British businesses and public sector organisations will face immense extra costs if the UK loses its ability to seamlessly transfer data to the European Union (EU), warns cross-party home of Lords committee.
In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the European Union (EU), allowing the free flow of individual data to and from the bloc to continue, but warned that the decision may yet be revoked if future data protection laws diverge importantly from those in Europe.
In exiting the EU, the UK became a “third country” under the bloc’s rules, which means the European Commission (EC) will gotta periodically measure whether it does supply an fundamentally equivalent level of data protection for EU citizens’ data.
The EC will gotta make 2 separate adequacy determinations under the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) – both of which were transposed into UK law via the current Data Protection Act 2018 – by the end of June 2025.
Now, following a seven-month enquiry into the UK’s EU data adequacy, the European Affairs Committee (EAC) has written to digital secretary Peter Kyle urging the government to engage in early talks with the EC to guarantee the UK maximises its prospects of achieving a data adequacy agreement in the first half of 2025.
It besides emphasised the that losing adequacy position could origin crucial problems across a scope of areas. This includes raising fresh barriers to global trade and economical cooperation, imposing crucial extra costs and administrative burdens on organisations which share data between the UK and the EU (particularly in the context of policing and healthcare), and the hazard of upending the Good Friday Agreement.
The EAC besides noted the advanced financial costs of losing adequacy, adding that while “compliance with GDPR can itself be costly, the failure of data adequacy would besides lead to crucial financial penalties for many organisations”.
For example, the NHS Confederation and knowing Patient Data estimated in a joint submission to the EAC that losing adequacy could cost the NHS alone tens of millions of pounds, while another estimates noted failing to safe adequacy position would impose additional compliance costs on UK businesses of £1 to £1.6bn.
It added that adequacy was so valuable due to the fact that it would reduce administrative burdens and compliance costs, increase legal certainty, and make the UK a more attractive location to invest and do business.
“The UK faces a possible cliff-edge in June 2025 unless agreement is reached with the EU on the continued free flow of data. The safe and effective exchange of data underpins our trade and economical links with the EU and cooperation between our law-enforcement bodies,” said committee chair Lord Ricketts.
“The failure of data adequacy would make fresh barriers and run completely counter to the government’s ambitions to grow the economy and reset relations with the EU. We urge that reaching timely agreement on data adequacy should be integral to the reset, and the government’s top data protection priority.”
To limit the uncertainty around its future adequacy status, the EAC recommended that the government “engages early with the European Commission and another EU stakeholders with a view to ensuring that the adequacy renewal process is on a affirmative track, and providing reassurance as shortly as possible about the retention of adequacy status”.
It added that the government should besides research the prospects for securing future adequacy renewal decisions from the European Commission which do not expire after a fixed period, and that it should engage with the EU in good time to explain and supply reassurances on any of its planned data protection reforms.
“Since taking office, the discipline secretary has met EU commissioner Reynders twice to discuss the upcoming EU individual data adequacy review of the UK, and how to guarantee safe continuity of individual data flows from the EU to the UK,” said a DSIT spokesperson in consequence to Computer Weekly’s request for comment on the EAC’s letter. “Our officials will join method discussions with EU counterparts where required to support the review process.”
New UK data protection laws
The EAC’s letter noted although much of the evidence provided to its enquiry focused on the erstwhile government’s Data Protection and Digital Information Bill (DPDI Bill) – which was dropped from the legislative agenda during the pre-general election “wash up” period – the fresh government’s planned Digital Information and Smart Data (DISD) Bill covers any of the same issues.
The DISD was introduced to Parliament as the Data usage and Access (DUA) bill on 23 October 2024. erstwhile passed, the DUA will so amend the UK’s implementation of both the GDPR and LED.
While the EC’s adequacy decision will remainder on the exact contents of DISD Bill (which was only published online on 24 October), it will be looking to measure whether the framework provides an fundamentally equivalent level of data protection for EU citizens’ data.
This follows the Court of Justice of the European Union (CJEU) striking down the EU-US Privacy Shield data-sharing agreement on 16 July 2020 for failing to guarantee that European citizens had adequate rights of redress erstwhile data can be collected by the US National safety Agency (NSA) and another US intelligence services.
The ruling – colloquially known as Schrems II after the Austrian lawyer who took the case to the CJEU – found that people must be given “essentially equivalent protection” for their data erstwhile it is transferred to the US and another countries as they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their private data.
“The UK’s current GDPR government is far from perfect. But the consequences of not reaching agreement with the EU are highly harmful,” said Lord Ricketts. “There is clearly scope to improvement and improve GDPR as part of the government’s fresh Digital Information and Smart Data Bill. But this must not jeopardise the UK’s adequacy status.”
Lord Clement-Jones – a Liberal politician peer and spokesperson for the digital economy in the home of Lords – added that the EAC’s letter “illustrates only besides clearly the fragility of the UK’s data adequacy situation and the importance of resisting crucial changes proposed by the last government to the UK GDPR”.
Those previously suggested changes to the DPDI bill before it was dropped included removing the request to conduct data protection impact assessments and to have a data protection officer, loosening requirements around automated processing, and giving the secretary of state the power to straight appoint the information commissioner.
Threats to adequacy
In terms of the direct risks to data adequacy, the EAC said the UK faces “two distinct possible hurdles”, 1 being the EC’s renewal decision, and the possible of a legal case being brought against a affirmative renewal decision at the CJEU.
It added that while the EC itself is likely to want to renew the UK’s adequacy position due to a scope of factors – including the economical benefits it would bring the bloc, the fact the UK is utilizing already GDPR as a starting point, and the EC’s own political and strategical imperatives – it was more likely the UK would lose adequacy as a consequence of a legal challenge being brought to the CJEU.
“There was a large measurement of consensus among our witnesses that, of the European Commission and the CJEU, the second is the greater hazard to the continuation of the UK’s adequacy status. For example, the not-for-profit technology organisation Reset called the CJEU ‘the more exacting forum of the two’ and said that the court ‘has in fresh years consistently taken a more absolute line than the European Commission (and most of the associate States) in defence of fundamental privacy rights’,” it said.
“Several witnesses pointed out that, in its 2 Schrems rulings, the CJEU had struck down erstwhile EU adequacy arrangements with a partner as crucial as the United States. (The key issue in the strike-down was the hazard of disproportionate access – and the nature of oversight of the access – by US national safety and law enforcement agencies to individual data held by private entities, and the hazard of this including transferred data from the EU.)”
It added that respective witnesses said that if the UK were to lose adequacy status, “they would anticipate the UK and European Commission to implement 1 or respective immediate ‘workarounds’, to avoid the cliff-edge script and buy time in which to take steps that would see adequacy restored”.
Suggested alternatives to data adequacy include the usage of multilateral agreements and legal mechanisms specified as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). However, uncertainty was cast on validity of the SCC way by Schrems II, which found although these were legally valid, companies inactive had a work to guarantee that those they shared the data with granted privacy protections equivalent to those contained in EU law.
According to Owen Sayers – an independent safety consultant and enterprise architect with more than 25 years of experience in delivering safe solutions to policing – there is simply a hazard the EAC has collapsed the discrimination between GDPR and LED adequacy by besides closely aligning them in form, function and nature, erstwhile they are “structurally veery different” to 1 another.
“Under GDPR you can rather simply transfer data if you have adequacy,” he said. “Under LED, it is very hard, and for any circumstantial organisations is virtually impossible, to transfer data unless you have adequacy.
“These sound rather akin conditions, but they’re poles apart – ‘you can do if’ is intrinsically permissive in nature; whereas ‘you cannot do unless’ is simply a barrier control. Even if you do have LED adequacy, you are then restricted as to who in your mark country you want to send that data to.”
The EAC added there are a scope of issues that would be of “interest and possible concern” to both the EC and CJEU as they consider the UK’s adequacy statuses.
This includes potential divergence on data protection standards that would make it harder for people to exercise their data rights; the anticipation that the UK government undermines end-to-end encryption; the independence and effectiveness of the Information Commissioner’s Office (ICO); aspects of the UK’s national safety government under the Investigatory Powers Act 2016, including data collection and retention, surveillance powers and practices, and the function of the Investigatory Powers Tribunal; and any legal cases which supply grounds for concern about UK data protection standards.
The EAC besides highlighted possible risks posed by onward transfers of data from the UK to another 3rd countries, including under the UK-US Cloud Agreement.
“All this means that government and public services mostly request to take a hard look at their governance of data and AI deployment ahead of their ambitious plans for tech adoption in the public sector,” Clement-Jones told Computer Weekly.
The police cloud issue
While the EAC itself did not measure the impacts on adequacy of IT systems already procured and in-use, the increasing usage of US-based public cloud services by UK police and the wider criminal justice sector has previously been cited to Computer Weekly as a possibly immense problem for the UK’s ability to get LED adequacy, primarily due to the possible for distant access to that data and its onward transfer to a non-adequate jurisdiction.
Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing more than a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that they are presently incapable to comply with strict law enforcement-specific rules laid out in the DPA.
At the start of April 2023, Computer Weekly then revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video supplier Axon for transportation and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the usage of Azure “would not be legal”.
Specifically, the police watchdog said that there were a number of another unresolved advanced risks to data subjects, specified as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s usage of generic, alternatively than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
Computer Weekly besides revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to all public cloud strategy utilized for a law enforcement intent in the UK, as they are governed by the same data protection rules.
In June 2024, Computer Weekly then reported details of discussions between Microsoft and the Scottish Police Authority (SPA), in which the tech giant admitted it cannot warrant the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.
Specifically, it showed that data hosted in Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company claimed it has the ability to make method changes to guarantee data protection compliance, it is only prepared to make these changes for DESC partners and not another policing bodies due to the fact that “no 1 else had asked”.
The papers besides contain acknowledgements from Microsoft that global data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a Police Force – as required under DPA Part 3 – “cannot be operationalised”.
Although the ICO released its police cloud guidance in the same set of FOI disclosures – which highlights any possible data transfer mechanisms it thinks can clear up ongoing legal issues – data protection experts questioned the viability of the suggested routes on the basis the mechanisms are rooted in the GDPR alternatively than the law enforcement-specific rules contained in Part 3, and that is it not clear if they can in fact prevent US government access.
Computer Weekly contacted the Home Office about the how data protection issues with existing systems that have already been procured and deployed could affect LED adequacy, but received no consequence by time of publication.
Commenting on the issue of police data protection and sovereignty, Clement-Jones said: “The revelation of police forces’ failure to observe the requirements of Part 3 raises real issues for ongoing adequacy, but besides for any trust in the governance around the way technologies specified as live facial designation are deployed.”
According to Sayers, even if the mechanisms suggested by the ICO could prevent US government access, the transfers would be unlawful anyway as UK law lays down a series of circumstantial steps that must be followed for each and all transfer of a circumstantial part of individual data under Part 3.
“These steps are not being followed, and Microsoft have made clear that they cannot be followed (actually, they said ‘impossible to operationalise’). due to the fact that the steps laid down in the DPA 2018 Part 3 are not and cannot be followed, that is 1 of the main reasons why the processing done on these clouds is in breach of UK law,” he said.
“It makes zero difference at all if the US government bogeyman tries to usage Cloud Act to look at the data, as the data was illegally transferred regardless of cloud act.”
Sayers added that the EAC principally looked at what UK law says in relation to LED and what the impacts of this are, but missed a “huge area of consideration” in whether the UK actually adheres to its own data protection laws in practice.
“That is where the policing stuff becomes interesting, due to the fact that if the EU examine the UK’s operating track evidence of compliance with their own home version of LED (Part Three), then it’s clear that they absolutely do not comply with it to any real measure,” he said.
“To be adequate, the EU might simply look at the government in force; but I think they besides request to consider the available evidence of UK behaviour (and if they do that the image is far from rosy).
“The reason they request to consider the second is that presently if an EU citizens data is sent to a UK law enforcement body, it is almost surely going to be processed in contravention of UK DP laws. That means it’s surely being processed in contravention of EU LED-based laws.”
![Policjanci spełnili kolejne marzenie Wojtka z Zarębek. Ty też możesz pomóc [ZDJĘCIA]](https://static.korso.pl/korsokolbuszowskie/articles/image/ea10c42f-9fa0-4d17-ae0c-8debd9014c30)
