Last week the UK Government released its negotiating position paper on international transfers of personal data within the EEA (The Exchange and Protection of Personal Data). Once the UK leaves the EEA it will no longer be subject to the General Data Protection Regulation (the “GDPR”) and will no longer form part of the EU “safe data” zone throughout which personal data may be freely transferred. The GDPR will, however, continue to apply to UK businesses that provide goods or services to individuals in the EEA.
In line with previous declarations, the position paper outlines the Government’s desire to maintain the “frictionless” movement of data to and from other countries within the EEA. It cites the economic benefits for the UK and EU as well as cooperation in respect of law enforcement matters (such as serious crime and terrorism).
The position paper sets out the Government’s preferred outcome in three key areas:
- an EU adequacy decision in relation to the UK’s post-Brexit data protection legislation;
- the continued input of the UK data regulator (the Information Commissioner’s Office (the “ICO”)) in the EU’s regulatory dialogue; and
- interim arrangements, from the point of Brexit to the time when more permanent measures have been put in place, to maintain stability and consistency.
An adequacy decision would be made by the European Commission. It would effectively state that the UK’s data protection regime offered a standard of protection equivalent to that in other EU member states. This would be the most efficient method of ensuring that personal data can continue to flow between the UK and the rest of the EU. The position paper highlights the fact that the UK will have in place, at the point of departure from the EU, a data protection regime which is at an “unprecedented point of alignment with the EU” (by virtue of the GDPR, which will have applied up to that point).
If an adequacy decision, or something similar, is not forthcoming, then data controllers within the EEA would only be able to export personal data to the UK under the terms of the Standard Contractual Clauses, or by following approved Codes of Conduct, or, in intra-group situations, after they have implemented Binding Corporate Rules. These are the alternative legal bases for transfers of personal data outside the EEA as set out in the GDPR. As we have seen (in the context of data transfers with other non-EEA countries), these inevitably lead to additional cost and administrative hassle for organisations, especially for small to medium-sized companies.
There are nonetheless some obstacles to the adequacy model, not all of which are mentioned in the Government’s position paper. One (somewhat glaring) omission is the fact that the UK’s controversial surveillance regime may affect its ability to meet the standards. In particular, there are ongoing concerns about the extent of the surveillance, interception and retention powers in the Investigatory Powers Act 2016, which run counter to the EU’s approach to data protection. Surveillance legislation in the US has to date precluded an adequacy decision, forcing it to rely instead on measures such as the US Privacy Shield, Standard Contractual Clauses and Binding Corporate Rules.
ICO input into European Data Protection
The paper outlines the UK’s intention to remain “fully involved in future EU regulatory dialogue” around data protection in a post-Brexit world. It states that the ICO would want to continue working closely with other authorities and proposes that the UK explores mechanisms to this effect.
This position is not surprising. If the UK were to lose influence at the European table, this could lead to divergence in the interpretation of relevant legislation between the UK and the rest of the EU. This could, in turn, impact any adequacy decision applying to the UK.
Throughout, the paper advocates the need for stability and certainty in respect of the many existing data transfer arrangements between the UK and other EU member states. In order to tackle this issue, it proposes that the EU at least find in favour of an interim adequacy decision for the mutual benefit of all parties. It argues that this is acceptable on two grounds, namely:
- The UK’s data protection regime will necessarily be fully compliant with the GDPR at the point of its departure from the EU (as it will be subject to the GDPR immediately beforehand); and
- At least in the short term, the GDPR will continue to apply under UK domestic law through the EU Withdrawal Bill.
The paper suggests that this interim arrangement should hold until a more permanent agreement is put in place (which, in an ideal scenario, would simply be a more long-term version of the same thing).