The Irish Council of Civil Liberties has written to the European Commission, arguing that the UK should be denied a crucial ‘adequacy’ status in handling EU citizens’ personal data after Brexit.
If the EU agrees, it would mean that trade between the UK and EU could be affected, potentially affecting “billions” in trade transactions, according to ICCL.
The letter has been sent by Johnny Ryan, who recently joined the ICCL as a senior fellow after a role as chief privacy officer at the web browser Brave.
In the letter, Dr Ryan linked the lack of adequate protection for data privacy in the UK to what he describes as a failure to deal with complaints about ‘real time bidding’ methods employed in the online advertising ecosystem. Mr Ryan has previously described this real time bidding setup as the “largest data breach of all time”.
“Under the terms of Article 45(2)b of the GDPR, an adequacy decision is impossible because the UK’s data protection supervisory authority, the Information Commissioner’s Office, does not meet the test of an effectively functioning supervisory authority,” the ICCL’s senior fellow, Johnny Ryan, wrote in a letter to three key European Commissioners, Margrethe Vestager (Competition and Digital), Didier Reynders (Justice) and Thierry Breton (Internal Market).
“The UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights. As a consequence, the personal data of data subjects in the Union do not at present have an adequate level of protection in the UK. Therefore, we suggest to you that the inescapable conclusion is that the UK must be unable to benefit from an adequacy decision at the present time.”
Dr Ryan and the ICCL have previously complained to the Irish Data Protection Commissioner about the same real time bidding issue.
Last month, he published data suggesting that the system was allowing online advertising companies to target incest survivors, AIDS patients and substance abuse victims as ad categories, in contravention of EU rules that are supposed to exempt especially sensitive categories of activity, including some health topics.
“The consequences of this should be of utmost concern to the European Commission, endangering the right to protection of personal data and going so far as to interfere in elections within the Union,” Dr Ryan said in his letter to the EU Commissioners.
“The ICO has failed over the last two years to take any substantive action against the largest data breach that the UK and EU have ever experienced. It would be unreasonable to anticipate that it will perform any better after Brexit is complete.”
Dr Ryan said that a failure to secure an adequacy decision from the European Commission “would introduce friction and uncertainty” to EU-UK data transfers that could jeopardise 13pc of the UK’s global exports.
“The UK Government reports that UK exports of personal data-enabled services to the EU accounted for £85bn in 2018,” he wrote. “The UK’s total global exports in the same year were £655.5bn.”
The UK Information Commissioner’s Office said it’s “already equipped for its new role as UK data-protection supervisory authority both during transition and beyond” and is “supporting businesses in the run-up to the transition period with guidance and advice”.
The UK’s Department for Digital, Culture, Media and Sport said in an emailed statement that it’s “committed to high data protection standards and the UK is a global leader in protecting people’s personal data”.
The ICO “already meets the EU’s criteria of an effective and independent data supervisory authority and is capable of fulfilling this role through the transition period and after it ends”, the DCMS said.
The European Commission declined to immediately comment beyond pointing out that adequacy talks with the UK are ongoing. It said the goal is to adopt a decision “by the end of 2020, if the applicable conditions are met”.
[Additional reporting Bloomberg]