mixmagic - stock.adobe.com
Lords committee warns about risks of the UK losing its EU data adequacy
The UK government must work with the European Commission (EC) to secure a renewal of UK’s two data adequacy statuses, says cross-party Lords committee, in stark warning about impacts of losing the ability to seamlessly exchange citizens’ personal data
British businesses and public sector organisations will face huge extra costs if the UK loses its ability to seamlessly transfer data to the European Union (EU), warns cross-party House of Lords committee.
In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the European Union (EU), allowing the free flow of personal data to and from the bloc to continue, but warned that the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.
In exiting the EU, the UK became a “third country” under the bloc’s rules, which means the European Commission (EC) will have to periodically assess whether it does provide an essentially equivalent level of data protection for EU citizens’ data.
The EC will have to make two separate adequacy determinations under the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) – both of which were transposed into UK law via the current Data Protection Act 2018 – by the end of June 2025.
Now, following a seven-month inquiry into the UK’s EU data adequacy, the European Affairs Committee (EAC) has written to digital secretary Peter Kyle urging the government to engage in early talks with the EC to ensure the UK maximises its prospects of achieving a data adequacy agreement in the first half of 2025.
It also emphasised the that losing adequacy status could cause significant problems across a range of areas. This includes raising new barriers to international trade and economic cooperation, imposing significant extra costs and administrative burdens on organisations which share data between the UK and the EU (particularly in the context of policing and healthcare), and the risk of upending the Good Friday Agreement.
The EAC also noted the high financial costs of losing adequacy, adding that while “compliance with GDPR can itself be costly, the loss of data adequacy would also lead to significant financial penalties for many organisations”.
For example, the NHS Confederation and Understanding Patient Data estimated in a joint submission to the EAC that losing adequacy could cost the NHS alone tens of millions of pounds, while other estimates noted failing to secure adequacy status would impose additional compliance costs on UK businesses of £1 to £1.6bn.
It added that adequacy was therefore valuable because it would reduce administrative burdens and compliance costs, increase legal certainty, and make the UK a more attractive location to invest and do business.
“The UK faces a potential cliff-edge in June 2025 unless agreement is reached with the EU on the continued free flow of data. The safe and effective exchange of data underpins our trade and economic links with the EU and cooperation between our law-enforcement bodies,” said committee chair Lord Ricketts.
“The loss of data adequacy would create new barriers and run completely counter to the government’s ambitions to grow the economy and reset relations with the EU. We recommend that reaching timely agreement on data adequacy should be integral to the reset, and the government’s top data protection priority.”
To limit the uncertainty around its future adequacy status, the EAC recommended that the government “engages early with the European Commission and other EU stakeholders with a view to ensuring that the adequacy renewal process is on a positive track, and providing reassurance as soon as possible about the retention of adequacy status”.
It added that the government should also explore the prospects for securing future adequacy renewal decisions from the European Commission which do not expire after a fixed period, and that it should engage with the EU in good time to explain and provide reassurances on any of its planned data protection reforms.
“Since taking office, the science secretary has met EU commissioner Reynders twice to discuss the upcoming EU personal data adequacy review of the UK, and how to ensure secure continuity of personal data flows from the EU to the UK,” said a DSIT spokesperson in response to Computer Weekly’s request for comment on the EAC’s letter. “Our officials will join technical discussions with EU counterparts where required to support the review process.”
New UK data protection laws
The EAC’s letter noted although much of the evidence provided to its inquiry focused on the previous government’s Data Protection and Digital Information Bill (DPDI Bill) – which was dropped from the legislative agenda during the pre-general election “wash up” period – the new government’s planned Digital Information and Smart Data (DISD) Bill covers some of the same issues.
The DISD was introduced to Parliament as the Data Use and Access (DUA) bill on 23 October 2024. Once passed, the DUA will therefore amend the UK’s implementation of both the GDPR and LED.
While the EC’s adequacy decision will rest on the exact contents of DISD Bill (which was only published online on 24 October), it will be looking to assess whether the framework provides an essentially equivalent level of data protection for EU citizens’ data.
This follows the Court of Justice of the European Union (CJEU) striking down the EU-US Privacy Shield data-sharing agreement on 16 July 2020 for failing to ensure that European citizens had adequate rights of redress when data can be collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling – colloquially known as Schrems II after the Austrian lawyer who took the case to the CJEU – found that people must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries as they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their private data.
“The UK’s current GDPR regime is far from perfect. But the consequences of not reaching agreement with the EU are extremely harmful,” said Lord Ricketts. “There is clearly scope to reform and improve GDPR as part of the government’s new Digital Information and Smart Data Bill. But this must not jeopardise the UK’s adequacy status.”
Lord Clement-Jones – a Liberal Democrat peer and spokesman for the digital economy in the House of Lords – added that the EAC’s letter “illustrates only too clearly the fragility of the UK’s data adequacy situation and the importance of resisting significant changes proposed by the last government to the UK GDPR”.
Those previously suggested changes to the DPDI bill before it was dropped included removing the need to conduct data protection impact assessments and to have a data protection officer, loosening requirements around automated processing, and giving the secretary of state the power to directly appoint the information commissioner.
Threats to adequacy
In terms of the direct risks to data adequacy, the EAC said the UK faces “two distinct potential hurdles”, one being the EC’s renewal decision, and the potential of a legal case being brought against a positive renewal decision at the CJEU.
It added that while the EC itself is likely to want to renew the UK’s adequacy status due to a range of factors – including the economic benefits it would bring the bloc, the fact the UK is using already GDPR as a starting point, and the EC’s own political and strategic imperatives – it was more likely the UK would lose adequacy as a result of a legal challenge being brought to the CJEU.
“There was a large measure of consensus among our witnesses that, of the European Commission and the CJEU, the latter is the greater risk to the continuation of the UK’s adequacy status. For example, the not-for-profit technology organisation Reset called the CJEU ‘the more exacting forum of the two’ and said that the court ‘has in recent years consistently taken a more absolute line than the European Commission (and most of the Member States) in defence of fundamental privacy rights’,” it said.
“Several witnesses pointed out that, in its two Schrems rulings, the CJEU had struck down previous EU adequacy arrangements with a partner as important as the United States. (The key issue in the strike-down was the risk of disproportionate access – and the nature of oversight of the access – by US national security and law enforcement agencies to personal data held by private entities, and the risk of this including transferred data from the EU.)”
It added that several witnesses said that if the UK were to lose adequacy status, “they would expect the UK and European Commission to implement one or several immediate ‘workarounds’, to avoid the cliff-edge scenario and buy time in which to take steps that would see adequacy restored”.
Suggested alternatives to data adequacy include the use of multilateral agreements and legal mechanisms such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). However, doubt was cast on validity of the SCC route by Schrems II, which found although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.
According to Owen Sayers – an independent security consultant and enterprise architect with more than 25 years of experience in delivering secure solutions to policing – there is a risk the EAC has collapsed the distinction between GDPR and LED adequacy by too closely aligning them in form, function and nature, when they are “structurally veery different” to one another.
“Under GDPR you can quite simply transfer data if you have adequacy,” he said. “Under LED, it is very hard, and for some specific organisations is virtually impossible, to transfer data unless you have adequacy.
“These sound quite similar conditions, but they’re poles apart – ‘you can do if’ is intrinsically permissive in nature; whereas ‘you cannot do unless’ is a barrier control. Even if you do have LED adequacy, you are then restricted as to who in your target country you wish to send that data to.”
The EAC added there are a range of issues that would be of “interest and potential concern” to both the EC and CJEU as they consider the UK’s adequacy statuses.
This includes potential divergence on data protection standards that would make it harder for people to exercise their data rights; the possibility that the UK government undermines end-to-end encryption; the independence and effectiveness of the Information Commissioner’s Office (ICO); aspects of the UK’s national security regime under the Investigatory Powers Act 2016, including data collection and retention, surveillance powers and practices, and the role of the Investigatory Powers Tribunal; and any legal cases which provide grounds for concern about UK data protection standards.
The EAC also highlighted potential risks posed by onward transfers of data from the UK to other third countries, including under the UK-US Cloud Agreement.
“All this means that government and public services generally need to take a hard look at their governance of data and AI deployment ahead of their ambitious plans for tech adoption in the public sector,” Clement-Jones told Computer Weekly.
The police cloud issue
While the EAC itself did not assess the impacts on adequacy of IT systems already procured and in-use, the growing use of US-based public cloud services by UK police and the wider criminal justice sector has previously been cited to Computer Weekly as a potentially huge problem for the UK’s ability to obtain LED adequacy, primarily due to the potential for remote access to that data and its onward transfer to a non-adequate jurisdiction.
Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing more than a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that they are currently unable to comply with strict law enforcement-specific rules laid out in the DPA.
At the start of April 2023, Computer Weekly then revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.
Specifically, the police watchdog said that there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every public cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules.
In June 2024, Computer Weekly then reported details of discussions between Microsoft and the Scottish Police Authority (SPA), in which the tech giant admitted it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.
Specifically, it showed that data hosted in Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company claimed it has the ability to make technical changes to ensure data protection compliance, it is only prepared to make these changes for DESC partners and not other policing bodies because “no one else had asked”.
The documents also contain acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a Police Force – as required under DPA Part 3 – “cannot be operationalised”.
Although the ICO released its police cloud guidance in the same set of FOI disclosures – which highlights some potential data transfer mechanisms it thinks can clear up ongoing legal issues – data protection experts questioned the viability of the suggested routes on the basis the mechanisms are rooted in the GDPR rather than the law enforcement-specific rules contained in Part 3, and that is it not clear if they can in fact prevent US government access.
Computer Weekly contacted the Home Office about the how data protection issues with existing systems that have already been procured and deployed could affect LED adequacy, but received no response by time of publication.
Commenting on the issue of police data protection and sovereignty, Clement-Jones said: “The revelation of police forces’ failure to observe the requirements of Part Three raises real issues for ongoing adequacy, but also for any trust in the governance around the way technologies such as live facial recognition are deployed.”
According to Sayers, even if the mechanisms suggested by the ICO could prevent US government access, the transfers would be unlawful anyway as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part 3.
“These steps are not being followed, and Microsoft have made clear that they cannot be followed (actually, they said ‘impossible to operationalise’). Because the steps laid down in the DPA 2018 Part 3 are not and cannot be followed, that is one of the main reasons why the processing done on these clouds is in breach of UK law,” he said.
“It makes zero difference at all if the US government bogeyman tries to use Cloud Act to look at the data, as the data was illegally transferred regardless of cloud act.”
Sayers added that the EAC principally looked at what UK law says in relation to LED and what the impacts of this are, but missed a “huge area of consideration” in whether the UK actually adheres to its own data protection laws in practice.
“That is where the policing stuff becomes interesting, because if the EU examine the UK's operating track record of compliance with their own domestic version of LED (Part Three), then it’s clear that they absolutely do not comply with it to any real measure,” he said.
“To be adequate, the EU might simply look at the legislation in force; but I think they also need to consider the available evidence of UK behaviour (and if they do that the picture is far from rosy).
“The reason they need to consider the latter is that presently if an EU citizens data is sent to a UK law enforcement body, it is almost certainly going to be processed in contravention of UK DP laws. That means it’s certainly being processed in contravention of EU LED-based laws.”
Read more about data adequacy
- Privacy campaigners call for UK data adequacy to be revoked: The European Commission should revoke the UK’s data adequacy if its Data Protection and Digital Information Bill passes, which campaigners argue ‘flies in the face’ of the decision.
- UK signs ‘in principle’ data adequacy agreement with South Korea: Bilateral adequacy agreement will allow businesses to conduct cross-border data transfers with minimal restrictions.
- Privacy campaigners call for UK data adequacy to be revoked: The European Commission should revoke the UK’s data adequacy if its Data Protection and Digital Information Bill passes, which campaigners argue ‘flies in the face’ of the decision.