Walter McCahon, Manager, Data Policy, UK Finance
Yesterday the UK government issued a broad proposal: Framework for the UK-EU partnership, Data protection, expanding on an August 2017 government paper.
The proposal highlights the importance of cross-border data flows, emphasising, in particular, the economic importance of data. It also calls out the vital nature of data sharing to the prevention and detection of terrorism and other serious criminal activities. These are two areas where the UK and the EU are closely integrated.
The most interesting part of the proposal is in the detail of how the government sees the ideal post-Brexit data sharing framework.
An ‘adequacy decision’ is the standard means by which the European Commission recognises a non-EU country’s data protection framework as meeting appropriate standards. This is a unilateral decision by the Commission, rather than an agreement between the Commission and the third country. EU firms are allowed to transfer personal data to ‘adequate’ countries without needing to implement additional safeguards, which can be costly and complex.
The UK is fully implementing General Data Protection Regulation (GDPR), (though there will probably need to be tweaks to move powers from EU institutions to UK institutions post-Brexit). So the UK could presumably reciprocate with a kind of ‘UK adequacy decision’ for the EU, allowing UK firms to transfer personal data freely to the EU.
Instead of this model, HMG would like to see a new kind of agreement with the EU, rather than conventional unilateral ‘adequacy decisions’. Government views an agreement between the UK and the EU as providing more certainty. It could also include procedures for resolving disputes, amending the agreement and potentially terminating it.
Nonetheless, HMG accepts that the European Commission would assess the ‘essential equivalence’ of the UK’s data protection framework. This means a very similar evaluation to conventional adequacy. Because the UK is fully implementing the GDPR (and Law Enforcement Directive, covering police forces’ use of personal data), it is in a strong position. Draft enhancements proposed to the Investigatory Powers Act proposed by the Home Office in November 2017 would also assist. It is anticipated that additional changes may be required to reflect a recent UK High Court ruling regarding the addition of judicial oversight and limiting the use of certain powers to the prevention of serious crime.
Perhaps the most interesting components of the proposed final data relationship relate to regulatory cooperation. Government would like to see the UK Information Commissioner’s Office (ICO) retain an ‘appropriate ongoing role’ on the European Data Protection Board. Presumably this could be a full seat at the table, or perhaps an ‘observer’ function. HMG would also like to see the ICO integrated into the GDPR’s ‘One Stop Shop’ mechanism, which is used to help EU data protection authorities (like the ICO) collaboratively resolve issues and complaints that cross national borders.
The ambitious proposals to develop a closer level of regulatory cooperation and set up processes for dispute resolution etc, are interesting and worth exploring. Nonetheless, it is important that discussions between the UK and the EU progress quickly, to ensure that a sensible resolution that preserves data flows – whether via conventional adequacy decisions or a novel agreement – can be reached soon. Businesses, both in the UK and in the EU, need certainty that data flows will be able to continue, so they don’t feel compelled to begin implementing complex contingency plans in the fear that a deal might not be reached in time.