The European Commission and the US government have taken the first formal steps towards a mutual agreement for enabling the transfer of personal data between the European Economic Area (EEA) and the US. Even though the UK is also attempting to broker a similar arrangement (an announcement was made in October 2022 suggesting formal UK regulations might be made in "early 2023"), is the post-Brexit UK actually less able to negotiate such deals, rather than – as some had suggested – better able?
One of the perceived (or claimed) benefits of Brexit was that when it came to international transfers of personal data, the UK would be able to forge its own relationships with third countries, and enter into arrangements which enabled such transfers. The evidence from the last twenty-four months, however, is that such arrangements may not be as easy to broker as the Government might have wished. The evidence even leads one to speculate whether countries might be reluctant to negotiate with the UK if doing so might prejudice their own negotiations with the European Commission.
Both the UK GDPR and the EU GDPR forbid the transfer of personal data outside their relevant jurisdictions unless it is in accordance with the specific provisions of those laws. If a third country has been found to have an adequate level of protection of personal data (one that is, in the wording of the recitals of the UK and EU GDPR, “essentially equivalent”) then there is a presumption of free movement of personal data between the UK (or the EEA) and the third country. Following Brexit, the UK and the European Commission recognised each other as having “adequacy”, and the UK also adopted the Commission’s existing adequacy decisions in respect of Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand and Switzerland.
In August 2021 the UK Government announced ambitious plans to "independently strike data adequacy decisions with our international partners…[using a] flexible approach… part of the government’s wider ambition for a thriving, fast-growing digital sector in the UK."
The announcement went on to say that a new flexible approach would answer the challenge of “rising restrictions on cross-border data flows” as identified in December 2020’s National Data Strategy.
Priority “destinations” for adequacy were identified: Australia, Brazil, Colombia, The Dubai International Financial Centre, India, Indonesia, Kenya, Singapore, the US and the Republic of Korea. However, since August 2021, only South Korea has been the subject of a UK adequacy decision, and that was 11 months after the European Commission had made its own adequacy decision in respect of the same country. (It is fair to note that the UK Government believes that the UK decision is slightly broader than the European Commission's, because, in its words, "UK organisations will be able to share personal data related to credit information with the Republic of Korea to help identify customers and verify payments".)
Then, on 13 December, the European Commission announced it had begun the process for formal adoption of a new EU-US adequacy decision. It seems, then, highly likely that that will be in place before the UK can negotiate a similar arrangement with the US (even though the October announcement in the UK had talked of "significant progress" towards a UK-US deal).
This indicates a potential problem with the UK’s aim of having a “flexible” and “independent” approach to adequacy. As an only-recently-departed EU member state, many of the UK’s main trading relationships are with countries that also (or still) have major trading relationships with the EU. So, the UK’s “priority destinations” for adequacy are largely also the European Commission’s. The signs are that those third countries may see the EU as more of a priority for negotiations than the UK (although the UK and the US did announce a joint data adequacy statement in October). If the only adequacy decisions the UK can broker are ones that follow on the heels of the Commission, then the benefits of independence in this regard would seem to be lacking. (The UK Government might counter that the UK has flexibility to make wider arrangements – as with the South Korea agreement.)
It is also worth bearing in mind that third countries may be keen to avoid putting negotiations, or potential negotiations, with the Commission at risk by being seen to negotiate too closely with the UK. The safer route, it might be argued, would be to secure adequacy with the Commission, and then the UK adequacy would likely be a 'shoo-in' (something that could not be said the other way round).
There might also be valid fears on the UK Government's part that granting adequacy to a country that has not been declared adequate by the Commission might adversely affect the UK's own adequacy status with the European Commission (especially as that arrangement will be reviewed, under a "sunset clause", in 2025). The perception might be that data could, in effect, be "funnelled" through the UK to third countries considered adequate by the UK – but not by the European Commission – allowing companies to enjoy lower liability but with weaker protection for EU data subjects.
When it comes to international trade agreements, legal arguments – and intentions of flexibility and independence – tend to fall aside in favour of more practical considerations. It seems likely international data agreements will follow much the same pattern.