Credit: Stux/Pixabay

As the government develops a post-Brexit data-protection regime intended to “break down the barriers” that prevent businesses using data, a minister has claimed that the UK does not need “exact alignment” with EU law to maintain the ability to share information across European borders.

The data adequacy status, granted by the European Commission 10 months ago, certifies that the UK’s privacy law “offers an adequate level of protection” to the personal data of EU citizens. The designation means that data is, effectively, free to be transferred between organisations in the UK and the remaining 27 EU member states – as well as Norway, Liechtenstein and Iceland.

Shortly after the achieving adequacy, ministers announced the government would be “reforming [the UK’s] data laws so that they’re based on common sense, not box-ticking… to pursue a new era of data-driven growth and innovation”. Part of these plans was reaching its own adequacy arrangements with various countries around the world, with the US, Australia, Colombia, the Republic of Korea, and Singapore earmarked as the top priorities, followed by Brazil, India, Kenya and Indonesia.

Experts have warned that any major deviation from European law – particularly the possibility of granting adequacy to the US and other countries not certified as such by the EC – could imperil the UK’s hard-won EU adequacy status.

In a written parliamentary question, shadow attorney general Emily Thornberry asked whether ministers from HM Treasury and the Department for Digital, Culture, Media and Sport – which is responsible for data protection policy – had met to discuss “the costs and benefits for UK businesses of [DCMS’s] proposed reforms of UK data protection regulation and potential risks to the UK's future data adequacy status with the EU”.

Related content

• Users will have more control over personal data under new regulatory regime, minister pledges
• Privacy Shield: government working with ICO to ‘update guidance as soon as possible’
• Whitehall departments reported 500 personal data breaches to ICO in FY20

In response, exchequer secretary to the Treasury Helen Whately said that ministers and officials from the two departments “continue to work closely… on proposed reforms of UK data protection regulation”.

The government does not believe it needs to stick stringently to European regulations in order to maintain its EU-granted status, the minister indicated.

“The UK regained autonomy over its domestic data-protection laws on 1 January 2021 and exact alignment to EU law is not a requirement for EU data adequacy,” Whately said. “The UK can reshape its approach to regulation and seize opportunities with its new regulatory freedoms, helping to drive growth, innovation and competition across the country. In doing so, the UK intends to maintain its high standards of data protection and ensure that the UK data regime continues to be based on public trust in the responsible use of data.”

She added: “The economic impact of any future legislation to implement these reforms will be assessed in the usual way, and we will continue to engage with EU counterparts, as appropriate, on these issues. The government response to the ‘Data: a new direction’ consultation will be published in the spring.”

The UK was finally granted adequacy status by the EC in June 2021, after more than a year of discussions – and six months after formally exiting the European Union. The UK is one of 13 nations and territories recognised as adequate, and is the only country whose status covers the exchange of information between law-enforcement bodies.

Whately’s assertion that the UK can retain this status even if its privacy laws start to diverge from those of the EU comes in light of warnings that this will not be the case.

Shortly after the UK achieved adequacy status, Jon Baines, senior data protection specialist at business law firm Mishcon de Reya, told PublicTechnology if “if the UK takes a bold decision to make data transfers to US easier… that would almost certainly present a risk for the EU adequacy decision”.

“For all third-party countries around the world, the government has said that we going to look at our own adequacy assessments. And each of those is going to be scrutinised by the EU,” he added. “While we have some freedom to set our own data laws and apply our own data regime, none of this is going to happen in a vacuum.”