The House of Lords EU Home Affairs Sub-Committee (“the Committee”) has published a report on the EU Data Protection Package and the impact of Brexit (“the Report”). The Report considers the implications of the UK’s exit from the EU for cross-border data transfers, and for UK data protection policy more generally.
The Report looks at four elements of the EU’s data protection package: (1) the General Data Protection Regulation (“GDPR”), (2) the Police and Criminal Justice Directive (“PCJ”), (3) the EU-U.S. Privacy Shield, and (4) the EU-U.S. Umbrella Agreement. Upon leaving the EU, the UK will become a ‘third country’ under EU data protection rules, and all four measures of this data protection package will cease to apply to the UK. However, the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK.
The Government says it wants to maintain unhindered and uninterrupted data flows with the UK post-Brexit. According to the Report, the Committee supports this objective, but is concerned by the lack of detail on how the Government plans to achieve this outcome. The Committee is concerned that any arrangement that creates greater friction around data transfers between the UK and EU, post-Brexit, risks (1) hindering police and security cooperation, and (2) presenting a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage. In the Committee’s view, the Government should set out clearly, as soon as possible, how it plans to deliver this objective.
The Report notes the two broad options for “third countries” seeking to exchange data with the EU as provided under the GDPR and the PCJ: (1) achieving an adequacy decision from the European Commission, or (2) individual controllers adopting their own safeguards which offer an adequate level of protection, such as Standard Contractual Clauses or Binding Corporate Rules.
On option (2) above, the Committee concludes that such safeguards would be less effective than an adequacy decision, as these mechanisms may not be available to some types of companies. There is also uncertainty around the future of Standard Contractual Clauses, given the outstanding legal challenge in the Schrems II case.
The Committee points to the fact that the UK is so heavily integrated with the EU – three-quarters of the UK’s cross-border data flows are with EU countries – that it would be difficult for the UK to get by without an adequacy arrangement. Accordingly, it recommends that the Government should seek adequacy decisions to facilitate UK‑EU data transfers once the UK has ceased to be a member of the EU.
Achieving an adequacy decision is not without challenges, however. Such decisions are only taken in respect of “third countries” (a category in which the UK does not currently fall), and the period of negotiations is likely to be lengthy. As such, the Committee urges the Government to ensure that transitional arrangements are agreed to cover the interim period.
The EU-U.S. Privacy Shield and the EU-U.S. Umbrella Agreement will also cease to apply to the UK post-Brexit. Given the EU’s rules regarding onward transfers, securing unhindered flows of data with the EU may require the UK to demonstrate that it has put arrangements in place with the United States that afford the same level of protection as the Privacy Shield and the Umbrella Agreement. In relation to data-sharing for commercial purposes, the Committee highlights the approach taken by Switzerland, which has secured both an adequacy decision from the EU and a mirror of the Privacy Shield agreement with the United States.
Finally, the Report notes that Brexit will impact the UK’s future ability to influence EU rules on data protection, as it will lose the institutional platform from which it has been able to exert that influence. The Committee recommends that the Government should secure a continuing role for the UK Information Commissioner’s Office on the European Data Protection Board as a starting point, and find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and global level.
As discussed in our previous blog concerning the House of Commons’ briefing on Brexit and data protection, it is clear that the issue of data transfers to the UK post-Brexit remains a real concern. Businesses need certainty over what they can expect when the UK leaves the EU, as well as time to take any steps necessary to comply.