British businesses and public sector organizations could face hefty additional costs if the UK loses its ability to share data smoothly with the European Union, according to a cross-party House of Lords committee.
In June 2021, the European Commission granted the UK “data adequacy” status after Brexit, allowing personal data to flow freely between the UK and the EU. However, this status is not guaranteed. If the UK’s data protection laws diverge significantly from EU standards, the Commission could revoke that status.
Post-Brexit, the UK is classified as a “third country” under EU rules, meaning the European Commission must periodically review whether it maintains an equivalent level of data protection for EU citizens. By June 2025, the Commission will assess UK compliance with both the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), which were incorporated into UK law via the Data Protection Act 2018.
After a seven-month inquiry into the UK’s EU data adequacy, the European Affairs Committee (EAC) urged Digital Secretary Peter Kyle to begin talks with the European Commission soon. The committee stressed that losing adequacy status could lead to numerous problems, such as new barriers to trade, increased costs, and complications in data sharing for policing and healthcare, potentially even jeopardizing the Good Friday Agreement.
The EAC highlighted the financial risks involved. Compliance with GDPR can be costly, and losing data adequacy could lead to significant fines for many organizations. For instance, estimates from the NHS Confederation and Understanding Patient Data suggest that the NHS could lose tens of millions of pounds, while UK businesses might face additional compliance costs of up to £1.6 billion.
Lord Ricketts, the committee chair, pointed out that the UK could face a “cliff-edge” in June 2025 if no agreement is reached. “The safe exchange of data is critical for our trade and cooperation with the EU,” he said. The EAC emphasized that securing timely data adequacy should be a top priority for the government.
To navigate these uncertainties, the EAC recommended early engagement with the European Commission to ensure a smooth data adequacy renewal process. It also suggested that the government should seek long-term renewal decisions that do not expire after a set period and engage proactively on any proposed data protection reforms.
In response to the EAC’s letter, a representative from the Department for Science, Innovation, and Technology mentioned that the science secretary had met with the EU Commissioner to discuss the upcoming review of UK data adequacy and maintain continuity of personal data flows.
The EAC also noted that evidence from its inquiry focused on previous government plans for the Data Protection and Digital Information Bill, which has now evolved into the Digital Information and Smart Data (DISD) Bill. This new bill, introduced as the Data Use and Access (DUA) Bill on October 23, 2024, aims to amend the UK’s implementation of GDPR and LED. The European Commission’s decision on the UK’s adequacy will depend heavily on the details of the DISD Bill.
The EAC pointed to potential risks stemming from the UK’s current GDPR regime, which, while not perfect, must not jeopardize adequacy status. Lord Clement-Jones noted that the fragility of the UK’s data adequacy situation calls for caution against significant changes to the GDPR framework.
The EAC identified two main risks to data adequacy: the European Commission’s renewal decision and possible legal challenges. Witnesses expressed concern that the Court of Justice of the European Union (CJEU) represents a greater risk than the Commission itself. They noted that the CJEU has previously struck down EU-US data-sharing agreements, reinforcing its stringent standards for privacy.
Should the UK lose its adequacy status, there may be a push for immediate alternatives like Standard Contractual Clauses or Binding Corporate Rules, but concerns remain over their legal validity in light of the Schrems II ruling.
Additionally, the EAC highlighted substantial issues regarding the ongoing use of US-based public cloud services by UK police and the criminal justice system. Experts warn that this reliance could pose significant risks to achieving LED adequacy due to the potential for unwarranted access to data by US authorities.
Concerns surfaced regarding police forces’ compliance with data protection laws, as investigations revealed instances of unlawful data processing within Microsoft 365. Furthermore, a pilot project in Scotland involving body-worn cameras has raised alarms over the legality of hosting data on US-based Azure servers.
Ultimately, the current situation suggests pressing challenges ahead for the UK’s data protection framework and its relationship with the EU. The government must ensure adherence to its own laws, or risk serious repercussions for data sharing and overall compliance.