The Government should pursue full regulatory equivalence with the European Union (EU) with respect to data protection in order to ensure unhindered data flows between the UK and the EU post-Brexit, offer stability and certainty for businesses and maintain police and security co-operation. That’s the considered view of the EU Home Affairs Sub-Committee as outlined in its latest report.
Maintaining unhindered and uninterrupted data flows between the UK and the EU following Brexit is an important aim, as any arrangement that results in greater friction could present a non-tariff trade barrier that places the UK at something of a competitive disadvantage and hinders police and security co-operation.
Although the Government has stated that it “will seek to maintain the stability of data transfers between the EU, Member States and the UK”, little detail has so far been offered by the Conservative Party in terms of how the Government plans to deliver this outcome.
By looking at four elements of the EU’s data protection package in its report, the EU Home Affairs Sub-Committee examines the options available to the Government for securing uninterrupted data flows between the UK and the EU after the UK leaves the EU. These elements are the General Data Protection Regulation, the Police and Criminal Justice Directive, the EU-US Privacy Shield and the EU-US Umbrella Agreement.
Lord Jay of Ewelme, chairman of the EU Home Affairs Sub-Committee, stated: “The volume of data stored electronically and moving across borders has grown hugely over the last 20 years. Between 2005 and 2012 alone, Internet traffic across borders increased eighteen-fold. The maintenance of unhindered data flows is therefore crucial, both for business and for effective police co-operation.”
Lord Jay continued: “The Committee was concerned by the lack of detail on how the Government plans to maintain unhindered data flows post-Brexit. It was concerned, too, by the risk that EU and UK data protection rules could diverge over time when the UK has left the EU. To avoid this, the Committee urges the Government to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.”
Key findings of the report
There’s consensus among witnesses that the most effective way to achieve unhindered flows of data would be to secure adequacy decisions from the European Commission under Article 45 of the General Data Protection Regulation and Article 36 of the Police and Criminal Justice Directive, thereby confirming that the UK’s data protection rules would offer an equivalent standard of protection to that available within the EU.
EU adequacy decisions can only be taken in respect of third countries – ie countries that are not EU Member States – and there will therefore be legal impediments to having such decisions in place at the moment of exit. If there’s no transitional arrangement on data protection post-Brexit, this could put at risk the Government’s objective of securing uninterrupted flows of data, thereby creating a ‘cliff edge’ scenario.
Without a transitional arrangement, the lack of ‘tried and tested’ fall-back options for data sharing in the area of law enforcement would raise concerns about the UK’s ability to maintain deep police and security co-operation with the EU and its Member States in the immediate aftermath of Brexit.
Even if the UK’s data protection rules were aligned with the EU regime to the maximum extent possible at the point of Brexit, there remains the prospect that, over time, the EU would amend or update its rules. Maintaining unhindered data flows with the EU post-Brexit could therefore require the UK to continue to align domestic data protection rules with EU rules that it no longer participates in setting.
It’s imperative that the Government considers how best to replace those structures and platforms that have allowed it to influence EU rules on data protection and retention. According to the Committee, and as stated, the Government should kick-start this process by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.