Our blog on Monday made a simple point. The UK’s data protection regime is being weakened without debate. We showed how commitments in the UK-Japan Comprehensive Economic Partnership Agreement could over time allow flows of UK citizens’ data to nations with weak or voluntary data protection arrangements.
There is a very short period of time for the public, and for policymakers, to understand what is taking place in this agreement, and what it means for our privacy. There are aspects of this deal which are new to us, and to Parliament, which need to be understood. There are other things which have not been disclosed, but are absolutely critical.
Committed to move data across borders
The Trade Agreement states in Article 8.84 that:
A Party shall not prohibit or restrict the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person
In broader terms, Article 8.80 explains that each party must have a data protection framework, and these can include, according to a footnote:
sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy
In paragraph 5 the parties also agree to
the development of mechanisms to promote compatibility between … different [data protection] regimes. These mechanisms may include the recognition of regulatory outcomes, whether accorded autonomously or by mutual arrangement, or broader international frameworks
In other words, this all says, “anything more or less should do.” In particular, this paragraph commits the UK government to recognising the kind of standards promoted by Japan and the US such as the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules, that is, “laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy”.
Committed to low privacy standards
The Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC-CBPR) are a low standard, meaning one which recognises voluntary corporate commitments to data protection-style rules. This is in contrast to the EU-derived model which currently exists in the UK, which requires adherence to a defined set of rights-based provisions secured in law. For this reason, the APEC-CBPR framework, as a data protection standard, has been specifically rejected by the EU in its own adequacy agreement with Japan.
The UK Parliament, however, has been given no guidance as to why these standards are being promoted, when or if they might be adopted, or what the impact would be. ORG is looking in detail at analysis from the Pacific region, but the bottom line is that under these frameworks, it seems to be envisaged that data rights can be governed by contract law, not specific data protection laws.
When is this happening?
It is possible that the Government intends to implement voluntary standards under the new UK-Japan Adequacy decision, which we believe already exists, and appears to be mentioned on the ICO’s website.
However, it is equally possible that the Government is intending to implement voluntary standards later, once the Japan Trade Agreement is a fait accompli, and changes to data protection and adequacy can be presented as merely doing what was already agreed to.
Equally, they may be pushed by a third party, rather than our own Government, through a trade dispute.
What will it mean?
The UK’s incorporation of GDPR would need to be rewritten to remove enough rights to make alignment with voluntary standards credible, or any compatibility decision would be open to legal challenge.
Beyond that, the precise impact of lowering UK privacy standards to allow voluntary arrangements would include:
- Making your rights harder to enforce
- Reducing your ability to complain about your data being used unexpectedly
- Reducing the fines and penalties for foreign companies that break the rules
For the UK, there are some other impacts:
- Businesses working to high data protection standards will be forced to compete with businesses in countries with lower standards
- To achieve an EU adequacy agreement, the UK would need to agree that businesses would be able to segregate all EU data and not export it under voluntary or other low standards
- This would create a “digital firewall” to be able to separate data from the Republic of Ireland when stored in Northern Ireland, as data moved across the border would count as an EU-to-UK transfer.
Clearly, these are very significant costs, even without the damage to privacy.
Only two years ago, the UK government was arguing that we would continue to have excellent privacy laws following our withdrawal from the European Union. Now, via a few clauses in a trade agreement, it seems to be preparing to reduce or remove them with no public or Parliamentary debate.
This article has been edited to more accurately reflect our understanding of the treaty’s implications.