When Boris Johnston stood on the steps of Number 10 for the first time, he delivered a speech that centred on how to unleash Britain’s productive power. techUK believe emerging and transformative digital technologies, such as AI, hold the key to increasing productivity and creating the high-skill, high-wage economy the Prime Minister aspires to, as well as solving some of the greatest challenges we are facing, from an ageing society to the climate emergency.
It would seem that the PM agrees. The recent investment of £250 million for AI in the NHS is a clear indication that unleashing the power of advanced, digital technologies is high on the new government’s agenda.
However, it’s time to be absolutely clear. Realising the full economic and social power of advanced, innovative digital technologies will not be achieved without data. Data is the fuel powering innovative fourth industrial revolution technologies such as the Internet of Things, Machine Learning, AI and Autonomous Connected Vehicles.
In our modern digital economy the flow of data is an integral part of trade and business across the UK as well as between the UK, Europe and the rest of the world.
For example, businesses on both sides of the Channel hold the data of their customers and employees and use it to manage operations, customise market services, fulfil orders and communicate in a wide range of ways. The free flow of data is something that underpins all of these and therefore to continue to enable the timely and personalised services we have become accustomed to the smooth flow of data between the UK and the EU must be maintained.
If data is not able to flow smoothly between the UK, Europe and the rest of the world the UK’s ability to unlock the productive power of current and future digital technologies, as well as to continue to be a world leader in the development and adoption of responsible, digital innovation, will be put at risk.
Currently, the transfer of personal data is tightly regulated inside the EEA and requires a very high level of protection. The transfer of such data is relatively simple inside the single market because it is protected and policed by the EU’s unified data protection regime, meaning that even where the sender and receiver of data are in different EEA states data can be transferred easily. This is because both states are bound by a common data protection framework where the transfer is treated as having taken place within a single jurisdiction. This framework is supported by common data protection rules applied within the EEA, the General Data Protection Regulation (GDPR).
When the UK leaves the EU we will leave this common data protection framework and become a third country. To continue to meet the thresholds GDPR sets out for data transfers to third countries UK businesses will have to demonstrate alternative mechanisms that meet adequate standards. Such mechanisms can be difficult to put in place, requiring changes to business contracts and companies to spend more time examining how they transfer data in order to avoid being penalised by regulators.
The UK can apply for an adequacy decision from the EU which would allow data to flow freely without these mechanisms, however, to achieve this it will have to be assessed by the European Commission and granted adequacy. The length of this process is uncertain, however the shortest time an adequacy decision has been reached so far (with Argentina) was 18 months.
The European Commission has said it will not begin assessing the UK until it has left the EU. This assessment could take place during a transition period agreed as part of a Brexit deal, where we would temporarily maintain access to the EU’s common data protection framework. However, in the event of no deal the requirements for transferring data will change on day one, with many business suffering extra administrative costs and having to justify their data protection measures to potential clients, where they didn’t have to before. The longer it takes for the UK to receive an adequacy agreement with the EU the bigger impact these changes will have on business.
The decision-making process for an adequacy decision will require the European Commission to do an assessment of the UK’s data protection rules. The UK has committed to maintaining GDPR, however concerns around how the UK’s security services can access personal data and any changes to our data protection rules made during an adequacy decision could slow this process down.
The impact of failing to reach agreement on the free flow of personal data is a critical risk not just to the UK tech sector, but to every business in the UK which sends or receives personal data from the EEA.
techUK welcomed the previous administrations commitment to seeking a data adequacy agreement as a matter of priority, and due the importance of maintaining the free flow of data techUK urges the new Government to restate this priority to receive an adequacy agreement with the EU and set this priority clearly ahead of attempts to reform UK data protection rules or negotiating terms in any trade agreements that would significantly impact how the UK handles personal data.
techUK wants to see the UK to become a world leader in innovation with a gold standard in data protection, this means ensuring that the UK is granted an adequacy decision so that UK business is not hindered in its ability to access and transfer data or that UK business faces a competitive disadvantage due to uncertainty around the strength of data protection being used by UK business.