52.Outside an agreement where the UK data protection regime is essentially equivalent to that of the EU, organisations that wish to transfer data between the UK and the EU would have to fall back on alternative data transfer mechanisms.93 These include specific arrangements, such as standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms.94
53.We asked our witnesses about the drawbacks of the alternatives, should the UK not receive a data adequacy decision. We were told that the bureaucratic burden would be placed on to individual businesses.95 Elizabeth Denham said:
If the UK and the EU cannot come to an agreement, then there would have to be reliable mechanisms put in place, but it would be more burdensome than having a bespoke agreement, a treaty or an adequacy finding.96
54.Furthermore, Ms Denham pointed out that there is a current legal challenge against standard contractual clauses,97 which “is probably the mechanism that a lot of particularly small and medium businesses would use in this scenario.” If the challenge was successful, and in the absence of an agreement or adequacy decision, she said “We would have to rely on those other transfer mechanisms, which is consent on a transactional basis for the transfer of data. Again, that is a burden on business”.98 Large multinational companies are better placed than small businesses to manage such bureaucratic burdens.99 Frederick Erixon, ECIPE, told us:
If you are a big multinational, you are going to find a way to deal with it. It is going to cost you money but you are going to find a way to deal with it. If you are a small company, it is another thing.100
55.Mr Mullock described the extent of the burden:
They required papers to be signed. They require, in the case of standard contractual clauses, an individual agreement to be put in place between a company that is transferring data and the business that receives it. In the case of binding corporate rules, they require a company to implement a policy to GDPR level and to have that approved; that is a very time-consuming process.101
He said it could take “at least 18 months” for his clients to clear that process, and it would be for any UK business receiving data from Europe to have to put in place such a mechanism to be able to receive data from the EU.102
56.Mr Hurley explained that BT would have to identify which of its 18,000+ suppliers, that move data to and from the EU, would require standard contractual clauses to be put in place. The contractual clauses are in a set form, not designed to deal with modern business practice, and quite cumbersome.103 Giles Derrington gave the example when Safe Harbour collapsed and one very large techUK member company had to put in place two million standard contractual clauses, and he said that the “cost, time and effort that took was very significant”.104
57.The alternative legal processes for enabling data transfers, such as standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms, are unsatisfactory substitutes for an agreement that data protection rules in the UK are essentially equivalent to that of the EU. Such alternatives would represent a considerable change from the status quo, would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses.
58.There is a clear relationship between trade and data, in terms of cross border portability of data and the ability to be able to market and provide certain services in another country.105 This is important for the future UK-EU trading relationship but also for future UK trade deals with other countries. Giles Derrington told us that “you cannot open up any market if you cannot have free flow of data.”106 The UK Government has said that, after it leaves the EU, it wishes to ensure data flows between the UK and third countries with existing EU adequacy decisions.107
59.The European Commission is considering how to reconcile the two objectives of data protection and facilitating trade. It has drafted “horizontal provisions for cross-border data flows and for personal data protection” to be part of trade agreements with the aim of trying to reduce barriers to trade, such as forced data localisation in a state’s territory. However, the proposals have not been discussed by the Council (but published on the Council’s website).108 It is apparent that there are parts of the Commission which consider data to be a matter for trade and parts which consider data protection to be a fundamental right.109
60.Recent attempts to include data as part of an EU trade deal have not worked. Giles Derrington of techUK explained that the original draft text of the EU-Mexico agreement had a holding paragraph to include data, but this subsequently dropped from later text. The same thing happened with the EU-Japan trade negotiations,110 resulting in falling back on an adequacy process.111 When the EU and Japan Economic Partnership Agreement was finalised in December 2017, the European Commission announced that data protection was being dealt with separately. It said that privacy and security of personal data was a fundamental right, “a central factor of consumer trust in the digital economy,” and that the EU and Japan would continue to engage on data adequacy talks.112 The EU has said it is discussing data adequacy with South Korea.113
61.David Henig, Director of the UK Trade Policy Project at the European Centre for International Political Economy, said his assumption was that including data in an agreement with the EU:
will be extremely painful […] because the EU is really not comfortable with sharing data. It is increasingly putting more conditions on it. I have not gone into this in detail. They have not actually published what they are going to be moving towards in trade agreements, but, for example, the plurilateral Trade in Services Agreement is essentially held up over differences in allowing data to flow between the EU and the US. It is something that we will need to do some work on, to make sure that we are in a good place on it.114
Elizabeth Denham said it would be preferable for the EU-UK data agreement to be a standalone treaty on data and not part of a trade agreement “because of the fundamental rights element of data protection.”115
62.While there are signs that the EU is moving to the inclusion of data in trade agreements, the current pattern appears to be for a trade agreement to be negotiated separately and in parallel to the process of an adequacy decision. The process for considering an application for data adequacy is not hampered or delayed by being subject to trade negotiations.
63.The Government should state if its intention is to negotiate a single agreement covering the economic and the security aspects of the relationship, or to separate them into more than one agreement so the data aspect of the security relationship is not subject to the procedure for the economic agreement.
93 Q1572
94 European Commission, Notice to Stakeholders. Withdrawal of the UK from the Union and EU Rules in the Field of Data Protection, 9 January 2018; No adequacy decision, no panic - PwC comments on the latest European Commission statement on Brexit and EU Data Protection Law, 10 January 2018
95 Q1574
96 Q1569
97 Facebook Ireland and Schrems C311/18; The European Court of Justice to rule on the validity of standard contractual clauses, Linklaters, 30 May 2016
98 Q1568
99 Q1575–1577
100 Q525
101 Q1574
102 Q1574
103 Q1575
104 Q1574
105 Q520
106 Q1588
109 Q1576
110 Q1585
111 Q1586
113 Press statement by Commissioner Vĕra Jourová, Mr. Lee Hyo-seong, Chairman of the Korea Communications Commission and Mr. Jeong Hyun-cheol, Vice President of the Korea Internet & Security Agency, Brussels, 20 November 2017
114 Qq1282–1283
115 Q1564, Q1581
Published: 3 July 2018