Policy 15: Secure a Data Adequacy agreement as soon as possible

In collaboration with The Coalition for a Digital Economy (Coadec), we have produced a manifesto to make Britain the best place in the world to start and grow a business. It features 21 policies across three key policy areas: access to talent, access to investment, and regulation. We’re sharing the policies on our blog. To read the full manifesto, click here.

Data is the lifeblood of the UK’s startups, and that lifeblood must flow freely. After the UK leaves the European Union, we will become a third country to Europe’s data protection framework. This means that while UK businesses will still be able to send data to Europe as before, information flowing from Europe to the UK will require a lot more work.

Without a data protection adequacy agreement, meaning EU recognition of the UK’s domestic privacy framework as one which protects European data to European standards, startups will need contract-based legal structures to cover their data flows. While these contractual structures are easy for large tech companies, they can consume a startup’s time and funding.

The process of evaluating the UK as an adequate third country cannot begin until the UK has left the European Union - you cannot, after all, evaluate a third country which is not a third country yet - and would take no less than a year to adjudicate. Nor is an agreement guaranteed by any means. A range of issues, including the UK’s domestic surveillance programmes, stand in the way of the UK being deemed adequate.

It will be absolutely critical for government to ensure that an adequacy agreement can be achieved, as quickly as possible, to keep the UK’s startups afloat. This will mean remaining within the spirit and letter of the European data protection framework, supporting startups to devise contractual protections at the speed of business, and resolving domestic issues which could block an adequacy recognition.