1.The Committee on Exiting the European Union published its Seventh Report of Session 2017–18, The progress of the UK’s negotiations on EU withdrawal: Data, (HC 1317), on 3 July 2018. On 6 September 2018, the Committee received the Government response to the Report. It is appended below.
1.Data flows and data protection are fundamental to the modern way of life and, increasingly, to the functioning of the economy, particularly in areas of UK comparative advantage such as services. The objective in the negotiations for the UK Government must be to maintain high standards of data protection and ensure that data can continue to be transferred across borders as it is now. (Paragraph 7)
The UK is a global leader in strong data protection standards and protecting the privacy of individuals will continue to be a priority for the UK. The UK demonstrated this commitment with the successful passage of the new Data Protection Act 2018, which applies and implements the General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) respectively in UK law. It further strengthens UK data protection standards, ensuring they are fit for the modern age, and implements the EU’s new data protection framework into UK domestic law. Our data protection laws will therefore be aligned with the EU’s at our point of exit.
As the Prime Minister said in her Mansion House speech, achieving a deal on data protection is one of the foundations that must underpin the UK-EU trading relationship. In a globalised digital economy, data flows envelop all trade in goods and services as well as other business and personal relations. They are critical for both sides in a modern trading relationship. The ability of law enforcement agencies to transfer data both within the EU and with third countries is crucial in our efforts to fight cross border crime and prevent terrorism.
The UK wants to secure an agreement with the EU that provides stability and confidence for EU and UK business, public bodies and individuals to achieve our aims in maintaining and developing the UK’s strong economic and security links with the EU. That is why we are seeking to build on the standard adequacy model and want to see ongoing regulatory cooperation and joined up enforcement action between UK and EU data protection authorities. This will ensure UK and EU businesses and citizens continue to benefit from greater cross-border cooperation for resolving data protection disputes.
2.The EU’s existing arrangements for providing for data flows with third countries typically involve a decision of adequacy from the European Commission. Since the CJEU decision on the US-EU Safe Harbour agreement, a decision of adequacy will require the third country to provide protection of fundamental rights essentially equivalent to that provided in the EU. A range of countries have received an adequacy decision, ranging from Switzerland to Argentina to New Zealand. The United States and Canada have limited arrangements. (Paragraph 16)
As the Committee notes, under current arrangements, a third country can request the Commission considers them for an Adequacy Decision.
The Commission can then assess whether that country’s data protection rules, and the means for ensuring their effective supervision and enforcement, are sufficient to provide an adequate level of protection. In making its assessment of a third country’s data protection rules, the Commission will scrutinise that country’s domestic legislation and practice, as well as compliance with relevant international standards, in order to ascertain whether the data protection standards in the third country are ‘essentially equivalent’ to those applied in the EU (a test set by the Court of Justice of the European Union [CJEU] in its Schrems judgment). The UK will be assessed by the Commission against these standards.
The UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement is in place by the end of the implementation period at the latest, to provide the earliest possible reassurance that data flows can continue. The UK and the EU start from a position of trust in each other’s standards and regulatory alignment on data protection. We are strongly committed to protecting the personal data of all citizens and will continue to be a global leader in this area, as demonstrated by the passage of the Data Protection Act 2018. The Act strengthened UK standards in line with the EU’s General Data Protection Regulation (GDPR) and the Law Enforcement Directive, providing a unique starting point for an extensive agreement on the exchange of personal data that builds on the existing adequacy framework.
3.The UK’s proposals accept that the EU will need to assess the adequacy of the UK data regime. The UK is asking for this to be on the basis of a two-way agreement—rather than solely a one-way decision of the European Commission—and in the form of an international agreement—a Treaty. The UK should provide more information on the distinction between the procedure for an adequacy decision and the procedure that it expects both parties to go through to secure an international agreement on data. (Paragraph 30)
The UK Government has been clear that we are not seeking to avoid the adequacy process or to fetter the EU’s decision making autonomy. We are ready to begin preliminary discussions on an adequacy assessment now, as set out in the White Paper published on 12th July 2018 (available on gov.uk).1
The EU’s adequacy framework provides the right starting point for the UK’s future relationship with the EU on data protection. However, the UK wants to build on this model in two respects. It would be mutually beneficial to have a clear framework to facilitate dialogue and support a stable relationship between the UK and EU to protect personal data. It would also benefit the UK and the EU to have close cooperation between the UK’s Information Commissioner’s Office and EU Data Protection Authorities.
On 22 May 2018, UK government officials presented slides to the European Commission outlining a framework for a UK-EU future partnership on data protection (available on gov.uk).2 A further paper was presented by the UK government to the Commission in June 2018, which set out the benefits to the EU of the UK’s proposals (available on gov.uk).3 These publications set out the distinction between what an Adequacy Decision can provide for and the additional benefits of the UK’s proposals.
4.The EU negotiating guidelines on the future relationship provide that data protection should be governed by EU rules on adequacy. The public statements from Michel Barnier have consistently said that the EU will not share its regulatory autonomy with a third country. The UK has said it does not wish to interfere with the EU’s decision-making autonomy and respects the fact that certain EU bodies are subject to CJEU jurisdiction. The EU appears to consider the UK proposals to be an attempt to retain influence on the EU regulatory regime from the position of a third country. The UK should accept, to increase the prospects of securing the Prime Minister’s objectives of continuing membership by the Information Commissioner on the European Data Protection Board and representation under the European One-stop shop, that the CJEU will continue to have jurisdiction over aspects of data protection law in the UK after exiting the EU. (Paragraph 31)
The Prime Minister has been clear that by leaving the EU, we will end the jurisdiction of the CJEU in the UK. However, EU law and the decisions of the CJEU will continue to affect us and we will continue to follow the rule of law and abide by our international obligations. The UK will explore with the EU the terms on which we could remain part of the relevant bodies and the UK accepts that this would mean abiding by the rules of those bodies and making an appropriate contribution. If we agree the UK should continue to participate in an EU body, the UK would respect the remit of the CJEU in that regard. The UK Parliament would remain ultimately sovereign, and so could in principle decide not to accept these rules, but with consequences for our membership of the relevant body. As the Committee recognises, the UK is not seeking decision-making power over future EU laws, has no intention to impede EU policy making in data protection, and respects the fact that certain EU bodies are subject to CJEU jurisdiction.
5.The EU have said as a third country the UK cannot have continued participation on the European Data Protection Board or One-stop shop. No non-EU states are represented on the European Data Protection Board; and while non-EU EEA countries such as Norway are within the internal market on data they do not participate on the European Data Protection Board. The EU wishes to retain its decision-making autonomy, and the UK may be put in a position where it does not have a role in helping to frame future EU wide rules on data. (Paragraph 36)
6.As things currently stand, UK businesses will be outside the provisions of the new One-stop shop, a coordination mechanism designed to reduce cost and bureaucracy to businesses across the EU. (Paragraph 37)
Cross-border cooperation between domestic data protection authorities is valuable to the UK and the EU. The breadth and depth of the EU-UK relationship, and volume of personal data flows that underpin it, are unmatched by any other third country. What we are proposing is beneficial to both the UK and the EU. As we set out in the White Paper, the UK believes its proposals are in line with the EU’s thinking in this space. The Commission’s January 2017 Communication recognised that “enhancing cooperation with relevant privacy enforcement and supervisory authorities of third countries is increasingly necessary” and “economic operators would benefit from a clearer legal environment where common interpretation tools and enforcement practices are developed at a global level”. On this basis, the Communication stated that “the Commission will develop international cooperation mechanisms with key international partners to facilitate effective enforcement”.4
7.The content of the UK proposal is unprecedented for an EU third country arrangement on data and there are no existing models for third country data exchange covering the degree of data sharing in criminal justice that the UK is seeking. The UK would need an adequacy decision to be able to engage in data sharing for law enforcement purposes. It would also have to accept the jurisdiction of the CJEU. It is not in the interests of the people and governments of Europe for there to be a reduction in cooperation in respect of policing and law enforcement. We urge both sets of negotiators to find a way to secure continued high level cooperation on this incredibly important and sensitive matter. (Paragraph 43)
In regard to our Future Security Partnership with the EU, the Security, Law Enforcement and Criminal Justice Future Partnership Paper5 published in September last year - as well as the presentation6 on the UK’s proposed Framework for the UK-EU Security Partnership and the recently published White Paper7—have been clear in setting out our ambitious vision for our future security relationship with the EU; one which protects our shared operational capabilities by providing for practical operational cooperation; facilitates data-driven law enforcement; and allows multilateral cooperation through EU agencies.
The ability of law enforcement agencies to transfer data both within the EU and with
third countries is important to our collective security. It helps keep people safe by maximising the effectiveness of law enforcement agencies and bringing more criminals to justice.
The UK believes that the EU’s adequacy framework provides the right starting point for the arrangements the UK and the EU should agree on data protection, and we want to go beyond the framework in some respects. The UK and the EU start from a position of trust in each other’s standards and regulatory alignment on data protection.
8.There is a high chance of a legal challenge to any proposed UK-EU data international agreement. A legal challenge could create regulatory gaps and uncertainty for business. (Paragraph 47)
As the Committee notes, the Commission has the ability to withdraw Adequacy Decisions and the CJEU has the ability to rule on the validity of Adequacy Decisions and data agreements. In the Schrems case, the Commission’s partial Adequacy Decision underlying the EU-US Safe Harbor agreement, was challenged (rather than the Adequacy Decision framework as a whole). The Commission sought to address some of the concerns raised by the CJEU in the Schrems judgment in the GDPR, which contains a new adequacy framework, including the requirement for regular reviews.
The UK is starting from a position of unique alignment with the EU’s data protection laws with the successful passage of the Data Protection Act 2018, which implements the EU’s new data protection framework in UK domestic law. The UK was fully involved in the drafting of GDPR and worked with Member States to shape it. The UK will continue to work closely with the EU and other partners to tackle future questions and challenges surrounding data protection.
9.The UK should accept the provisions in Title 7 of the draft Withdrawal Agreement providing assurance about the future protection of personal data already in the UK at the time of withdrawal. Following the passage of the Data Protection Act, the UK’s data protection law will be aligned with EU law on the day the UK leaves the EU. As a result, the UK will be in a very strong position when it seeks a declaration of essentially equivalent data protection. However, it is seeking an unprecedented agreement which will be subject to negotiation. The UK Government should be preparing for the adequacy process and ensuring that there is no risk of a gap in legal provision for transferring data between the UK and the EU after December 2020. This would have serious implications for businesses and consumers on both sides. The UK Government needs to establish with the Commission whether it is possible for the adequacy process to be initiated before the UK leaves the EU and, if so, to initiate the process without delay. It needs to provide concrete assurances that data will be able to flow between the UK and the EU after December 2020 on the same terms as now.
Beyond this, the UK should explore the possibility of negotiating a bespoke agreement with the EU allowing much closer cooperation in data protection and data sharing which once achieved could replace the third party arrangements conferred by a simple adequacy decision. (Paragraph 51)
The UK Government is holding discussions with the European Commission on Title VII of the Withdrawal Agreement and we have made progress.
Both sides agree that it is important that the data and information, which has been exchanged before the end of the Implementation Period (and on the basis of the Withdrawal Agreement), is protected in accordance with high data protection standards. We want to move swiftly to discussing in more detail our future data protection partnership with the EU.
The UK Government believes it is in the best interests of citizens and businesses throughout the EU and the UK that we move quickly to provide the earliest possible reassurance that data flows can continue, uninterrupted, after the Implementation Period ends. That is why we have said that we are ready to begin preliminary discussions on an adequacy assessment straight away.
The UK agrees with the Committee that an agreement on data protection that provides for cooperation between data protection authorities would be mutually beneficial for both the EU and the UK.
10.The alternative legal processes for enabling data transfers, such as standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms, are unsatisfactory substitutes for an agreement that data protection rules in the UK are essentially equivalent to that of the EU. Such alternatives would represent a considerable change from the status quo, would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses. (Paragraph 57)
As the Committee acknowledges, without an Adequacy Decision or new model in place, it is still possible for personal data to be transferred to third countries. The GDPR and the LED set out alternative methods of transfer, which companies and public authorities may use to transfer data to third countries in the absence of an Adequacy Decision. While these alternatives to adequacy are available under the EU framework, they may be costly and burdensome for data controllers and processors. The government will continue to engage with businesses, including in the digital and tech sectors, to help them understand how they would need to operate under a range of outcomes on data protection.
11.While there are signs that the EU is moving to the inclusion of data in trade agreements, the current pattern appears to be for a trade agreement to be negotiated separately and in parallel to the process of an adequacy decision. The process for considering an application for data adequacy is not hampered or delayed by being subject to trade negotiations. (Paragraph 62)
12.The Government should state if its intention is to negotiate a single agreement covering the economic and the security aspects of the relationship, or to separate them into more than one agreement so the data aspect of the security relationship is not subject to the procedure for the economic agreement. (Paragraph 63)
The process for an adequacy assessment is the same under the Law Enforcement Directive and the GDPR, and the UK is ready to begin preliminary discussions on an adequacy assessment straight away.
It is in the best interests of citizens and businesses throughout the EU and the UK that we move quickly to provide the earliest possible reassurance that data flows can continue. However, the shape of the future UK-EU data protection agreement is a matter for negotiations.
1 The future relationship between the United Kingdom and the European Union’, 12 July 2018, <https://www.gov.uk/government/publications/the-future-relationship-between-the-united-kingdom-and-the-european-union>
2 ‘Framework for the UK-EU Partnership Data Protection’, 23 May 2018, <https://www.gov.uk/government/publications/framework-for-the-uk-eu-partnership-data-protection>
3 ‘Technical Note on Data Protection’, 7 June 2018, <https://www.gov.uk/government/publications/technical-note-on-data-protection>
4 ‘Exchanging and Protecting Personal Data in a Globalised World’, January 2017, <https://www.eesc.europa.eu/en/our-work/opinions-information-reports/opinions/exchanging-and-protecting-personal-data-globalised-world>
5 ‘Security, law enforcement and criminal justice - a future partnership paper’, 18 September 2017, <https://www.gov.uk/government/publications/security-law-enforcement-and-criminal-justice-a-future-partnership-paper>
6 ‘Framework for the UK-EU Security Partnership’, 9 May 2018, <https://www.gov.uk/government/publications/framework-for-the-uk-eu-security-partnership>
7 The future relationship between the United Kingdom and the European Union’, 12 July 2018, <https://www.gov.uk/government/publications/the-future-relationship-between-the-united-kingdom-and-the-european-union>
Published: 14 September 2018