The UK Government’s Department for Exiting the European Union (EU) has set out its plans for arrangements that could ensure personal data would continue to move back and forth between the UK and the EU in the future in a safe and properly regulated way. In the latest of a series of position papers examining the UK’s future partnership with the EU after the UK has left, the Government has considered the case for a unique approach that could allow data to continue to be exchanged in order to ensure ongoing competitiveness, innovation and job creation.
The document outlines how the UK is considering an ambitious model for the protection and exchange of personal data with the EU that reflects the unprecedented alignment between British and European law and recognises the high data protection standards that will be in place at the point of exit.
This would allow the UK to work more closely with the EU, providing continuity and certainty for the business community, allowing public authorities – including law enforcement authorities – to continue their close co-operation, protecting people’s data and privacy and providing for ongoing regulatory co-operation between the UK and EU data protection authorities.
These proposals are said to “provide a stable base” for the Government to deliver on its commitment to turn Britain into the best and safest place to be online.
Matthew Hancock, the Minister for Digital, explained: “In the modern world, data flows increasingly underpin trade, business and all relationships. We want the secure flow of data to be unhindered in the future as we leave the EU. A strong future data relationship between the UK and the EU, based on aligned data protection rules, is in our mutual interest. The UK is leading the way on modern data protection laws and we’ve worked closely with our EU partners to develop world-leading data protection standards. This new position paper sets out how we think our data relationship should continue. Our goal is to combine strong privacy rules with a relationship that allows flexibility in order to give consumers and businesses certainty in their use of data.”
Digital economy and the UK’s economy
The digital economy is important to the UK’s economy. In 2015, it was worth £118.4 billion (or 7.1% of the UK’s total GVA). This relies on data being able to flow freely back and forth. Any disruption to these cross-border data flows could be costly for both Britain and the EU.
As the UK and the EU build a new, deep and special partnership, it’s essential that there’s agreement on a UK-EU model for exchanging and protecting personal data that:
*allows data to continue to be exchanged in a safe and properly regulated way
*offers sufficient stability and confidence for businesses, public authorities and individuals
*provides for ongoing regulatory co-operation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection
*continues to protect the privacy of individuals
*respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection
*doesn’t impose unnecessary additional costs to business
*is based on objective consideration of evidence
Administrative and financial burdens
Commenting on the UK Government’s position paper, Stewart Room (PwC’s global data protection legal services leader) said: “UK businesses will be pleased to see the Government’s confirmation that it will seek an ‘adequacy decision’ from the European Commission in order to maintain the free flow of personal data from Europe to the UK after Brexit, lowering the administrative and financial burdens for business and other organisations. This will mean that the UK’s data protection framework will be fully aligned with the EU’s at the date of Brexit.”
Room continued: “The paper makes it crystal clear that data protection is now a priority issue for the UK and its economy and for the fight against serious crime and terrorism. Successful delivery of the General Data Protection Regulation (GDPR) will be a critical part of the UK’s success after Brexit. With this in mind, the paper sends a clear message to all data controllers and data processors in the UK that they must embrace the requirements of the GDPR.”
In addition, Room told Risk UK: “As the position paper has pointed out, it’s vital that the UK regulator, ie the Information Commissioner’s Office (ICO), maintains an influential role post-Brexit. The ICO will need to be properly invested in if it’s going to be able to fulfil its resource-sharing requirements. We would expect to see the UK seeking a seat on the new European Data Protection Board in order to help maintain its influence.”
In conclusion, Room asserted: “One area that the position paper doesn’t tackle is the concern in parts of the EU that our domestic surveillance laws are challenging to EU data protection principles. The possibility of partial adequacy decisions could help overcome this, with the UK potentially seeking to ring-fence purely economic activity within an adequacy decision rather than all forms of data processing.”