Amid the kerfuffle over the possible sale of the NHS as part of the leaked UK-US trade agreement late in November, something slid through largely unnoticed. The two countries seemed to be negotiating a closer future relationship in which they would exchange personal information much more freely.
Today, Europe and the US have an adequacy agreement called the Privacy Shield. This lets companies in Europe export data to companies in the US, even though the US does not have a federal privacy law in line with GDPR. In one section of the leaked trade agreement document, titled “Data: UK’s overarching data protection regime, and Free Flow of Data,” negotiators suggest keeping this arrangement for the time being, but switching it out for something more flexible in the future.
The document said: “The UK is looking for bespoke deal with adequacy as a starting point that underpins the existing relationship.” However, it also called adequacy “a flawed system that cannot become a global standard and is very difficult for developing countries in particular to adopt.”
Ashley Winton, partner at legal firm McDermott Will & Emery UK LLP and an expert in European privacy law, pointed to one suggestion raised in the document as an area of particular concern. It floated the idea of using the APEC Cross-Border Privacy Rules (CBPR) certification instead of Privacy Shield or GDPR, arguing that the US has problems with how GDPR is being implemented.
“By APEC’s own admission the APEC-CBPR is not as comprehensive nor as strict as the GDPR,” Winton told Infosecurity. “Alignment with these rules in the UK here will certainly cause eyebrows to be raised in Brussels, and likely threaten any adequacy determination over EU-UK data flows that the UK is seeking from its European friends.”
The documents may well be just a finger in the wind for the time being, but they’re worthwhile as a pointer to the possible future direction for governance of data flows between the two countries, with all the potential privacy implications that might bring.
