44.Data protection or data privacy (the terminology differs regionally) is comprised of three concepts: individuals having rights in relation to data that can be used to identify them; the existence of a legal framework to regulate data processing; and the existence of remedies for private and public sector breaches of data processing regulations.85 Professor Christopher Kuner described the rationale for data protection:
The reason that we provide legal protection for data privacy is that processing of data that identifies you may have serious implications for individuals, for their dignity as a person and it can also lead to all sorts of harms, including misuse of data in ways that violate your expectations, discrimination and even serious human rights violations.86
We heard that data protection, in addition to having a role in protecting consumers’ dignity, has an important role in facilitating digital trade. techUK described “strong and robust data protection frameworks” as a “crucial prerequisite to ensuring enduring public trust and support in the cross-border flow of data.”87 This aligns with the evidence submitted by Which?, that consumers “were widely concerned” about implications that the free flow of data between the UK and other countries may have on consumer data protection rights.88 DIT has acknowledged the link between data protection and digital trade, submitting that “the free flow of data needs to go hand in hand with data protection.”89
45.In CEPA, Article 8.80 outlines the requirement for each party to “adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce” and to “endeavour to adopt non-discriminatory practices in protecting users of electronic commerce from personal information protection violations occurring within its jurisdiction.”90 A footnote to this provision states:
For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.91
46.Some stakeholders expressed concerns over this provision. For example, Nick Ashton-Hart, representing the International Chamber of Commerce UK, questioned the strength of this obligation, saying that “endeavouring to adopt is not exactly a hard obligation.”92 Beyond this, we heard criticisms of the footnote to the provision, specifically the phrase “the enforcement of voluntary undertakings by enterprises relating to privacy”. Sue Davies MBE of Which? stated that this “could be interpreted to mean that self-regulation [was] equivalent to the sort of robust regulatory regime that we have at the moment”.93 This view was shared by Javier Ruiz Diaz, an independent trade consultant, who described the inclusion of voluntary undertakings as “accepting a lower redemption” and its inclusion amounting to “accepting that there are lower, less intrusive data protection mechanisms that are equally valid for the UK”.94 Professor Christopher Kuner said:
I can see two possible ways of interpreting it. One is that it would be sufficient if data protection or data privacy is protected by a self-regulatory regime. This is where I think these concerns come from, and I can understand those concerns, but it seems to me that another possible interpretation might be that the Japanese administrative system relies more than our systems do in the west on co-regulation, such as trust marks and alternative complaint resolution systems. I think this gets down to what is intended here by the parties.95
47.In a data protection explainer following the agreement of CEPA, the Government addressed what it called “misinformation in the public domain”.96 In response to claims that CEPA will force the UK to accept data protection frameworks which have lower protection standards, the explainer stated:
Nothing in the agreement undermines the UK’s data protection framework. Likewise, the deal does not require either party to accept lower data protection frameworks as equivalent with their own. In fact, the agreement contains a commitment to maintaining comprehensive legal frameworks to protect personal information (Article 8.80.2). The UK does this through our domestic data protection legislation including the Data Protection Act 2018 (DPA).97
48.The Minister of State for Trade Policy told us that the inclusion of the footnote:
does not imply that these provisions mean that UK personal data can be transferred to a country that relies on self-regulation as its only means of data protection, which I think is what some commentators have drawn out, or attempted to assert, as a result of that footnote.98
He reiterated that the provisions “do not provide the legal basis for the transfer of personal data from the UK”, with those transfers being regulated by the UK’s domestic legislation.99 Graham Floater, Director of Trade Policy at DIT, added that the “voluntary undertakings are simply part of a number of different ways in which that country can meet that provision, but it is additional to the protections that already exist for UK citizens.”100
49.Article 8.84 of CEPA commits parties to “not prohibit or restrict the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.”101 This provision commits to the free flow of data subject to an exception—which is found in other agreements, including CPTPP—allowing for measures required “to achieve a legitimate public policy objective”, such as protecting consumers’ privacy.102
50.We heard differing views on whether this exception is broad enough to allow the UK to maintain its current domestic data protection regime, with Dr Emily Jones, Beatriz Kira, and Danilo B. Garrido Alves describing this area as giving rise to “disagreements among experts”.103 Professor David Collins described this exception as “incredibly strict”, requiring a measure to be the “only one that could achieve” the relevant policy objective.104 When asked whether the UKGDPR could be maintained through this exception, Professor Collins suggested that the exception in CEPA “doesn’t look like it would be sufficiently broad to do that”, noting that whether the provision in CEPA is met is judged by a neutral arbitration panel, and that the exception in CEPA is “slightly” broader than that contained in CPTPP.105
51.We also heard evidence supporting the exception being sufficiently broad to maintain the UK’s domestic data protection regime. Hosuk Lee-Makiyama commented that the “UK and EU GDPR is deemed by most mainstream lawyers to pass” the tests contained in the exception, highlighting that CPTPP members such as “Canada, Japan and New Zealand, whose legal systems are more or less conforming with GDPR” have not been actioned on the basis of their domestic data protection regimes being incompatible with their commitment to allowing for the free flow of data.106 The ICO took the following view on the effect of the provision committing to the free flow of data in CEPA:
We do not [ … ] know how the provisions in Article 8.84 of the Agreement, covering restrictions on data flows, could theoretically be triggered by Japan, as there is little international precedent.
Having said this, we do not see significant risks for UK data transferred to Japan. Under article 8.84 the UK would clearly have a strong case that UKGDPR would constitute a ‘legitimate public policy objective’ and the protection required for transfers could be a justified restriction.107
52.The Minister of State for Trade Policy said that it was “strongly” the Government’s “view that the CEPA does not have an impact on our domestic data protection regime.”108 Graham Floater added that the Government has “discussed this with the ICO” and has “taken legal advice”, which showed “this has no impact on the UK’s Data Protection Act or the way in which that operates.”109
53.Data protection rules and relevant provisions in FTAs are complex and open to diverging legal interpretations. We welcome the Government’s attempts to address concerns about data protection through its data protection explainers. However, we have heard significant concerns about the data protection provisions and exceptions to the provision committing to the free flow of data in CEPA. We recommend that the Government produces an expanded data protection explainer which addresses these concerns in greater detail, drawing upon relevant legal and non-legal precedent.
54.We recommend that, as a part of its published impact assessments for future agreed FTAs, the Government includes its assessment of the agreement’s impact on the protection of UK citizens’ data. This assessment should outline the UK’s domestic data protection regime, any relevant commitments made in the new FTA, and any effects that those commitments have on the UK’s ability to maintain its data protection regime.
55.Some witnesses raised concerns over whether the UK’s commitments in its FTAs could result in UK citizens’ data being transferred to third countries with insufficient data protection safeguards. This manifested itself in two risks: the risk of data being transferred through a legal mechanism, and the risk of data being transferred due to practical difficulties in preventing its transfer.
56.First, there is a potential issue caused by what Javier Ruiz Diaz referred to as “overlapping regimes of free flows of data” caused by Japan agreeing to the free flow of data in FTAs with both the UK and the US.110 He explained that the US may have a legal claim against Japan for “breaching [the US-Japan FTA] by trying to restrict the data of the people from the UK or from the EU from going there.”111 He described the US’s legal claim to require Japan to transfer UK citizens’ data to the US as a “very good case.”112 However, this analysis was disputed by Hosuk Lee-Makiyama, who outlined how onward transfers from the UK’s FTA partners to third countries without sufficient safeguards are “explicitly forbidden” under the UKGDPR.113
57.The Government has downplayed this risk. In the relevant section of CEPA’s data protection explainer, it said:
transfers of personal data from the UK to Japan will continue to be protected by UK GDPR and the Data Protection Act 2018, under the preserved effect of the EU’s adequacy decision for Japan. This recognises that there are appropriate protections in place when personal data is transferred from Japan to other countries and does not provide for the onward transfer of UK or EU data using APEC CBPR [a data protection system developed and endorsed by the APEC economies].114
58.A second potential risk is that of practical difficulties in preventing onward transfers without sufficient safeguards, even though such transfers are forbidden by the UKGDPR. One practical difficulty may come in the form of improper labelling of UK citizens’ data in foreign jurisdictions. Dr Kristina Irion, Assistant Professor at the University of Amsterdam, explained that if “UK personal data is not labelled and kept separately from other personal data, it could easily be subject to onward transfer to yet another third country and from there to yet another third country.”115
59.The Minister of State for Media and Data outlined that a UK citizen who feels that their data protection rights have been contravened can pursue a complaint by raising it with the ICO, or with the relevant data protection body in the country where they feel the contravention may have occurred, some of which have a Memorandum of Understanding facilitating cooperation with the ICO.116
60.Digital trade regulations are affected by a mix of domestic law and international commitments. The UK’s current and future FTA partners may have made commitments concerning the free flow of data to third countries. We recommend that the Government specifically addresses the practical risk of UK citizens’ data being passed on to third countries without sufficient safeguards in its published assessments of the impact on the UK’s data protection regime for future agreed FTAs, considering both legal and non-legal mechanisms to prevent such transfers.
61.The UKGDPR, which alongside the Data Protection Act 2018 regulates the data of UK citizens, came into force on 1 January 2021. The ICO—which is the body in charge of managing the UKGDPR—told us that the UKGDPR is “derived from the EU GDPR” and “seeks to enable data flows via measures to protect personal data when it is transferred to a third country.”117 The legislation allows for third countries’ data protection systems to be granted ‘adequacy regulations’, the UK regime’s equivalent to the EU’s ‘adequacy decisions’, which allow for UK citizens’ data to be transferred to those countries without further safeguards. For transfers to countries without an ‘adequacy regulation’, the UKGDPR allows for transfers under alternative safeguarding measures, such as standard contractual terms.118
62.We received positive evidence concerning the Government’s decision to replicate the EU’s GDPR in the UK’s data protection regime. Which? described the UK’s data protection regime as delivering stringent protections for UK consumers, calling for the protections provided in the regulations to be built upon rather than eroded.119 Diana Avila, of TransferWise, and David Holman, of Armour Communications, both described the GDPR as the “gold standard”, and ultimately expressed support for the regulation despite time taken to initially adapt to the GDPR and a potential increase in costs that comes with following it.120
63.In March 2021, the Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden, expressed an interest “in reforming our data laws” and “taking a slightly less European approach” to data protection.121 When asked about plans to modify the UKGDPR, the Minister of State for Media and Data said:
GDPR is certainly not perfect, and in some areas it has proved to be quite burdensome. We are not seeking to dismantle our entire data protection regime but certainly we are interested in making what changes can be achieved that will make it easier for data to be shared, while not diminishing the standards of protection.122
64.In February 2021, the European Commission granted the UK a draft data adequacy decision, which—if formally enacted—would allow EU citizens’ data to pass into the UK without any additional safeguards. Data adequacy from the EU was considered important by a range of stakeholders, including businesses and data privacy organisations. A study by UCL and the New Economics Foundation found that the UK not receiving an adequacy decision from the EU would cost UK companies between £1bn and £1.6bn, amounting to around £5,000 in legal costs for each small business.123 Business representatives expressed the importance of maintaining adequacy, with the CBI describing adequacy with the EU as a “top priority for business”.124
65.If adopted, the EU’s adequacy decision in relation to the UK will be unilaterally revocable, and in any case will be reviewed within four years. Two potential threats to maintaining an adequacy decision emerged in the evidence we received. These were the possibility of the UKGDPR diverging from the EU’s, and the UK’s FTA commitments resulting in the EU no longer considering the UK’s data protection regime adequate.
66.Dealing first with changes to the UKGDPR, Dr Emily Jones, Beatriz Kira and Danilo B. Garrido Alves suggested that “departing from the GDPR would place the UK’s adequacy decision [ … ] at risk.”125 Following the Secretary of State for Digital, Culture, Media and Sport’s comment that the UK take a “slightly less European approach” to privacy, the Minister of State for Media and Data told us that, in order to maintain adequacy with the EU, the UK does not need to adopt “every dot and comma of the GDPR regulations”, it only needs to maintain a high standard of data protection.126 He told us that the UK has the opportunity to make “some small tweaks” to the UK’s data protection laws, citing the EU GDPR’s impact on small businesses as an area for improvement.127
67.Second, witnesses expressed concern about the effects of the UK’s FTA commitments on data adequacy. For example, Which? suggested that the free flow of data provisions in CEPA may put the UK’s adequacy decision at risk. Similarly, the UKTPO highlighted that the EU’s GDPR takes rules governing onward transfers of personal data into account for adequacy decisions, with accession to CPTPP meaning that the UK would potentially accept free flows of data with countries which do not have adequacy decisions with the EU.128 In its non-binding resolution evaluating the European Commission’s approach to UK data adequacy, on 12 May 2021, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs expressed concerns over the risk of onward transfers without sufficient safeguards. Highlighting accession to CPTPP as a particular area of concern, the Committee’s resolution states that it:
Takes note that on 1 February 2021, the UK sent a request to join the Comprehensive and Progressive Trans-Pacific Partnership (CPTTP), in particular to ‘benefit from modern digital trade rules that allow data to flow freely between members, remove unnecessary barriers for businesses [etc.]’; notes with concern that there are 11 members of the CPTTP, eight of which do not have an adequacy decision from the EU; is strongly concerned about potential onward transfers of personal data from EU citizens and residents to these countries if the UK is granted an adequacy decision;
Regrets that the Commission did not assess the impact and potential risks of the Agreement between the United Kingdom of Great Britain and Northern Ireland and Japan for a Comprehensive Economic Partnership, which includes provisions on personal data and on the level of data protection;
Is concerned that if the UK includes provisions on data transfers in any future trade agreements, inter alia US-UK trade agreements, the level of protection offered by the GDPR would be undermined.129
68.Three CPTPP signatories have received data adequacy decisions under the EU’s GDPR. The Institute of Export and International Trade described membership of CPTPP and maintaining data adequacy as not a “binary decision”.130 Dr Emily Jones, Beatriz Kira and Danilo B. Garrido Alves, and the UKTPO told us that Japan—a CPTPP member with a data adequacy decision from the EU—was required to modify its domestic data protection regime to treat EU data differently from non-EU.131 Dr Emily Jones, Beatriz Kira, and Danilo B. Garrido Alves called this a “two-tier data protection regime”, referring to the differing arrangements for EU data and non-EU data in Japan.132
69.When asked whether the UK may move towards a two-tier data protection regime itself, the Minister of State for Media and Data said the Government does “not intend to diminish [the UK’s] standards of data protection in a way that could threaten EU adequacy.”133
70.Retaining an adequacy decision from the European Commission is a priority for both businesses and consumers. We welcome the Government’s progress in achieving a draft adequacy decision, and its focus on retaining such a decision. We recommend that, as a part of its published impact assessments for future agreed FTAs, the Government includes an assessment of each agreement’s potential impact on maintaining an adequacy decision from the European Commission.
71.Accession to CPTPP is potentially a good opportunity for the UK in facilitating and encouraging digital trade. However, we heard that joining CPTPP may result in changes to the way data—particularly EU citizens’ personal data—is handled in the UK. We recommend that the Government states what changes it anticipates in the management of EU citizens’ personal data in the UK as a result of accession to CPTPP and the impact of any changes on UK stakeholders.
72.Amending the UKGDPR could create a simpler, more effective regulatory regime. We welcome the Government seeking to build on the UKGDPR but call on it to set out how it will depart from the EU’s GDPR while maintaining data adequacy and minimising any additional regulatory burden for businesses.
90 Foreign, Commonwealth and Development Office, Agreement between the United Kingdom of Great Britain and Northern Ireland and Japan for a Comprehensive Economic Partnership, CP 311, October 2020, p 216
91 Foreign, Commonwealth and Development Office, Agreement between the United Kingdom of Great Britain and Northern Ireland and Japan for a Comprehensive Economic Partnership, CP 311, October 2020, p 216
96 Department for International Trade, UK-JP CEPA—a good deal for data protection, p 2
97 Department for International Trade, UK-JP CEPA—a good deal for data protection, p 2
101 Foreign, Commonwealth and Development Office, Agreement between the United Kingdom of Great Britain and Northern Ireland and Japan for a Comprehensive Economic Partnership, CP 311, October 2020, p 219
102 Foreign, Commonwealth and Development Office, Agreement between the United Kingdom of Great Britain and Northern Ireland and Japan for a Comprehensive Economic Partnership, CP 311, October 2020, p 219
114 Department for International Trade, UK-JP CEPA—a good deal for data protection, p 2
116 Letter from the Minister of State for Media and Data to the Chair regarding UK personal data transfers, 5 May 2021
121 “Government to reform data protection laws to spur economic growth”, Sky News, 11 March 2021
123 New Economics Foundation and UCL European Institute, The Cost of Data Inadequacy: The Economic Impacts of the UK failing to Secure an EU Data Adequacy Decision, pp 2, 26
124 Advertising Association (DTD0004), Federation of Small Businesses (DTD0005), Professional and Business Services Council (DTD0013), techUK (DTD0015), Law Society of Scotland (DTD0016), The Institute of Export and International Trade (DTD0017), CBI (DTD0022)
129 European Parliament resolution on the adequate protection of personal data by the United Kingdom (2021/2594(RSP))
Published: 28 June 2021