The Department for Exiting the European Union has started to publish position papers outlining how the UK will negotiate on issues related to Brexit, one of which outlines personal data proposals post-Brexit. Within the paper, the UK government emphasises the value of personal data to UK and EU businesses and sets out how it foresees the UK’s future interaction with the European Union’s data protection regime.
What will happen to UK data protection law after Brexit?
GDPR, when it comes into force in May next year, will bring major changes to the current European data protection regime. The UK data protection authority, the Information Commissioner’s Office (ICO), has previously confirmed that the UK will need to comply with GDPR prior to Brexit. The current position of the Withdrawal Bill also suggests that GDPR will be implemented post-Brexit.
GDPR will continue the current restrictions on export of personal data outside of the EU to ‘third countries’. GDPR permits certain mechanisms for organisations to lawfully transfer personal data to such third countries. For example, such transfers would be permitted:
- if the European Commission (EC) has made an “adequacy decision” in respect of the country that the data is being transferred to. This means that the EC acknowledges that a specific country ensures an adequate level of protection for the data that is commensurate with the standard required by EU data protection law. It is notable that, to date, the EC has only made 12 adequacy decisions since the 1995 Data Protection Directive came into force
- if the transfer is subject to appropriate safeguards such as binding corporate rules (used frequently by organisations with a multi-jurisdictional presence) or standard data protection clauses adopted by the EC (sometimes called Model Clauses).
The UK government has been considering these options and has expressed its intention to come to “new arrangements” that could build on the existing adequacy model to legitimise the cross-border transfer of personal data between the EU and UK following Brexit, so as not to disrupt the economic benefits of free-flowing data.
What does the UK government suggest?
The paper puts forward the UK government’s position and suggests that:
- upon exit, the UK's data protection rules will have an “unprecedented” alignment with the EU data protection framework (since the UK will be required to comply with GDPR prior to Brexit)
- new EU-UK arrangements will be needed to govern the free flow of data, which could be in the form of an adequacy decision to mutually recognise both sets of law
- to ensure certainty, putting in place an agreed negotiating timeline for longer-term arrangements will assist organisations with business concerns.
Further comments
As well as the points set out above, the UK government also suggests that the ICO could, following Brexit, maintain an ongoing role in the EU regulatory fora relating to data protection, such as the Article 29 Working Party (which will become the European Data Protection Board), in order to preserve existing regulatory co-operation between national supervisory bodies.
Notably absent from the paper is commentary on the UK’s Investigatory Powers Act, which presents challenges to EU data protection principles with regard to surveillance by the state. It will be interesting to see how this piece of legislation is proposed to be dealt with during any potential submissions for an adequacy decision by the UK Government.
By publishing its data protection principles in this paper, the UK government is attempting to ensure a smooth transition and to avoid any administrative burdens that might disrupt the use of data by commercial organisations and national security agencies, whilst ensuring the highest levels of protection for individuals.
The highly publicised and continuing issues with the transatlantic data sharing agreement between the US and EU (firstly Safe Harbour and now its replacement, the Privacy Shield) will not provide much comfort for businesses. However, it is a real benefit that UK and EU laws will, following the implementation of GDPR, be harmonised upon Brexit and that the ICO is determined to maintain a role in shaping EU data protection laws post-Brexit.