The UK Government has published a position paper (“the Paper”), which will form part of a series of papers setting out key issues forming the Government’s vision for their partnership with the EU post-Brexit. The Paper explains how it intends to resolve the much-debated issue of UK-EU data transfers post-Brexit. This issue is a real concern for businesses that currently enjoy the ability to transfer data freely within the EEA, as well as with third countries that are recognised by the European Commission as providing an ‘adequate’ level of protection under EU law.
Some of the key points to note are as follows:
The Government wants to explore a UK-EU model which allows free flows of data to continue after the UK leaves the EU.
It proposes that this could build on the adequacy model that is currently provided under the EU Data Protection Directive (95/46/EC) (“Directive”), and is set out in the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)). Both the Directive and the GDPR allow the European Commission to formally recognise that a third country – i.e., a country outside the EEA – provides an ‘adequate’ level of data protection under EU law. To date, the Commission has adopted 12 adequacy decisions under the Directive. Two of these decisions are partial: in Canada, the decision applies only to transfers of data to Canadian recipients who are subject to the PIPED Act; and the EU-US Privacy Shield applies only to transfers to those companies in the United States that have self-certified to the standards set out in the Privacy Shield framework.
The Government believes “it would be in the interest of both the UK and the EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force”.
It comments that the UK’s data protection framework will be fully aligned with the GDPR at the date of withdrawal from the EU, pointing to the new Data Protection Bill which was announced in the Queen’s Speech and discussed further in its Statement of Intent last month. In view of this, it considers it should be possible to extend current data-sharing provisions, while at the same time agreeing a negotiating timeline for longer-term arrangements. This is good news for businesses, as certainty at the point of Brexit will prevent businesses being put under pressure to renegotiate their contractual arrangements, and will also avoid them incurring unnecessary expense and time in contingency planning.
The Government wants to make sure that flows of data between the UK and third countries with existing adequacy decisions can continue on the same basis post-Brexit.
Given that such transfers may include EU data, and that the UK will remain a safe destination for personal data after it leaves the EU, the Government seeks to avoid any disruption to data flows from third countries to the UK. It therefore plans to liaise with those third countries to ensure that existing arrangements will be transitioned over at the point of exit.
The Government wants to secure an ongoing role for the UK’s Information Commissioner’s Office (“ICO”) so that it remains “fully involved in future EU regulatory dialogue”.
It recognises that after the UK’s withdrawal from the EU, regulatory cooperation between the UK and the EU will be essential. As such, an ongoing role would allow the ICO to continue to share its resources and expertise with the network of EU Data Protection Authorities. Presumably, the intention here is for the ICO to retain its seat on the European Data Protection Board, at least in some capacity.
For businesses currently preparing for the GDPR, the position remains unchanged, and there is still uncertainty around the future of UK-EU data transfers.
However, the Paper demonstrates that the Government is clearly taking the matter seriously and pushing forward its agenda to try to ensure certainty in the least burdensome manner. The Paper is also helpful, as it finally provides us with some detail on the Government’s preferred approach to UK-EU data transfers post-Brexit. The proposals sound reasonable, particularly given that the UK’s data protection framework will be fully aligned with the GDPR when it leaves the EU. However, it is not clear whether the UK will push for a full or partial finding of adequacy, or indeed, how the concerns regarding the UK’s Investigatory Powers Act might be resolved in determining adequacy status. If the Government would prefer partial adequacy, like the EU-US Privacy Shield for example, the challenges to the future of the Privacy Shield clearly might impact any such decision. In any event, the likelihood of these proposals moving forward depends entirely on the European Commission’s position, and we must wait for its response before drawing any conclusions.