Dreaming, delusional, and daft: the UK Government’s ideas for post-Brexit data flows

For more on Brexit and tech policy, visit my dedicated side blog at https://afterbrexit.tech.

Is this the real life? Is this just fantasy?

The answer is both: it’s Brexit Britain, and the digital industry has been pulled so far down the well of fantasy politics that even the most surreal absurdities no longer trigger a laugh.

Case in point: today’s release of the Government’s white paper on data flow adequacy post-Brexit.

The white paper is 15 pages long, containing 12 pages of text. Eight of them – 75% of the white paper – is factual information about how things work or position statements that we have heard so very, very many times before.

Compare that to the 57 pages of exhaustive scrutiny the House of Lords gave to the topic after months of genuinely fascinating committee hearings; also note the time that the House of Commons Research Service spent explaining how data flows work, specifically so the DexEU didn’t have to bikeshed that same information.

So that is your first takeaway: it has taken 14 months since the referendum for the Department for Exiting the EU to come up with four pages’ worth of policy ideas.

Car crash policymaking

The UK Government’s big ideas start at page 8, “A UK-EU model for exchanging and protecting personal data between the UK and the EU, and beyond”. That paragraph states:

In light of the UK’s unprecedented position, the future deep and special partnership between the UK and the EU could productively build on the existing adequacy model (which is set out in more detail in paragraphs 32-41) in two key respects.

An unprecedented position, in other words, calls for an unprecedented arrangement: the UK expects special treatment.

And by God do they ask for it.

The first of their two ‘key respects’ is “Regulatory Cooperation”, meaning ICO’s place in the post-Brexit DP landscape. The paper suggests:

A new relationship could therefore enable an ongoing role for the UK’s ICO in EU regulatory fora, preserving existing, valuable regulatory cooperation and building a productive partnership to tackle future challenges…An ongoing role for the ICO would allow the ICO to continue to share its resources and expertise with the network of EU Data Protection Authorities, and provide a practical contribution at EU level which will benefit citizens and organisations in both the UK and the EU…

In other words, the UK Government expects ICO to continue to have a seat at the table of a dinner party it is leaving. In fact, it expects ICO to be treated as special guest at that party, given a special seat to impress the other diners with its raconteur wit.

Chapter VII, Section 3, Article 68 of GDPR is very clear about who gets invited to that dinner party: member states only. Sure, maybe you could get an invite to the reception, but you won’t get an invite to the wedding.

So that’s the Government’s first great idea squashed.

The next of the two key aspects is “Certainty and Stability.” Brace yourself for this one.

The UK’s data protection law fully implements the EU framework, and this will remain the case at the point of our exit from the EU. On this basis, the Government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force.

If you’re thinking “did the UK government basically just threaten the EU with emotional blackmail?”, you’re right. In this paragraph they are demanding that the EU accepts any framework that the UK comes up with in exchange for the UK’s acceptance of GDPR.

At the very least, our Government is demanding that the UK be exempted from being held to data adequacy while still receiving it.

This is delusional.

Reinventing the wheel

Turning to the legal bases for data transfer adequacy, the paper says

The new EU data protection framework also sets out a number of legal bases other than adequacy for transferring personal data to countries outside the EEA (see Annex A). Once the new framework has come into force, businesses and public authorities operating within and outside of the EEA will need to have one or more of these arrangements in place to underpin their transfers of personal data to non-EEA countries that do not have an EU adequacy decision. However, simply extending these provisions or establishing new ones to cover personal data transfers between the UK and the EU would be more burdensome for businesses and public authorities in both the UK and the EU, and would represent a missed opportunity to build a new partnership that reflects the close alignment of our data protection frameworks.

In other words, the existing legal bases are complicated. So they want to invent a whole new system with whole new bases from scratch.

And yes, that’s even more complicated. But better to have an incredibly stupid idea made in Britain than a daft but workable idea made in Brussels. Right lads?

Down the rabbit hole

The paper takes a few paragraphs to note some alternative international data protection frameworks, including the Council of Europe’s Convention 108, the OECD Guidelines, and the APEC Privacy Framework. These frameworks are normally obscure things which only interest digital law students (*secret hand signal*) for comparative purposes.

Yet their inclusion in the white paper indicates that the Government will be examining these frameworks as potential models for the post-EU data protection landscape.

Expect the Minister of State for Digital to embark on many “fact finding trips” to coincidentally excellent holiday destinations in the near future.

Don’t mention the TCNs

Now at this point it must be said again: GDPR is just part of a healthy data protection framework.

The UK is not a healthy country.

What you won’t find in this paper is anything about the Investigatory Powers Act, GCHQ’s mass surveillance, the Watson ruling, withdrawal from the ECHR provisions that protect individuals from abuses of their data, or technical capability notices, much less the existential threats to the concept of third party data adequacy itself such as the likely breakdown of Privacy Shield.

All of these things will be taken into consideration when the EU decides whether the UK is an adequate third country.

We are barely an adequate country right now within the European Union. Now our Government wants us to keep all of the best benefits while committing all of the worst abuses.

This is not going to happen. It is going to be a car crash. Car crashes are fun to watch; not so much when you’re the passenger.

If you want to read the rest of the white paper go right ahead. You won’t learn much. But it was never about learning and it’s barely about an actual data protection framework. If many of these ideas seem like fantasy that’s because they are. As the Panopticon blog puts it:

The Brexit negotiations are not about law, or even logic. They are about politics and have more layers than a very old tree. Nothing will be easy. We are in new territory and while everyone agrees that sorting out data protection post-Brexit is important, how that is done and what is prioritised will be determined by more things than are dreamt of in your philosophy.