The Government has been urged to make a decision that will protect data flow between the UK and the EU post-Brexit, to offer certainty to businesses.
Three-quarters of the UK’s cross-border data flows are with EU countries, with services now accounting for 44% of the UK’s total global exports, second only to the US.
Citing concerns over the lack of clarity from the Government on what a transitional deal will look like, the EU Home Affairs Sub-Committee wants the Government to pursue full regulatory equivalence for data protection with the EU post-Brexit.
Although the Government has stated that they “will seek to maintain the stability of data transfers between the EU, Member States and the UK”, little detail has so far been offered on how the Government plans to deliver this outcome.
Matt Hancock MP, Minister of State for Digital, told the committee that “there are many different ways this could work”, but did “not want to stress any particular option.”
The committee identified four parts of the EU’s data protection package that provide options for the UK to achieve unhindered flows of data.
One of them is the General Data Protection Regulation (GDPR), which is set to come into force in May 2018, and is vital to “offer stability and certainty for businesses” according to the report.
The other elements are the Police and Criminal Justice Directive (PCJ); the EU-US Privacy Shield and the EU-US Umbrella Agreement.
These elements offer two options for the UK to achieve unhindered data exchange.
The first would be to secure an ‘adequacy decision’ from the European Commission, – this certifies that the UK provides a standard of protection which is “essentially equivalent” to EU data protection standards.
EU adequacy decisions, however, can only be taken for countries that are deemed ‘third countries’ – i.e. countries that are not EU Member States – so there will be legal barriers to having an adequacy decision in place at the moment of the UK’s exit. To avoid a cliff edge, the committee has urged the Government to ensure there are agreed transitional arrangements in place to cover the interim period.
When pursuing an adequacy position, however, the UK could find itself held to a higher standard as a third country than as a Member State.
Currently, the UK’s national security legislation is not scrutinised for data protection purposes, but when the European Commission considers an adequacy decision for a third country, national security legislation is looked at, and the UK would no longer be exempt from this.
Stewart Room, of PwC, said that an adequacy agreement “would give certainty to businesses and to the economy” but warned that “the critical consideration will be the extent to which the UK is perceived to be adequate, from the EU’s perspective, for data protection.”
Room listed “three key factors”, that the European Commission may take into consideration when determining whether the UK’s data protection rules provided an adequate level of protection: “the overall strength of the legal framework; the effectiveness of the regulator; and [the UK’s] international commitments.”
The Government is non-committal about whether it plans to seek an adequacy decision. Matt Hancock MP, Minister of State for Digital, acknowledged that: “an adequacy decision could work” but emphasised that there were “many different ways in which you could make this work.”
Baroness Williams of Trafford, Minister of State at the Home Office, told the committee that: “an adequacy agreement is certainly an option, but I cannot say, in the context of other options that might be available, what the end point will look like.”
The second option to ensure uninterrupted data flow for the UK post-Brexit is for individual data controllers and processors to adopt their own safeguarding rules. These rules will need to offer an adequate level of protection so personal data can be transferred out of the EU, and includes tools such as Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BRCs).
The Information Commissioner raised concerns that mechanisms like SCCs would “not [be] easy for businesses, particularly small and medium-sized businesses”, while there is concern that they will prove to be complex and time-consuming for large corporates.
Another fear is that without a transitional arrangement, even if the UK’s data protection rules are aligned with the EU regime at the point of Brexit, the EU could amend or update its rules over time.
The UK would then have to align domestic data protection rules with EU rules that it no longer participates in setting.
The report called it “imperative” that the UK Government consider the best method of replacing the structures and platforms that have allowed the UK to influence EU rules on data protection and retention. It recommends starting by “seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.”
The Chairman, Lord Jay of Ewelme, expressed his concern at the Government’s unclear position, saying: “The Committee was concerned by the lack of detail on how the Government plans to maintain unhindered data flows post-Brexit.
It was concerned, too, by the risk that “EU and UK data protection rules could diverge over time when the UK has left the EU.”
However, David Jones MP, then Minister of State at the Department for Exiting the European Union, has tried to allay fears, saying: “On the date of departure, the UK’s data protection arrangements will be in perfect alignment with those of the continuing EU … [and] that will be a good basis for continuing negotiations”,
Lady Williams also emphasised the UK’s “unique position” at the point of exit in being a third country “that has fully implemented the EU’s provisions on data protection.”
It remains to be seen what the outcome of the Brexit negotiations will be on data protection rules for the UK. At the point of leaving the EU, the UK will already be under the new GDPR rules, but this in itself will not be enough to secure unhindered data exchange. Businesses may find themselves subject to complex contracts or having to continuously examine and change the way they protect their data, and will need to be prepared for this possibility come 2019.