On 7 June 2018, the UK government published a technical note detailing options for future UK-EU cooperation on data protection, post-Brexit. The technical note is part of a series of papers produced by the UK Brexit negotiation team for discussion with the EU, in order to assist with the development of future EU-UK relations.
The UK government suggests that a new data protection agreement should be executed between the UK and the EU. The agreement would build on the current concept of the “adequacy” of data-sharing laws between the EU and UK after Brexit and enable the Information Commissioner’s Office (ICO) to continue to play an important role in the EU’s data protection decisions. A failure to maintain the flow of information between the UK and the EU is one of many concerns facing multinational companies as the UK prepares to leave the EU.
This blog post looks at the key themes put forward in the technical note.
- Improved legal certainty, stability and transparency
A legally binding agreement between the UK and the EU would give a degree of legal certainty and stability that an adequacy decision under GDPR Article 45 could not. For example, unilateral adequacy decisions do not:
- impose obligations on both parties, or
- impose an obligation on parties to deal constructively with challenges as they arise.
An agreement could also incorporate a dispute resolution mechanism for solving problems before they escalate too far.
- Cooperation on enforcement and investigations for EU citizens
Personal data flows between the EU and UK are huge and affect every aspect of people’s lives. A level of regulatory cooperation is needed to:
- remove any difficulties EU citizens face in enforcing their rights and gaining redress; and
- avoid EU citizens having to make complaints to both EU and UK regulators for the same personal data breach.
- Keeping it simple for EU citizens and companies
EU citizens and companies will enjoy much simpler arrangements if the ICO remains a member of the European Data Protection Board. In the event of a major data breach in the UK affecting EU personal data, the ICO could draw on its expertise and its proximity to the organisation concerned. The ICO could conduct a fuller, more effective and quicker investigation than an EU regulator could.
- Cost saving and more efficient processes for EU businesses
In the event of a data breach under a standard adequacy decision, an organisation would face investigation by both EU and UK regulators. An organisation would also face two sets of large fines – up to €20 million or 4 per cent of global turnover – for the same breach.
Under an agreement, EU companies would only have to deal with a single regulator for any breaches that affect both the EU and UK.
- Benefits to EU regulators from ICO’s resource and expertise
The technical note highlights a number of benefits for the EU from keeping the ICO within its data protection governance framework:
- the ICO is Europe’s largest data protection authority;
- many EU regulators have reused the ICO’s domestic guidance;
- the ICO has a strong delivery record as an independent regulator; and
- the ICO is a recognised international authority on the impact of new technologies on privacy rights.
- Why the UK should be treated differently
The technical note makes the argument that the UK should be treated differently from other third countries because the UK is:
- unique in terms of its depth, volume and scope of data flows with the EU;
- in full compliance with EU data protection law, having implemented the GDPR and Law Enforcement Directive;
- committed to the same high standards of data protection as the EU; and
- willing to enter into a legally binding agreement to guarantee effective future enforcement of data protection laws.
The UK government argues that a legally binding data protection agreement between the EU and UK would bring benefits that a standard adequacy decision cannot. An agreement would deliver better outcomes for EU citizens exercising their rights and reduce costs for EU businesses. Further, it would lower the risks of interrupted data flows, avoid duplication of effort and ensure that data protection regulators continue to cooperate with each other. Organisations should watch this space to see how the EU responds to the UK’s proposals and what effect, if any, this has on Brexit negotiations.