Brexit - UK says it’s great at data protection, hopes that’s enough for EU
- Summary:
-
A Brexit paper released by the British government sets out its aims for a future data flow relationship with the European Union. Does it stand up?
The paper outlines how the UK is a significant player in global data flows. It estimates that around 43 per cent of all large EU digital companies are started in the UK , and that 75 per cent of the UK’s cross-border data flows are with EU countries.
It adds that the UK accounted for 11.5 per cent of global cross-border data flows in 2015, compared with 3.9 per cent of global GDP and 0.9 per cent of global population. As a result, the paper states, “any disruption in cross-border data flows would therefore be economically costly to both the UK and the EU”.A thinly veiled warning to Brussels.
The document goes on to recall the UK’s track record in recent decades of going above and beyond the EU’s data protection requirements and reaffirms its future commitment to complying with the EU’s forthcoming General Data Protection Regulation (GDPR) framework - in the form of the UK’s new Data Protection Bill.
Essentially, the UK is making a plea to the European Commission that its track record on data protection is solid and is arguing that it is in everyone’s interests for it to just let the UK carry on being a free trade partner when it comes to data flows.
Minister for Digital Matt Hancock, said:
In the modern world, data flows increasingly underpin trade, business and all relationships. We want the secure flow of data to be unhindered in the future as we leave the EU.
So a strong future data relationship between the UK and EU, based on aligned data protection rules, is in our mutual interest.
The UK is leading the way on modern data protection laws and we have worked closely with our EU partners to develop world leading data protection standards.
The paper published today sets out how we think our data relationship should continue. Our goal is to combine strong privacy rules with a relationship that allows flexibility, to give consumers and businesses certainty in their use of data.
Being granted adequacy
The UK is basically hoping to achieve data adequacy status once it leaves the European Union - or at some point after a transitional period - so that it can continue to trade freely with member states and other non-EEA territories that have been granted a similar status.
Data adequacy is granted when the European Commission feels that a territory that is not part of the EU has data protection laws and practices that are aligned to the EU’s high standards. Currently ten countries have been granted the status, including Israel and New Zealand. The USA and Canada have only been deemed to be partially adequate, and the data sharing with the USA is governed by the 2016 Privacy Shield agreement.
The UK is arguing that because it already complies with EU data protection laws, being part of the EU currently, it is started from an “unprecedented position” and that “the future deep and special partnership between the UK and the EU could productively build on the existing adequacy model”.
However, given the Commission’s previous track record with regards to the time it takes to make a decision on adequacy, it could be years before the UK is granted the status - meaning that a transitional arrangement is key.
The paper released today states that the UK “would be open to exploring a model” which allows its Information Commissioner’s Office to be involved in future regulatory dialogue. It states that this “responds to the Commission’s call to develop international co-operation mechanisms to facilitate effective cooperation and enforcement of data laws by data supervisory authorities”.
However, it quickly adds that “the UK Government will continue to have responsibility for the content and direction of data protection policy and legislation within the United Kingdom”.
The proposal
Under the headline of “Certainty and Stability”, the Brexit paper gets to the nitty gritty of what is actually being proposed by the British government, claiming that an EU-UK model for exchanging data “could provide an opportunity to give greater ongoing certainty to business and citizens in both the UK and the EU”. In other words, don’t argue too much, this is in everyone’s interests.
The proposals are also prefaced by comments that it is “essential” to avoid uncertainty for businesses and public authorities in the UK, EU and EEA, and that any uncertainty could “ force businesses on both sides to incur unnecessary expense and time in contingency planning, or put them under pressure to renegotiate what may be less favourable contractual arrangements”.
Simply put, the UK is pushing for certainty upon exiting the EU (which is entirely sensible, of course). The British government is asking for the following three things:
- The UK’s data protection law fully implements the EU framework, and this will remain the case at the point of our exit from the EU. On this basis, the Government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force.
- Early certainty around how current provisions could be extended, alongside an agreed negotiating timeline for longer-term arrangements, should assuage business concerns on both sides and should be possible given the current alignment of both data protection frameworks, it argues.
- As well as ensuring that data flows between the UK and the EU can continue freely, the UK also wants to make sure that flows of data between the UK and third countries (such as the USA) with existing EU adequacy decisions can continue on the same basis after the UK’s withdrawal, given such transfers could conceivably include EU data.
Potential problems
Despite the fact that I think the UK is being a bit presumptuous (read: arrogant) in this Brexit document, is there any reason why the EU may not deem it an adequate destination to freely trade data with? After all, the UK’s point about being very closely aligned at point of exit is true.
However, think tank, Institute for Government, raises some very interesting points that could cause some problems for the UK’s negotiations - and shouldn’t be ignored. In a blog post it states:
The ECJ recently ruled a piece of UK legislation, the Investigatory Powers Act, as illegal on the grounds of providing insufficient data protection. If the UK chooses to enforce this act after Brexit, the Commission is less likely to find that the UK offers adequate protection.
The House of Lords report also highlighted a “lax approach” to the future transfer of data to other non-EEA countries as a risk. For example, the UK would no longer be part of the EU–US Privacy Shield, leading to fewer restrictions on the transfer of data from the UK to the USA. It is possible that data could be transferred from the EU to the UK, then passed on to the USA where EU principles could be violated.
If the UK pursued a data sharing agreement with the USA that allowed for this kind of data transfer, it is likely the EU would declare the UK as “not adequate”. This scenario could also occur with other countries, particularly those with which the UK has close security ties, but which do not protect data sufficiently in the Commission’s view, such as Australia and Canada.
My take
Well, the UK has said what it sees as the sensible option. We wait to see if the EU agrees...