The UK Government has released a position paper, “The exchange and protection of personal data: A future partnership paper”, as part of the ongoing Brexit negotiations.
This is one of many papers released by the UK Government last week but is a high priority for both the UK and the EU given the importance of data flows between the two. The continuing uncertainty surrounding data transfers to or through the UK given the country’s looming departure from the bloc is a matter of increasing concern for EU-28 based companies. As the position paper sets out, “any disruption in cross-border data flows would . . . be economically costly to both the UK and the EU.” The report goes on to estimate the cost of such disruption at between 0.8% and 1.3% of EU GDP.
The paper sets out a plan to establish an “unprecedented alignment” between data protection laws in order to develop “a UK-EU model for exchanging and protection of personal data that maintains the free flow of personal data between the UK and the EU.” This would work within existing adequacy models – the so-called “white-listed countries” – with substantial involvement from the UK Information Commissioner’s Office and EU regulators to achieve an adequacy determination. An adequacy determination is a new instrument under the General Data Protection Regulation (GDPR) which would work as follows. The European Commission has the power under GDPR to determine whether a country outside the EU has an adequate level of data protection governing data flows from EU and EEA countries to third countries, without any additional safeguards being necessary to legitimise international transfers of personal data. The adoption of such an adequacy determination involves various stages of approval including through the Article 29 Working Party of Member States’ data protection authorities and the European Data Protection Supervisor.
It should be noted that the paper simply sets out the UK Government’s preferred route, so eyes will now be on the European Commission’s response. The UK’s position did not come as a great surprise given that earlier this month the UK’s Statement of Intent on the Data Protection Bill urged it to be consistent with the GDPR. The GDPR, which becomes enforceable on 25 May 2018, will expand the existing privacy rights of EU residents and impose a wide range of additional obligations on businesses operating both within and outside of the EU. The GDPR impacts any company that offers goods or services to individuals in the EU or that processes any EU personal data, or organisations that use external contractors to do so. The UK’s intent for the Data Protection Bill to be consistent with the GDPR is in alignment with its desired course.
The UK’s proposal must be seen in the wider international context on data transfers following the Schrems decision issued by the European Court of Justice (ECJ) in 2015. This decision struck down the EU-US Safe Harbor framework that covered the transfer of data between the EU and the US because, amongst other things, the ECJ concluded that the surveillance laws of the US allow the federal government to have access “to the content of electronic communications”. Challenges to the replacement for Safe Harbor, known as the EU-US Privacy Shield, have been made on similar grounds and have yet to be decided by the courts. An adequacy determination would therefore require an examination of UK law and international commitments to assess whether there is essential equivalence with the EU requirements on data protection, including government access to personal data. This examination will include a review of the UK Investigatory Powers Act 2016. In this context, it is noteworthy that the predecessor legislation (known as “DRIPA”) was struck down by the ECJ for reasons similar to those which led to the invalidation of the EU Commission’s decision approving the EU-US Safe Harbor regime.
There are other procedural options open to the UK apart from an adequacy decision. If negotiations are amicable, a special transitional arrangement could be agreed upon, potentially allowing the UK to be treated the same as the remaining EU-27 for as long as the relevant transitional arrangements remain in place. This could be advantageous to both parties, but will likely come with tradeoffs and stringent conditions for the UK.
With only nine months to go before the GDPR becomes effective, this could have a real impact on businesses not only on both sides of the Channel but also on both sides of the Atlantic and beyond. For example, “onward transfers” through the UK from or to Europe will also be impacted, such as financial services transactions. Businesses will therefore need to monitor these negotiations carefully to understand how they may impact their business, and participate in the process to the extent possible both in the UK and on the Continent.