UK-Japan deal dismantles UK

UK-Japan deal dismantles UK’s privacy protections

By Jim Killock

How can you commit the UK to changing its laws without asking parliament first? Well there's one obvious way: Put them in a trade deal.

The recent UK-Japan deal negotiated by Elizabeth Truss commits the UK to weakening restrictions on data transfers by accepting lower privacy standards. These commitments are aligned with those in other trade agreements the government wishes to sign. Yet this strategy has never been voted on, analysed or even explained to parliament.

The government's impact assessment has a bare two lines on data transfers. They merely describe what is intended, but offer no analysis of the impact. Such is the woeful level of information No.10 has supplied to parliament and the public.

This is a very telling test of parliament. The procedures for trade agreements were rightly criticised as giving parliament a very weak role in negotiations. They have no prior sight of documents, they do not set the negotiation mandate, they can only potentially vote on the substantive result. Now we finally see that result. How will parliament react? Will backbench MPs, the opposition and the lords hold the government to account?

The first thing parliament needs is information, which it has been denied. On digital privacy, academics are warning that the agreement pushes weaker protections for data transfers. In this it aligns with the government's ambition to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, which has similar standards. In a worst-case scenario, these agreements could end up with a mess of dual standards for data in the UK, or a loss of adequacy with Europe. Neither would be good for business, let alone privacy.

We need to know what aligning with lower standards for transfers means for consumers. Will their rights be weakened? How would problems be fixed? Does the government have any assessment of these problems? If it does, why are these not available and included in the impact assessment?

"Navigating multiple, possibly conflictual, regulatory regimes is no mean feat," academics at the UK Trade Policy Observatory wrote recently, "and careful analysis of how best to do this and the implications of moving away from the EU's approach is needed. What are the implications of the new UK-Japan provisions for data protection and privacy, and for an adequacy decision from the EU? The answers are far from obvious, the stakes are high, and the government's approach needs to be carefully analysed before the UK-Japan deal is ratified."

Our current standards, which originated with the EU, state that only countries with high data protection can be categorised as safe. They are there to safeguard consumer privacy. Deviating from them towards a more lax American model is a calamitous decision. Even the US Congress think US law is atrocious and there is a push across the Atlantic to provide a basic privacy safety net.

Digital privacy isn't the only danger area in the deal. There are also restrictions to prevent algorithmic transparency, deny access to source code and make online platforms' protections from liability contingent on copyright enforcement. There are protections for 'technical protection mechanisms' which may have implications for the right to repair your own devices.

Answers are needed in all these areas. But instead, the government is effectively asking us to look the other way. It doesn't have to be this way. Downing Street can seek to 'freeze' articles in the deal or even to amend them back to the status quo position in the EU-Japan Agreement. This need not be a fait accompli. But parliament must act now if it's to be stopped.

Jim Killock is the executive director of the Open Rights Group. You can follow him on Twitter here.

The opinions in's Comment and Analysis section are those of the author and are no reflection of the views of the website or its owners.