The Irish Council of Civil Liberties (ICCL) has written to the European Commission, arguing that the UK should be denied a crucial 'adequacy' status in handling the personal data of EU citizens after Brexit.
If the EU agrees, it would mean that trade between the UK and EU could be affected, potentially affecting "billions" in trade transactions, according to the ICCL.
The letter has been sent by Dr Johnny Ryan, who recently joined the ICCL as a senior fellow after a role as chief privacy officer at the web browser Brave.
In the letter, Dr Ryan cited a lack of adequate protection for data privacy in the UK based on what he describes as a failure to deal with complaints about 'real-time bidding' methods employed in the online advertising ecosystem. Mr Ryan has previously described this real-time bidding setup as the "largest data breach of all time".
"Under the terms of Article 45(2)b of the GDPR, an adequacy decision is impossible because the UK's data protection supervisory authority, the Information Commissioner's Office, does not meet the test of an effectively functioning supervisory authority," Dr Ryan wrote in a letter to three key European Commissioners, Margrethe Vestager (Competition and Digital), Didier Reynders (Justice) and Thierry Breton (Internal Market).
"The UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects' rights. As a consequence, the personal data of data subjects in the Union do not at present have an adequate level of protection in the UK. Therefore, we suggest to you that the inescapable conclusion is that the UK must be unable to benefit from an adequacy decision at the present time," he wrote.
Dr Ryan and the ICCL have previously complained to the Irish Data Protection Commissioner about the same real time bidding issue.
Last month, he published data suggesting that the system was allowing online advertising companies to target incest survivors, AIDS patients and substance abuse victims as ad categories, in contravention of EU rules that are supposed to exempt especially sensitive categories of activity, including some health topics.
"The consequences of this should be of utmost concern to the European Commission, endangering the right to protection of personal data and going so far as to interfere in elections within the Union," Dr Ryan said in his letter to the EU Commissioners.
"The ICO has failed over the last two years to take any substantive action against the largest data breach that the UK and EU have ever experienced. It would be unreasonable to anticipate that it will perform any better after Brexit is complete."
The UK Information Commissioner's Office said it's "already equipped for its new role as UK data-protection supervisory authority both during transition and beyond" and is "supporting businesses in the run-up to the transition period with guidance and advice".