The Government has said that it wants to maintain unhindered and uninterrupted data flows with the EU post-Brexit. The Government’s White Paper on The United Kingdom’s exit from and new partnership with the European Union says, for example, that the UK “will seek to maintain the stability of data transfers between the EU, Member States and the UK.”
We support this objective, but were struck by the lack of detail on how the Government plans to deliver this outcome. Our analysis suggests that the stakes are high, not least because any post-Brexit arrangement that results in greater friction around data transfers between the UK and the EU could present a non-tariff trade barrier, putting the UK at a competitive disadvantage. Any impediments to data flows post-Brexit could also hinder police and security cooperation.
The importance of cross-border data flows to the UK cannot be overstated:
In this report we look at four elements of the EU’s data protection package: the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US Privacy Shield and the EU-US Umbrella Agreement. Both the GDPR and the PCJ will enter into force in May 2018 while the UK is still a member of the EU. The EU-US Privacy Shield and EU-US Umbrella Agreement are already in force but will cease to apply to the UK post-Brexit.
For third countries looking to exchange data with the EU, the GDPR and PCJ provide for two broad options. The first would be for the UK to receive an ‘adequacy decision’ from the European Commission certifying that it provides a standard of protection which is “essentially equivalent” to EU data protection standards.
The second option would be for individual data controllers and processors to adopt their own safeguards offering an adequate level of protection to enable personal data to be transferred out of the EU. This would include tools such as Standard Contractual Clauses and Binding Corporate Rules. We conclude that these would be less effective than an adequacy decision, and we note the legal challenge known as Schrems II against Standard Contractual Clauses. Given the potential uncertainty around the alternative measures and the level of integration between the UK and the EU—three quarters of the UK’s cross-border data flows are with EU countries—we recommend that the Government should seek adequacy decisions to facilitate future UK-EU data transfers.
Although an adequacy decision would provide the most comprehensive mechanism for the UK to share data with the EU in an unhindered way, such decisions are only taken in respect of third countries, and follow a set procedure. This poses a legal impediment to having a decision in place at the moment of exit. To ensure uninterrupted flows of data and to avoid a cliff edge, we urge the Government to ensure that transitional arrangements are agreed to cover the interim period. Not having a transitional agreement for data-sharing for law enforcement presents a particular challenge because fall-back alternatives are not apparent, and would need to be negotiated.
The UK could find itself held to a higher standard as a third country than as a Member State. When considering an adequacy decision, the European Commission will look at a third country’s data protection framework in the round, including national security legislation. If the UK were to seek an adequacy decision, the UK would no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the UK’s data retention and surveillance regime is tested before the Court of Justice of the European Union.
Even though the UK will no longer be bound by EU data protection laws post-Brexit, there is no prospect of a clean break. The legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK. This will necessarily affect UK businesses that handle EU data. If the UK were to obtain an adequacy decision, the way that EU institutions such as the new European Data Protection Board and the Court of Justice of the European Union interpret the EU’s data protection laws could have an effect, albeit indirectly, by altering the standards that the UK would need to meet to maintain an adequate level of protection. Maintaining adequacy also means that any future changes in national practice could affect the UK’s adequacy status. Even without an adequacy decision, as long as UK data controllers and processors wish to continue to receive personal data from the EU they will need to maintain data protection standards that continue to meet EU requirements for the transfer of personal data outside its territory.
Similarly, as long as the UK wants to continue to receive unhindered data flows from the EU, the UK will be affected by the EU’s data protection standards relating to the onward transfer of personal data to third countries. The UK’s departure from the EU-US Privacy Shield and the EU-US Umbrella Agreement may require the UK to demonstrate that it has protections in place with the US that ensure the same level of protection as provided for under the two agreements. If the UK were to obtain an adequacy decision, a lax approach to onward transfers of data to third countries would put that adequacy decision at risk.
The UK’s future ability to influence EU rules on data protection is in doubt. We conclude that the Government must retain UK influence, starting by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board. The Government will also need to replace the institutional platforms currently used to exert influence and find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and global level.