52.Outside an agreement where the UK data protection regime is essentially equivalent to that of the EU, organisations that wish to transfer data between the UK and the EU would have to fall back on alternative data transfer mechanisms. These include specific arrangements, such as standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms.
53.We asked our witnesses about the drawbacks of the alternatives, should the UK not receive a data adequacy decision. We were told that the bureaucratic burden would be placed on to individual businesses. Elizabeth Denham said:
If the UK and the EU cannot come to an agreement, then there would have to be reliable mechanisms put in place, but it would be more burdensome than having a bespoke agreement, a treaty or an adequacy finding.
54.Furthermore, Ms Denham pointed out that there is a current legal challenge against standard contractual clauses, which “is probably the mechanism that a lot of particularly small and medium businesses would use in this scenario.” If the challenge was successful, and in the absence of an agreement or adequacy decision, she said “We would have to rely on those other transfer mechanisms, which is consent on a transactional basis for the transfer of data. Again, that is a burden on business”. Large multinational companies are better placed than small businesses to manage such bureaucratic burdens. Frederick Erixon, ECIPE, told us:
If you are a big multinational, you are going to find a way to deal with it. It is going to cost you money but you are going to find a way to deal with it. If you are a small company, it is another thing.
55.Mr Mullock described the extent of the burden:
They required papers to be signed. They require, in the case of standard contractual clauses, an individual agreement to be put in place between a company that is transferring data and the business that receives it. In the case of binding corporate rules, they require a company to implement a policy to GDPR level and to have that approved; that is a very time-consuming process.
He said it could take “at least 18 months” for his clients to clear that process, and it would be for any UK business receiving data from Europe to have to put in place such a mechanism to be able to receive data from the EU.
56.Mr Hurley explained that BT would have to identify which of its 18,000+ suppliers, that move data to and from the EU, would require standard contractual clauses to be put in place. The contractual clauses are in a set form, not designed to deal with modern business practice, and quite cumbersome. Giles Derrington gave the example when Safe Harbour collapsed and one very large techUK member company had to put in place two million standard contractual clauses, and he said that the “cost, time and effort that took was very significant”.
57.The alternative legal processes for enabling data transfers, such as standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms, are unsatisfactory substitutes for an agreement that data protection rules in the UK are essentially equivalent to that of the EU. Such alternatives would represent a considerable change from the status quo, would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses.
58.There is a clear relationship between trade and data, in terms of cross border portability of data and the ability to be able to market and provide certain services in another country. This is important for the future UK-EU trading relationship but also for future UK trade deals with other countries. Giles Derrington told us that “you cannot open up any market if you cannot have free flow of data.” The UK Government has said that, after it leaves the EU, it wishes to ensure data flows between the UK and third countries with existing EU adequacy decisions.
59.The European Commission is considering how to reconcile the two objectives of data protection and facilitating trade. It has drafted “horizontal provisions for cross-border data flows and for personal data protection” to be part of trade agreements with the aim of trying to reduce barriers to trade, such as forced data localisation in a state’s territory. However, the proposals have not been discussed by the Council (but published on the Council’s website). It is apparent that there are parts of the Commission which consider data to be a matter for trade and parts which consider data protection to be a fundamental right.
60.Recent attempts to include data as part of an EU trade deal have not worked. Giles Derrington of techUK explained that the original draft text of the EU-Mexico agreement had a holding paragraph to include data, but this subsequently dropped from later text. The same thing happened with the EU-Japan trade negotiations, resulting in falling back on an adequacy process. When the EU and Japan Economic Partnership Agreement was finalised in December 2017, the European Commission announced that data protection was being dealt with separately. It said that privacy and security of personal data was a fundamental right, “a central factor of consumer trust in the digital economy,” and that the EU and Japan would continue to engage on data adequacy talks. The EU has said it is discussing data adequacy with South Korea.
61.David Henig, Director of the UK Trade Policy Project at the European Centre for International Political Economy, said his assumption was that including data in an agreement with the EU:
will be extremely painful […] because the EU is really not comfortable with sharing data. It is increasingly putting more conditions on it. I have not gone into this in detail. They have not actually published what they are going to be moving towards in trade agreements, but, for example, the plurilateral Trade in Services Agreement is essentially held up over differences in allowing data to flow between the EU and the US. It is something that we will need to do some work on, to make sure that we are in a good place on it.
Elizabeth Denham said it would be preferable for the EU-UK data agreement to be a standalone treaty on data and not part of a trade agreement “because of the fundamental rights element of data protection.”
62.While there are signs that the EU is moving to the inclusion of data in trade agreements, the current pattern appears to be for a trade agreement to be negotiated separately and in parallel to the process of an adequacy decision. The process for considering an application for data adequacy is not hampered or delayed by being subject to trade negotiations.
63.The Government should state if its intention is to negotiate a single agreement covering the economic and the security aspects of the relationship, or to separate them into more than one agreement so the data aspect of the security relationship is not subject to the procedure for the economic agreement.
97 ; The European Court of Justice to rule on the validity of standard contractual clauses, Linklaters, 30 May 2016
115 Q1564, Q1581
Published: 3 July 2018