Receiving nul points in Eurovision shows how isolated the UK has become. It fails every time. Whether it’s ramming passengers from all over the world together for hours on end at Heathrow, or shiftily dodging questions on the feeble Anglo–Australian trade deal, or privatising the NHS, or the PPE scandal, or the Northern Ireland protocol, it brings home nul points. Marks out of ten for trust? Zero.
The UK is not trusted to keep its word
Last week, while eyes were on the row over the UK refusing to stick by the rules on the Northern Irish protocol, members of the European Parliament decided that the UK’s proposed rules on protecting EU citizens’ personal data weren’t good enough. Until Brexit, the UK followed the same rules as the rest of the EU. Now it wants to deviate to secure a competitive advantage – or so it thinks.
Data on goods and services is transferred across borders all the time in line with regulations governing how it is transferred, with whom it may be shared, and to whom it may be sold. The EU has the strictest rules for protecting personal data privacy, known as the General Data Protection Regulation (GDPR), to stop such data from being looked at, and to try to prevent that data being sold on to companies, advertisers and governments.
Under Article 27 of the GDPR, data controllers or processors outside the EU who process EU citizens’ personal data must designate in writing a representative in the EU, subject to limited exceptions. This means that anyone – including us – handling the private information of an EU citizen has to apply the EU’s rules. They risk big fines if they don’t.
The EU prevents personal data transfers to any country outside the EU whose privacy safeguards are weaker than its own. The USA is one such country, and the UK likes to share lots with it. Both fail the EU’s tests. Yet both try to get around stringent EU rules in the hopes of persuading organisations outside the EU to locate themselves in the UK or USA. This shows just how much they miss the point. Even if a company’s HQ was on the moon, it would still have to comply with EU law if it handled any data about an EU citizen, such as a person’s recent online purchases.
EU questions safety of data in UK hands
Last week, MEPs wanted assurance from the Commission that the UK could be trusted to handle the personal information of EU citizens and trading entities adequately. They weren’t satisfied. MEPs were quick to lambast European Commission proposals on the transfer of personal information from inside the EU to countries outside the EU, especially to the UK and the USA.
The Commission’s proposals were criticised as lacking sufficient safeguards in the so-called ‘adequacy agreements’ with the two countries.
The adequacy agreement is meant to guarantee that EU citizens’ personal data is protected to the same extent outside the EU as inside it, where it is covered by the GDPR. After considerable debate, MEPs decided that unless and until the situation can be improved, they would not approve the adequacy agreements.
This means our government, or any company in the UK, may no longer automatically assume that it can store or send EU citizens’ personal data to the USA, or anywhere else outside the EU – as many social media, travel, health, Covid, game, insurance or shopping sites may do – if that data is not ‘adequately protected’ from onward use and surveillance activities.
The home secretary needs to pay attention. And UK service providers and exporters would be advised just to keep following EU rules.
They must also guarantee that EU citizens’ data will not be traded and probed by outside agencies, and not sign trade agreements that entail EU data being moved without adequate safeguards against ‘intrusion’.
Our main trading partner is the EU and no one there has any incentive to be associated with a UK operator flouting the rules. They face hefty fines if they breach data protection rules.
Lessons from EU ban on Facebook data transfers
Facebook came unstuck when the EU ruled against the main way it transfers data about EU Facebook users to the USA, using what is known as the standard contractual clause (SCC). Under SCCs, no organisation may send such data outside the EU unless adequate data protection is in place in the country to which it is being sent, such as the USA. The EU was unimpressed by Facebook’s claim that the ruling would potentially lead to 410 million EU users not being able to use its services.
The answer is for Facebook – and anyone else – to improve how it safeguards personal data. If data protection in other countries (including the UK) is not up to scratch, they can be assured that MEPs will be on their case. They insist that the EU protect citizens’ rights to privacy; otherwise, big companies will feel able to do what they like with citizens’ personal data.
This is of more than passing interest to citizens everywhere. Social media giants, together with banks, have already suggested that they, rather than governments, should manage citizens’ online identities – such as identity cards and bank cards – and be the ‘trusted providers’ to verify that a citizen is who they say they are. What these organisations might do to commercialise that data or open it to government surveillance is unclear. MEPs, however, want to minimise risks to personal privacy.
The row highlights the chasm between the EU and USA on protecting personal data. Whereas the USA allows personal data to be used extensively by businesses and government agencies for all kinds of purposes, including surveillance, the EU does not. Nor did the UK, when it was in the EU.
We can’t rely anymore on the former protection we had inside the EU. But the EU can insist that we comply with EU rules to safeguard EU citizens and prioritise personal privacy over surveillance.
EU data – EU rules
The UK must now prove that its privacy protection is adequate. That could be done simply by carrying on with the GDPR.
But the government insists that it will not ‘align’ its policies and rules with those of the EU, even though it co-created them a few years ago. UK posturing as a ‘sovereign independent state’ has left the EU unimpressed, but there is a high risk of even more unnecessary rows with the EU in the highly charged areas of trade, migration and policing, which rely on data sharing and cooperation.
It is unclear what has changed to make the UK reluctant to retain the privacy protections we used inside the EU. The government may think that it will get a ‘competitive edge’ by lowering its standards. However, if it doesn’t protect data ‘adequately’, its ‘global’ ambitions will come to nothing. It is in danger of failing us all again. And this is one issue that will not go away.