Does the UK Risk Its Data Position with the EU by Acting Reasonably?
Hell hath no fury like a bureaucracy scorned.
Do you know a person who insists on having his own way all the time and who wants to control your relationships with others? I hope not, but many of us do. What do you think would happen if you angered this person by ending your 40-year relationship with him, but he could still influence the way you treated other people? He would be angry, irrational and punitive.
Our British friends are feeling the brunt of this dynamic right now, as they “broke up” with the EU last year, but the EU is threatening to punish the UK for changing any of its data relationships with third parties. The current battle involves the enormous and octopean data privacy bureaucracy that has metastasized in Europe over the past 25 years, dipping its arms into nearly every business and government activity. Brexit forced the UK version of this governmental privacy establishment to splinter away from the EU version.
Over the years, the British official privacy pronouncements have leaned more toward common-sense consumer protections and less toward German and French style extremisms. For example, when the European Court of Justice tossed out certain methods of transferring data to responsible companies in the U.S., the British privacy regulators suggested methods of resolving the problems while still protecting personal data. German and French bureaucrats took the occasion to suggest that no person data should be sent to the U.S. at all and that Europe should insist on data remaining in the country where it originated.
Now that the UK has separated from the EU, such moderation will no longer be tolerated.
Generally, if you do not meet your obligations under a law, you are classified as non-compliant. When the EU doesn’t believe that your country is meeting its data privacy obligations, it finds you “inadequate.” The EU privacy panjandrums start with the assumption that everyone else is “inadequate” and certain countries apply on bended knee to apply for a positive adequacy decision. In the past 26 years of the current EU privacy regime, out of the world’s 249 countries, the EU has recognized the adequacy of some territories surrounded by the EU, small adjacent islands, and Argentina, Canada, Israel, New Zealand, Uruguay and Japan. French privacy bureaucrats even publish a map of “adequate countries” and “partially adequate countries.” Of course, like the vast majority of nations, the United States has never been deemed even partially adequate.
The UK must be adequate, right? Its entire data privacy regime grew with the EU system following EU rules. How could you complain about that?
The EU dragged its feet, but eventually and grudgingly granted that the UK data privacy system – essentially identical to the data privacy systems of all other EU countries – was adequate. But, unlike the EU’s other adequacy decisions, which were granted indefinitely, for the first time in history the EU data-crats qualified a country’s adequacy status, including a “sunset clause” whereby the UK’s adequacy expires in four years. Plus, the EU gave itself the right to intervene at any time and pull the adequacy decision away.
Does this status really matter? Yes, it can have significant practical implications. The EU may fine companies for sending EU personal information to an inadequate jurisdiction, which, in this digital age, could reduce trade with that country. This is a particular problem for the UK, which has built its trade relationships deep into the European continent.
And the UK just poked the sleeping bureaucratic bear. As the UK readies for a change in leadership in its Data Protection Authority, it is considering addressing requirement of online cookie banners and other attempts at consumer data protection that aren’t working as intended. The UK discussed the possibility of moving deeper into “common sense” data enforcement and “an end to box-ticking.” The European Commission was listening and reacted quickly. According to Reuters “Britain said it would reform the data rules it agreed as an EU member by adopting a "common sense" approach that could help it secure data partnerships with the United States and other nations, immediately drawing a warning from Brussels. Data adequacy partnerships mean organisations would not have to implement costly compliance measures to share personal data internationally when doing business, the UK's digital ministry said in a release.”
This broad statement of intent to use common sense has incensed the EU regulators who, like angry mob bosses, are already threatening the UK with “consequences.” The European Commission warned on the record that its adequacy decision for UK “can be terminated or amended at any time by the Commission. This can be done immediately in case of justified urgency.” The urgency, of course, being the UK actually applying logic, rather than emotion, to decisions about protecting data.
Nothing has happened yet on either side of the channel to endanger the UK’s adequacy status. However, the tenuous nature of the UK’s status vs. the others who attained “adequacy” and the speed with which the European Commission acted in a threatening fashion at even a whiff of change both portend that the EU is likely to deeply overreact to any shift in the UK’s data privacy enforcement position, no matter how small and insignificant.
Fortress Europe clearly feels threatened at the prospect of a potentially more relaxed or business-friendly approach to data protection. One that might cast shade on the multi-billion-dollar Big Tech fining programs so popular in the EU right now. I’m sure there is logic to the EU’s positioning, but it feels more emotional – like a way to punish the country who broke up a long-term romance.