and possible legal challenges at the Court of Justice of the EU (CJEU).

To preempt any such challenges, the UK government should be careful about its continuing intrusive surveillance programmes. Although the United States enjoyed partial equivalence from the EC through the Privacy Shield, the CJEU decided last year in Schrems II that US surveillance programs represented “a disproportionate interference with the rights to protection of data and privacy.” Consequently, the CJEU struck down the US-EU Privacy shield, resulting in significant uncertainty and increased compliance costs for U.S. businesses exporting to the EEA. Any such decision would be exceptionally costly for the UK since Britain exports a much higher proportion of its services to EEA markets.

To avoid future legal challenges to the EU’s equivalence decision, Parliament should consider revisiting the UK’s current approach toward mass surveillance and data retention requirements without adequate safeguards for data subjects. Under the 2016 Investigatory Powers Act, Parliament substantially expanded the UK’s security and intelligence agencies’ authority to conduct surveillance without a warrant and required “ISPs [internet service providers] and mobile operators to store all their customers’ data for a year, regardless of whether the users are criminals or not.”

These two provisions have been subjects of contention between Brussels and London and will likely be under increased scrutiny in the future—especially since the UK no longer enjoys the national security exemptions that it previously enjoyed as an EU member. By limiting the use of mass surveillance and relaxing data retention requirements, British policy makers can preempt future legal challenges against the UK’s transfer of data to and from the EU and other data jurisdictions.

The GDPR’s future enforcement remains uncertain as its provisions are increasingly subject to legal challenges by individual EU countries. However, so long as GDPR data restrictions stay in place, the UK should maintain an equivalence agreement for UK-EU data flows. The UK government should also monitor the commission’s rulemaking on privacy issues and potential divergence in the interpretation of GDPR and the Data Protection Bill by European and English courts. Meanwhile, preempting legal challenges by revisiting the UK’s current surveillance policies should be a crucial part of Britain’s data governance and digital trade strategy.