British intelligence agencies risk ‘hard border for data’ across island

Difficult to reconcile EU standards for data protection with UK laws enabling British intelligence services to access such data

There is the risk of a ‘hard border for data’ across the island of Ireland that could disrupt cross-Border services and companies from January 1st.
There is the risk of a ‘hard border for data’ across the island of Ireland that could disrupt cross-Border services and companies from January 1st.

There is the risk of a "hard border for data" across the island of Ireland that could disrupt cross-Border services and companies from January 1st, due to concerns about British intelligence services' access to personal information and plans to cut regulations.

The data adequacy decision is taken by the European Commission separately to the negotiations with the UK on trade, like a decision on financial services equivalence that will determine the access of much of the City of London to the EU market.

Commission officials are engaged in discussions with British counterparts to establish whether a decision is possible, while monitoring progress in the broader trade deal negotiations. It is much more difficult to grant a data adequacy decision to Britain in the absence of a trade deal, according to officials.

In order for personal data to be seamlessly sent out of the bloc, EU law requires a decision by the European Commission that the protection of such information in the other jurisdiction is roughly equivalent to EU standards.

READ SOME MORE

Activities

The absence of an adequacy decision would affect day-to-day activities in many companies, particularly in services. For example, a company in Cavan whose payroll is usually done over the border in Fermanagh would no longer be able to seamlessly send the names, addresses and bank details of employees that allow the payments to be made.

There are also serious implications for cross-Border healthcare. And NHS administrators have been advised to review their patient data storage and transfers and familiarise themselves with the paperwork that would be required if adequacy is not granted.

It is difficult to reconcile EU standards for data protection with UK laws that allow British intelligence services to access such data.

A ruling by the the Court of Justice of the European Union found that the collection of bulk communications data by intelligence agencies allowed by British law is contrary to EU protections.

Though Britain’s treatment of data was largely unchallenged while it was in the EU and it implemented the EU’s data protection and privacy law GDPR, it is another matter now that the state is outside the bloc, according to EU sources.

In particular, the fact that the UK is a member of Five Eyes – an alliance to exchange intelligence made up of Australia, Canada, New Zealand the UK and United States – raises concerns that personal data could be exposed to surveillance, The Irish Times understands.

“You can’t transfer data to a third party that can’t ensure data privacy . . . Intelligence services can’t access it, and it’s never been a secret that in the UK they do that,” an EU diplomat said.

“Creating adequacy now that the UK has left is very very difficult and in some senses seems to be impossible.”

Changes

“That only changes if the undertakings of the UK change in respect of privacy rules in the way they deal with this kind of information. Then we might be able to issue an adequacy decision – if they guarantee the secret services don’t have that access, which they currently do.”

The prospects for an EU adequacy decision were also dampened by an announcement by British prime minister Boris Johnson earlier this year that Britain would seek to diverge from its current standards and "develop separate and independent policies" in areas including data protection.

If no adequacy decision is made, the cost to companies in the UK will be between £1 billion (€1.1 billion) and £1.6 billion, according to a recent study by the New Economics Foundation of the UCL European Institute.

For companies, the cost of compliance would be roughly £3,000 for a micro business, £10,000 for a small business, £19,555 for a medium business, and £162,790 for a large business, with risks of GDPR fines, reduced EU-UK trade and investment, and the potential for services to leave the UK for the EU, according to the study.

Decision

This is because in the absence of a data adequacy decision, companies must use “standard contractual clauses” to send data, a contract that commits the organisation receiving the data to observing EU standards, gives the individuals who the data relates to the ability to pursue legal complaints and states in which jurisdiction disputes will be settled.

An alternative mechanism, binding corporate rules, can also be used by large firms or company groups to transfer data internally and externally.

MEP Clare Daly said it was unclear whether a data adequacy decision by the EU is possible or even desirable, arguing that in the past, the EU Commission should have been stricter in its adequacy decisions and that standard contractual clauses may offer better data protection.

"The UK's data protection practices, and its surveillance programmes, are already seriously problematic, so it's hard to see how the UK regime post-Brexit could be said to offer protections that are 'essentially equivalent' to those required by EU law," Ms Daly said.

“There have been signals from the UK in recent months in regard to possible post-Bexit data protection changes which would only make these problems more acute. So adequacy decisions may not be possible or desirable.”

Naomi O’Leary

Naomi O’Leary

Naomi O’Leary is Europe Correspondent of The Irish Times