Brit MPs chide UK.gov: You're acting like EU data adequacy prep is easy
It's not. ♫ It's beginning to sound a lot like Brexit ♪
In the latest report slamming preparations for the UK’s departure from the European Union next year, and the subsequent transition period, Britain's Commons Home Affairs Committee has said it has “serious concerns” about the future of data flows.
The government’s attitude to data flows post-Brexit – that compliance with existing European laws will win it an adequacy decision – is either “worryingly complacent” or evasive, MPs have said.
The analysis of UK-EU security cooperations emphasises the importance of various data-sharing tools used across the bloc to monitor criminal activity. These include Europol’s information system, the Schengen Information System (SIS II) for wanted individuals or stolen objects, and the Prüm convention on international exchange of biometric info.
The committee said it was “vital” for both parties to come to an agreement for continued, real-time access to such datasets, and welcomed the EU’s decision to allow the UK continued access during transition or implementation.
However, it added that it had a number of weighty concerns about the government’s attitude to – and apparent expectation of – gaining an quick and easy adequacy decision to allow data flows after that.
The MPs said:
We are concerned that the government is not yet engaging sufficiently with the implications of an EU data adequacy assessment, nor preparing properly for such an assessment to take place. In addition, we believe that substantial contingency planning is required, in case this process takes considerably longer than the transition period, or in the scenario that it is not possible to achieve the UK’s objectives.
UK.gov told: Scrap immigration exemption from Data Protection Bill or we'll see you in courtREAD MORE
The government has maintained that it wants an adequacy-plus deal, with an early agreement and a place on the EU data protection board for the UK’s information commissioner (this proposal alone is problematic as the board is an EU body, so members should be in the bloc).
But gaining such a decision is riddled with difficulties – which many observers have repeatedly pointed out, apparently to little avail – and the MPs’ report sets out, along with a call for the government to take them seriously.
In short, they are:
- the UK’s Investigatory Powers Act, which the UK has admitted is illegal under EU law;
- provisions in its Data Protection Bill;
- the continued onward transfer to other countries;
- and the red line on direct jurisdiction of the Court of Justice of the European Union.
“We have serious concerns about the number of potential obstacles to the UK achieving an EU adequacy decision within two years,” the committee said.
It argued that the government’s belief that current compliance with EU data protection laws will see it through “takes no account” of the different rules for third countries.
“At best, this response is evasive; at worst, it suggests that the government is worryingly complacent about the UK’s future access to EU data,” the MPs said.
UK laws to face new levels of scrutiny
Among their concerns are that a number of the provisions set out in the UK’s Data Protection Bill – which is the nation’s implementation of the EU General Data Protection Regulation and includes allowed derogations for member states – will not be up to scratch after Brexit.
For instance, the UK’s Joint Committee on Human Rights has questioned (PDF) whether the bill contains sufficient protections as set out in the EU Charter of Fundamental Rights, while an exemption that limits data rights of individuals for purposes of “effective immigration control”, could easily affect the rights of EU citizens.
UK.gov wants quick Brexit deal with EU over private data protectionsREAD MORE
As such, the committee recommended that the government incorporate Article 8 of the Charter into the bill, and ensure the legislation “contains adequate protections for all data subjects”.
A further concern is intelligence-gathering and sharing activities of the UK spy agencies, which as a member state it was allowed exclusive control over, but, as the committee pointed out, will now “face new levels of scrutiny”.
The MPs take the line that it is essential for the UK to retain its intelligence-sharing capabilities with the Five Eyes countries – the US, Canada, Australia and New Zealand – and argued that surveillance and interception regimes have been used to “save lives and prevent serious harm”.
Moreover, they call for the UK to be able to set cross-border exchanges itself, so they are “beyond the scope of EU law”, and “urge the EU to recognise the value of these parallel security relationships, and to work flexibly to come to an agreed solution”.
They do, however, note that the CJEU could cause problems for the UK’s adequacy decision.
“We are also concerned about the risk of the CJEU striking down an adequacy decision, in the way that it has in relation to far less ambitious agreements with the USA and Canada,” the MPs write.
“The Government must work closely with its EU partners to ensure that Brexit does not cause the UK’s surveillance powers to become a source of conflict, nor an obstacle to vital forms of data exchange.”
The government’s red line on direct jurisdiction of the CJEU could also make it “very difficult for the government to negotiate ongoing access to EU law enforcement databases”, the report added.
Where data protection is concerned, the extent of CJEU involvement in any meaningful agreement between the UK and the EU means that it would be unwise to make the jurisdiction of the CJEU a 'red line' issue in negotiations.
The committee concluded by urging the government to speed up preparations “to ensure that UK law enforcement authorities do not face a 'cliff-edge' in their ability to exchange data with their EU counterparts“. ®
Sponsored: Becoming a Pragmatic Security Leader