UK will have an “independent policy on data protection”, but will seek adequacy decision from EU

The British government this week outlined its negotiating position to secure a free trade agreement with the EU during the Brexit transition period, which is set to conclude at the end of this year. However, in a speech to MPs, Michael Gove has said that the government is prepared to walk away from trade talks in June unless there is a broad outline of a deal. 

This would mean the UK would fall back on trading with the EU on WTO terms, which would introduce a great deal of friction when compared with a comprehensive free trade agreement. 

However, whilst the UK is seeking an FTA that allows for divergence from EU rules, the EU has said that it would expect the UK to “uphold common high standards, and corresponding high standards over time with Union standards as a reference point”. 

Simply put, the next few months are going to be incredibly trying for the two negotiating teams, which appear to be starting from two completely different positions. 

The UK this week published its approach to negotiations in the form of a document called ‘The Future Relationship with the EU’. The document covers many aspects of what it would expect a free trade agreement to include and is worth looking over in full. 

However, one point of particular interest is regarding the UK’s data protection policy. As Chris Middleton wrote for diginomica/government earlier this week, divergence on data policy - or the failure to secure a free trade agreement that includes data - could have serious implications. He notes: 

But there is another challenge in all the political grandstanding over trade and immigration, one that can be expressed in a single word: data. No deal on trade would also mean no deal on data transfer, hosting, storage, and processing. And regulatory divergence could mean breaking EU rules on data governance, privacy, and protection, which would be the same as no deal. With an estimated 80 percent of UK organisations having data in the EU at least some of the time, that would be a massive problem.

As the Information Commissioner’s Office (ICO) put it at a Westminster conference on GDPR last year, crashing out of the EU with no deal or no regulatory equivalence could mean enterprises, charities, and public sector organisations sending their data to the EU but not getting it back. Because in 2020, trade isn’t only about fish and computer chips, it’s also about bits and bytes. And it isn’t just about money, but also a free exchange of information, ideas, and research.

As Chris notes in his piece, DCMS’s response to defining its position on a post-Brexit data protection policy was less that than satisfactory, with the department’s deputy director of domestic data protection policy preferring instead to ramble on about physics. 

However, the government’s document this week provides a bit more clarity. What’s interesting is that under Theresa May’s tenure as Prime Minister, the government was clear that it would align with the EU’s GDPR - allowing for a smooth data transition in a post-Brexit world. 

Boris Johnson’s government, however, appears to be favouring control to set its own agenda, instead simply seeking an adequacy decision from the EU. 

Data adequacy is granted when the European Commission feels that a territory that is not part of the EU has data protection laws and practices that are aligned to the EU’s high standards. Currently ten countries have been granted the status, including Israel and New Zealand. The USA and Canada have only been deemed to be partially adequate, and the data sharing with the USA is governed by the 2016 Privacy Shield agreement.

The UK will not commit to regulatory alignment 

The UK has said that it intends to set its own data agenda. The document released this week states: 

The UK will have an independent policy on data protection at the end of the transition period and will remain committed to high data protection standards.

To maintain the continued free flow of personal data from the EU to the UK, the UK will seek ‘adequacy decisions’ from the EU under both the General Data Protection Regulation and the Law Enforcement Directive before the end of the transition period. These are separate from the wider future relationship and do not form part of trade agreements. This will allow the continued free flow of personal data from the EEA States to the UK, including for law enforcement purposes. The European Commission has recognised a number of third countries globally as providing adequate levels of data protection.

On a transitional basis, the UK has allowed for the continued free flow of personal data from the UK to the EU. The UK will conduct assessments of the EEA States and other countries under an independent international transfer regime.

In addition the UK has said that it will seek appropriate arrangements to allow continued cooperation between the UK Information Commissioner’s Office and EU Member State data protection authorities. 

The UK may succeed in its approach, as not granting an adequacy decision would also impact EU member states that trade with the UK. That being said, the EU is concerned about the UK gaining a competitive advantage through diverging regulation, so it’s far from a done deal. 

Michael Gove made it clear this week that sovereignty is the primary aim of the UK’s negotiating position. He said: 

To be clear: we will not be seeking to dynamically align with EU rules on EU terms governed by EU laws and EU institutions.

The British people voted to take back control, to bring power home, to have the rules governing this country made by those who are directly accountable to the people of this country. And that is what we are delivering.