Support 100 years of independent journalism.

  1. Politics
  2. Brexit
18 December 2020

Why the UK’s post-Brexit plans are a threat to data protection

The British government appears intent on driving through a radical shift in the data standards we have grown used to. 

By James Meadway

With the UK and the European Union reaching the last stages of their annual negotiation pantomime and talk shifting with comforting predictability to an imminent Brexit agreement, the recent noise around no deal has obscured discussion of the UK’s future place in the world.

Behind the headlines, however, the government’s plans are taking shape. The priority isn’t cars, or even – astonishingly – fish, but data. The consequences for the standards of privacy and protection we have become accustomed to, and increasingly expect, are huge; those for the long-term shape of the UK economy perhaps larger still.

[see also: Why Boris Johnson will struggle to deliver a “win” on fisheries]

Strikingly, Britain’s National Data Strategy, published in December, seeks to “maintain the high watermark of data use set during the pandemic”, which means “positioning the UK as a global champion of data use, and encouraging the international flow of information across borders”. The UK’s first post-Brexit trade deals are organised around this ambition, with the Japan deal, signed in October, a lynchpin for the wider strategy.

The Japan-UK trade deal almost exactly mirrors the existing Japan-EU deal that the UK was part of, with one crucial difference. Additions to the existing deal mean that the UK is “shifting towards the Asia-Pacific regulatory model of lower data protection”, as an analysis by the Open Rights Group argues. Existing EU restrictions on the free flow of data have been removed, and a ban on “the forced localisation of computing facilities” imposed, meaning companies do not have to build servers in every country in which they operate. Despite some nods towards World Trade Organisation-standard limitations on data transfers, the deal seriously weakens the ability of public authorities to control or restrict data use in the public interest. It is not clear, for example, if sensitive NHS data could be retained and protected in the UK under these terms.

Sign up for The New Statesman’s newsletters Tick the boxes of the newsletters you would like to receive.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy

But Japan represents only one step along this path, albeit a significant one. Further down the line is the prospect of the UK signing up in some form to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a US-free replacement for the Obama administration’s Trans-Pacific Partnership (TPP), which was introduced after Donald Trump thwarted the TPP. Signing bilateral deals with the CPTPP’s existing members – mainly Pacific-coast countries, including Japan, Canada and Australia – would add credibility to a future British proposal to join. The UK’s Department for International Trade is already holding “preparatory conversations” with all 11 CPTPP members.

Joining a scattered, multi-country trade deal, the majority of whose signatories are on the other side of the world, would make little sense for the UK if the only prize on offer were better access to conventional goods markets. CPTTP members account for 13 per cent of the global economy, but existing trade with them represents less than 5 per cent of UK exports, compared to 43 per cent for the EU. In trade, geography still matters. 

But if the calculation is that the majority of future trade growth will be in data, physical distance begins to matter much less. And if digital trade is determined mainly by the legal regulations between major economies and their trading blocs, there’s an opening for the UK to act as a kind of digital entrepôt – reprising its historic role as a global trade hub, attracting investment from across the world. The recent UK trade deal with Singapore, for example, included the opening of negotiations on a “digital economy agreement”. It’s no wonder International Trade Secretary Liz Truss has waxed lyrical about “Global Britain” and its role in the “digital free trade area” of the future.

A less generous reading would see this as an attempt to exploit what economists call regulatory arbitrage – seeking to profit from the gaps between different rules in different places. The UK would like to simultaneously utilise the lower standards of digital rights protection in the Japan deal, and in likely future agreements, while also claiming its digital protections meet EU requirements for data trade – a tactic otherwise known as having your cake and eating it.

At present, of course, the EU’s flagship data protection regulation, the GDPR, forms part of British law, meaning UK and EU data rules are broadly aligned. The EU also agreed early last year that Japan’s existing data protections meet its “adequacy” requirements, giving Japanese companies rights to trade data inside the bloc. The UK is claiming that since its current protections are near-identical to the EU’s, it, too, should have the same adequacy status.

However, the EU is refusing to sign up to a renewed Japan-EU trade deal that does not entrench these standards. And a European Court of Justice (ECJ) ruling in October found against the UK government’s collection of data, dealing a blow to its claims that current UK data protection standards match those across Europe. As with conventional trade, the EU has little incentive to allow a large, wealthy economy on its doorstep unrestricted access to its markets at lower cost than its own producers, while undermining its existing standards.

[see also: Court ruling threatens EU’s mass surveillance regimes – and UK data adequacy]

Negotiations are presently deadlocked on whether the UK’s data protection regime is adequate: with the 31 December Brexit deadline looming, an interim agreement will be needed to allow data to continue to flow across the Channel, delaying a final settlement until next year. Three-quarters of the UK’s data trade is with the EU, while the EU imported over £90bn of digital services from the UK last year. Whatever happens in the next few weeks, we can expect the data regulation dispute to continue, and to grow in importance.

[see also: UK will probably get an EU data adequacy agreement – but struggle to keep it]

A future change in the UK’s adequacy status is already having an impact at home, with Google and Facebook announcing that they will shift their management of UK data from being under EU jurisdiction in Ireland to the US. This would move UK users’ data rights from the comprehensive data privacy framework provided by the EU and into the US legal regime, where no such protection exists at a federal level. The UK’s hugely valuable NHS dataset has already been opened to Big Tech, with some strikingly lopsided deals that included offering parts of it for free to Amazon. Documents leaked last year from the UK-US trade talks make clear that the British government’s position is to allow the maximum possible freedom of access to data.

The European Court of Justice, meanwhile, has struck down a EU-US data deal on the grounds that it provided inadequate protection against US government intrusions on personal data. The UK’s post-Brexit role is still hugely uncertain. But the government has a clear determination to drive through a significant shift in the data standards and protections that we have grown used to, in what is an increasingly dominant part of our lives.