In late 2023, the UK government decided not to join an EU-backed interoperability project called Gaia-X. But, with a new government that’s friendlier to Europe and looming data adequacy deadlines following Brexit, the CEO of the organisation is hopeful the UK will reconsider.
This upcoming deadline means that the UK needs to take action to maintain data adequacy with the EU. The consequences for missing it could mean costly compliance complications for the UK’s institutions, including the NHS and the police, plus the prospect of hefty fines and other economic barriers for UK-based firms trading with the EU, a Lords committee has warned.
What is Gaia-X?
Gaia-X was initially designed as a way to reduce European reliance on US cloud providers. The association of governments and companies that form Gaia-X believe that, if data sits in US server rooms, then it is not sovereign or necessarily compliant with European data standards.
The EU and its member states have backed the project, which was founded in 2019, to the tune of €3.5bn (£2.9bn). Major European businesses such as BMW and Orange are on board and aviation giant Airbus recently claimed it was “all in” on the project.
By creating a new system of interoperable standards, the open-source project aims to automate regulations and keep data flows compliant regardless of which country organisations are based in. Its ‘data spaces’ organise data by industry verticals, so that businesses can choose which data they make available in a secure but decentralised and shareable way.
This data is all secured according to common standards through the ‘Gaia-X Clearing House’, which automates compliance, ensuring data flows between borders comply with the laws of both territories. This could mean that a business based in the UK would automatically be cleared for data flows with any EU-based entities and vice versa, should it choose to entrust its data to Gaia-X .
Solving the post-Brexit data adequacy puzzle
Following Brexit, the EU defined the UK as a ‘third country’ that would have to comply with EU laws, such as GDPR, in order to maintain the free flow of data between the territories.
One of these laws was the 2018 Data Protection Act, which eventually became UK GDPR in 2021. This was designed to ensure the UK complied with the flagship EU data regulation, GDPR, plus the Law Enforcement Directive. The introduction of these laws earnt the UK ‘adequacy’ status the same year.
However, because the UK remains a third country, it is subject to continuous re-evaluation of its compliance standards. This adequacy ruling expires in June 2025, when EU regulators will judge if the UK’s data regime remains fit for purpose. A House of Lords’ European Affairs Committee warned of the repercussions should the UK fail to maintain its adequacy status – painting a bleak vision for the UK’s economic outlook and the health of its institutions.
The previous government’s Data Protection and Digital Information (DPDI) bill aimed to reform the UK’s approach to GDPR while exercising some key differences from European counterparts. Some provisions, such as lack of oversight about biometrics and surveillance, were described as “controversial” by EU committees and citizen rights groups, who warned they would risk the UK failing its data adequacy tests.
That bill failed to come to pass before the general election.
The Labour government stepped in to pursue its own data protection reform, the data (use and access) bill. It promises to “harness the power of data for economic growth, support modern digital government and improve people’s lives”.
A spokesperson for the Department of Science, Innovation and Technology (DSIT) would not comment on whether the UK would reopen a dialogue with Gaia-X, instead emphasising the importance of “securing the continuity of personal data flows from the EU to the UK”.
However, for Gaia-X CEO Ulrich Ahle, encouraging the UK to join the data initiative remains a “priority”. He has travelled to London twice this year in an attempt to bring the UK on board with Gaia-X. “The UK is an important partner for a lot of our members in Europe,” he says. “Although it’s not part of the European Union, it’s still part of Europe. The UK has its own legislation and its own rules so there’s an opportunity to create interoperable data spaces based on that legislation.”
Gaia-X and the National Data Library
The government’s proposed National Data Library – a public-sector data store that technologists could utilise – shares some of the same intentions as Gaia-X.
Floated in Labour’s election manifesto, the National Data Library aims to provide “simple, ethical and secure access to public data assets, giving researchers and businesses powerful insights that will drive growth and transform people’s quality of life through better public services and cutting edge innovation, including AI”.
The data stored in this library would need to be interoperable, preserve privacy and be compliant. This would follow a similar approach to Gaia-X, says Amanda Brock, CEO of OpenUK, an open technology advocacy group which has established a Gaia-X hub in the UK. She hopes to discuss the idea with Gaia-X leadership at the OpenUK conference in February.
“We’re waiting for the consultation on the Data Library,” Brock says. “As long as we can demonstrate utility with what Gaia-X is delivering, I am hopeful that it will be incorporated into whatever the UK does with its data library model. But that will be subject to utility being demonstrated and funding being available.”
Openness and collaboration key to competition with the US
One of the hurdles to making Gaia-X a success, says Brock, is cultural. Unlike US businesses, which happily fund open-source organisations, Europe has struggled to foster this culture of collaboration in the digital space.
“In the US, you have a marketplace that understands collaborative working and funds large collaboration projects. That doesn’t really exist in Europe,” she says. “It’s a learning curve. We’re starting to see more European entities contributing to that. But, even if you look at things like Linux Foundation Europe, you’ll see an awful lot of the funders are branches or subsidiaries of US companies. It’s just the way the cookie crumbles at the moment.”
And the Gaia-X project has hit stumbling blocks since it was founded in 2019. Critics have accused the initiative of being ‘slideware’ and lacking any real-world application. Even advocates, such as Airbus, concede that onboarding all their suppliers is a sizable task.
However, those advocates also argue that those real-world applications are starting to emerge. They also suggest that the project’s demands for data sovereignty are influencing the hyperscalers to build EU cloud data centres with much stricter security policies.
For the continent to compete in digital and data, Europe is going to have to “get better” at collaborative, open-source approaches, says Brock, and understand that both industry and business needs to fund it.
Although it is early days, Ahle believes reopening conversations around joining the initiative can “only be a benefit for the UK”. By joining a pre-existing initiative, he says, the UK could leapfrog the need to create its own technologies for digital IDs.
“We’ve been working for six years on the concepts and implementations and developing software to enable interoperable data spaces,” Ahle says. “All of this is open source. It’s available for everyone, for free, forever – there’s no need to start from scratch. It doesn’t make sense for the UK to create its own interoperability solution.”
Whether tying the UK’s digital future to a controversial EU-backed project is a popular political move, though, is another question. But, for UK organisations forced to navigate the complicated maze of global compliance requirements, perhaps automating it is a desirable – if ambitious – vision.
