UK-Japan trade deal threatens UK citizens' online privacy, ORG warns

Adopting a 'free flow of data' approach would be a radical departure from the UK's current position, argues the Open Rights Group

Clauses in the recently announced UK-Japan free trade agreement pose an "existential threat" to the data protection rights in the UK, the Open Rights Group (ORG) has warned.

The UK signed its first post-Brexit trade deal with Japan last month at a ceremony in Tokyo, with the government announcing that the deal could bring £15.2 billion to the British economy over the next 15 years.

The new arrangement replicates most of the current free trade agreement between the EU and Japan, but also adds new clauses around data sharing, including a "free flow of data" across their borders.

The two countries have agreed not to enforce localisation requirements, meaning that Japanese firms like Sony, and British fintech companies, such as Transferwise and Revolut, can operate from offshore servers.

Both countries also said that they would not share their encryption information or mandate disclosure of the source code of their algorithms or software.

In a blog post, Jim Killock, executive director of ORG, and Heather Burns, policy manager at the organisation, state that adopting a "free flow of data" approach would be a radical departure from the UK's current position, where British firms are allowed to transfer users' personal data only when they guarantee that users will continue to have similar rights over access, correction and deletion of that data as they enjoy in the UK.

They argue that the new trade deal would force the UK government to accept lower data protection frameworks, "as compatible with the UK's world leading privacy framework".

Burns and Killock believe that the deal would create a "gateway" for users' data to flow to other countries that also have "free flow of data" trade deals with Japan.

"Worryingly, this will permit UK data to be transferred to the USA, without it being kept under GDPR-style protections," they write.

The ORG warns that once British users' data reaches the USA, their users' rights "would effectively cease," and users would no longer be able to know where their data is held and by whom. Not only that, they won't be able to prevent the reuse or resale of their data.

"You cannot ask for your data to be deleted. If it is lost, then there is no legal barrier to a third party from obtaining it and using it," the ORG warns.

The privacy organisation says that the government could still try to impose restrictions against the flow of data to the USA, although it appears unlikely that it would do so.

"It is unacceptable for the UK to shift from the high levels of data protection we currently enjoy to a data free-for-all through obscure clauses in a trade agreement," the ORG says.

"Parliament must demand answers, and ensure the Government ' freezes ' these clauses from the treaty."

The warning from the ORG comes within a week its privacy advocates filed a legal challenge against the UK's privacy regulator, the Information Commissioner's Office (ICO), over its alleged failure to stop unlawful practices by the AdTech industry.

The ORG and Michael Veale (a lecturer in digital rights at the University College London) made a complaint to the ICO in September 2018 about systemic GDPR breaches by the AdTech industry. Responding to Killock's and Veale's complaint in 2018, the ICO ordered a probe and found that there were indeed many systemic issues with industry practices, such as the sharing of users' browsing history and personal information without any control over who is allowed to access peoples' personal data. However, the ORG says that the ICO has now completely wrapped up its investigation, without taking any appropriate action against the wrongdoers.

In a statement, the ICO said that it was aware of the matter, and that it would be decided by the Tribunal in due course.