77.The Government has been unequivocal about the need to maintain stability and ensure “unhindered” and “uninterrupted” data flows between the UK and the EU post-Brexit. Baroness Williams of Trafford, Minister of State at the Home Office, told us that “in a world of increasing mobile threats … data and data-sharing is one of our first lines of defence”, and that it was therefore “absolutely vital that law enforcement agencies work together across borders to share information in order to protect the public.” The Government’s White Paper on The United Kingdom’s exit from and new partnership with the European Union notes that “the stability of data transfer is important for many sectors”, and that the UK “will seek to maintain the stability of data transfers between the EU, Member States and the UK.”
78.But although the Government is clear that it wants unhindered and uninterrupted data flows with the EU post-Brexit, how it intends to achieve that goal is less apparent. Matt Hancock MP, Minister of State for Digital, told us that “there are many different ways this could work”, but did “not want to stress any particular option.” Lady Williams has also suggested that “it is too early to say what the future arrangements might look like.”
79.In the meantime, the Government has announced its intention to implement the GDPR and the PCJ Directive in full, and argued that doing so will put the UK in an optimal position for the negotiations with the EU-27: “On the date of departure, the UK’s data protection arrangements will be in perfect alignment with those of the continuing EU … [and] that will be a good basis for continuing negotiations”, according to David Jones MP, then Minister of State at the Department for Exiting the European Union. Lady Williams also emphasised the UK’s “unique position” at the point of exit in being a third country “that has fully implemented the EU’s provisions on data protection.”
80.There was consensus among our witnesses that seeking an adequacy decision from the Commission under Article 45 of the GDPR and Article 36 of the PCJ Directive would provide the most comprehensive platform for the UK to continue receiving data from the EU post-Brexit. The Information Commissioner, Elizabeth Denham, told us that an adequacy decision would be “the best way forward” and “the most straightforward arrangement for the commercial sector and certainly for citizens and consumers.” Although some other countries manage without an adequacy decision, the level of integration between the UK and the EU in terms of data protection standards meant that there was “no comparator to the UK. The UK has been so heavily integrated in the EU that it is difficult to say that the UK can get by without an adequacy decision.”
81.Rosemary Jay of Hunton & Williams confirmed that an adequacy decision was “the strongest guarantee of the free flow of data in terms of the commercial environment.” Stewart Room of PricewaterhouseCoopers also saw benefit in seeking an adequacy decision, noting that it “would give certainty to businesses and to the economy.” He also warned that after Brexit, “the critical consideration will be the extent to which the UK is perceived to be adequate, from the EU’s perspective, for data protection.” Mr Room listed “three key factors”, which he anticipated the European Commission would take into consideration to determine whether the UK’s data protection rules provided an adequate level of protection: “the overall strength of the legal framework; the effectiveness of the regulator; and [the UK’s] international commitments.” Although both the Directive and the Regulation gave the European Commission the authority to determine that a third country did not provide an adequate level of protection, Mr Room predicted that for the UK “a declaration of non-adequacy would be surprising.”
82.Rosemary Jay was less sanguine. She highlighted a “popular cultural view” in Europe that the UK was “soft on regulation, including data protection”, even though that perception was not borne out “on a hard analysis.” Ruth Boardman, of Bird & Bird, also warned that “within the EU, it will be a tough ask to persuade other … Member States … that we are the gold standard because we are widely perceived as being the pragmatic, moderating voice rather than the country which is pushing at the edge of this.”
83.Ms Boardman noted that when the EU had considered adequacy decisions for territories with UK-inspired data protection legislation, such as Jersey and Guernsey, “the Article 29 working party had to give an opinion on the adequacy of the laws there, and it expressed concerns about some of their laws precisely because they replicated UK law.” She emphasised that while the UK was a member of the EU, it was “automatically adequate”, but such instances showed that the UK was “not seen as being the gold standard.”
84.There is a paradox here, in that higher standards of data protection may be required of third countries than are required of EU Member States. When considering an adequacy decision, the European Commission will look at a third country’s data protection framework in the round, including looking at national security legislation (which is a national competence for EU Member States). As Ruth Boardman noted, as long as the UK is a member of the EU, “national security concerns cannot be used as a reason to prevent a free flow of data” with the EU. However, once the UK is no longer a member of the EU, national security concerns “could be used as a reason for arguing that the UK ought not to be adequate.”
85.Professor Mitsilegas pointed out that, since the ruling in the Schrems case, the CJEU had been “raising the bar on adequacy”:
“The Court of Justice in Schrems—which involved the US so we are not talking about some third country with no system—said that the two systems need to be essentially equivalent. The Court said … that it is not enough to tick-box the legislation. You have to examine how this works in practice and ensure that data protection is provided in an effective manner. The benchmark is high.”
86.Professor Mitsilegas also highlighted the ongoing role of the CJEU and the continued relevance of the Charter of Fundamental Rights in relation to adequacy decisions:
“In the field of data protection, we should not forget that the Court of Justice interprets the instruments, the Regulation and the Directive, in conformity with the EU Charter of Fundamental Rights, which is part of the EU law … This means that compatibility, equivalency or adequacy under the Data Protection Directive or Regulation will be assessed by the Commission in light of the interpretation of these instruments by the Court of Justice. However you define the legal relationship and the impact of the court … the Court of Justice’s case law must be taken into account.”
87.The Government is non-committal about whether it plans to seek an adequacy decision. Mr Hancock acknowledged that “an adequacy decision could work” as a way of achieving the Government’s objectives, but emphasised that there were “many different ways in which you could make this work.” Lady Williams told us that “an adequacy agreement is certainly an option, but I cannot say, in the context of other options that might be available, what the end point will look like.”
88.There was consensus among our witnesses that although alternatives to an adequacy decision are available, those alternatives would be less effective in reducing friction around data flows. The Information Commissioner, Elizabeth Denham, told us that alternative mechanisms were “not as broad, all-encompassing and clear as an adequacy agreement”, and “not as straightforward.” Antony Walker, of TechUK, told us that the impact of not having an adequacy decision would be felt “economy-wide”, and listed a series of drawbacks:
“The first would be a significant increase in the amount of red tape that businesses have to deal with as they would have to put other mechanisms in place to lawfully transfer data. That means cost because there will be significant legal costs associated with putting those measures in place. There is also an element of uncertainty which is about the future legality of some of the mechanisms … Finally, there is an issue around competitive disadvantage for UK firms. If [UK] firms have to jump through a whole set of additional legal hoops in order to transact and do business with firms or customers across the European Union, they will be at a disadvantage versus their competitors who are based in the European Union and do not have to go through all those steps.”
89.Under the GDPR, in the absence of an adequacy decision data transfers can take place to a third country or international organisation only if the data controller or processor has appropriate safeguards in place, and “enforceable data subject rights and effective legal remedies for data subjects are available.” Box 2 sets out the alternative legal mechanisms permissible under the GDPR.
Under Article 46 of the GDPR, the following mechanisms constitute appropriate safeguards, without requiring any specific authorisation from a supervisory authority:
Mechanisms are also available under the GDPR for transferring data, subject to authorisation from the competent supervisory authority. These are:
Source: Article 46(2)(a)-(f) and 46(3)(a) and (b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (4 May 2016)
90.The main mechanisms in the GDPR permitting data transfers out of the EU to countries or organisations that are not covered by an adequacy decision are Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Our witnesses agreed that although these mechanisms were less good than an adequacy decision, they did provide a viable alternative in some cases. Ruth Boardman told us that SCCs were “the most commonly used way of transferring data because [they require] less effort … you sign a contract and then you have a mechanism for transferring data.”
91.The Information Commissioner raised concerns that mechanisms like SCCs would “not [be] easy for businesses, particularly small and medium-sized businesses.” Antony Walker agreed that SMEs would face “significant legal costs associated with putting [SCCs] in place.” Such mechanisms would be “a significant impediment to doing cross-border trade” and a “significant disincentive” for SMEs to expand into international markets or partner with other firms in other markets. Ms Boardman told us that even for larger organisations, SCCs added “cost and complexity.”
92.Ruth Boardman also noted that SCCs were not a practical option for businesses that sell directly to consumers in the EU. In such cases, “there will not be two parties to enter into the contract”, meaning that SCCs were “not really possible for that kind of organisation.”
93.Antony Walker and Ruth Boardman were also concerned that SCCs could potentially be precluded by virtue of an ongoing legal challenge initiated by Max Schrems. Ms Boardman told us this could be “particularly significant for the UK because, if those data transfer agreements are held to be invalid, the main alternative way that businesses would use to allow data to be shared with the UK would suddenly cease to be valid.” Antony Walker added that you could “quite quickly” get into “a scenario where you run out of options”, while Ruth Boardman noted that data flows could be “massively disrupted.”
94.BCRs are designed to allow a multinational company, or a group of companies, to transfer data from the EU to their affiliates outside the EU. Ruth Boardman told us that BCRs required “fairly sophisticated approaches to data protection”, making them difficult for SMEs. Moreover, the participating company’s data protection standards would have to be authorised by a data protection authority, which required a “presence in an EU member state.” This meant that “if you are just a UK company, you could not use that mechanism.” Antony Walker highlighted the case of one company that had been seeking authorisation for its BCRs “for more than five years” and had still not received authorisation, casting doubt on whether BCRs could offer a prompt solution for UK firms in the absence of an adequacy decision.
Under the PCJ Directive, data transfers can take place in the absence of an adequacy decision to a third country or international organisation where “(a) appropriate safeguards with regard to the protection of personal data are provided for in a legally binding instrument; or (b) the controller has assessed all the circumstances surrounding the transfer of personal data and concludes that appropriate safeguards exist with regard to the protection of personal data.” In the absence of both an adequacy decision and appropriate safeguards, the Directive allows for derogations for specific situations under which Member States may still transfer data for law enforcement purposes. These are:
95.Professor Mitsilegas warned that, while there might be viable alternatives to an adequacy decision in the commercial sphere:
“In the field of law enforcement, things become more complicated, because even if the United Kingdom wanted to proceed into bilateral agreements with EU member states, when EU member states act externally they are bound by EU law. They cannot cooperate with third countries if these countries are not perceived to provide an equivalent level of protection. There, I think, adequacy would be more important for the UK and for public security.”
96.As for other alternatives, trade agreements have recently emerged as a means of regulating cross-border data flows. One example is the Trans-Pacific Partnership Agreement (TPP), which imposes limits on the extent of data protection regulation that signatories can provide in their national laws. Antony Walker suggested that if the UK was not “really committed” to seeking an adequacy decision, it could seek “a new treaty arrangement” with the EU, either as part of the “overall new relationship or in a specific data protection treaty.”
97.The Government appears to envisage uninterrupted data flows, with data transfers the day after withdrawal continuing much as before. The Information Commissioner agreed that “if there is a way to negotiate either a transition arrangement or something so that there is not a cliff-edge on day one, that is in the best interests of everyone.” However, she also questioned whether this would be feasible: “Achieving adequacy on day one after exiting the EU may be challenging because there is a legal process involved.” Rosemary Jay emphasised that reaching an adequacy decision was “a legislative process”, and that it was “not simply within the [Commission’s] gift to [deliver an adequacy decision] in some informal way.” She could “see no way” to foreshorten the process, noting that under EU law the UK needed to become a third country before it could be subject to an adequacy decision.
98.Other witnesses raised concern about the length of time it might take to secure an adequacy decision. Stewart Room noted: “The point about there being only nine [jurisdictions that have adequacy decisions from the EU] is also an indicator of the amount of time and complexity that attaches to the development of an adequacy decision.” Adequacy decisions could “take many years” to negotiate. Antony Walker agreed that it was “quite a lengthy process”, which would “take in the range of about two years to go through the various stages.” Mr Walker also warned of a “real risk” that legal challenges before the CJEU could coincide with the end of the Brexit negotiations, leading to “real uncertainty.”
99.Stewart Room acknowledged the challenge of sequencing, but emphasised that “the mutual interest is absolutely clear.” He suggested that “the essential point about data protection is that all of Europe … believes in [it] … There is an interest for all EU member states to maintain strong data protection. The 27 would want to see strong data protection for their citizens who remain in [the UK] afterwards.”
100.Antony Walker also identified a shared interest in managing the transition: “There are many businesses across the European Union which are just as concerned that there is a smooth transition as UK firms are.” He therefore hoped that transition could “be managed in a positive way” and emphasised the need for a transitional agreement to avoid a ‘cliff-edge’. He wanted “to see an extension of current processes up until the point that a new relationship enters into force.”
101.The type of agreement that the UK establishes with the EU to facilitate UK-EU data transfers after Brexit may also affect data flows between the UK and other third countries. An adequacy decision would require the UK to transfer the personal data of EU data subjects only to countries or organisations that meet EU data protection standards. The Information Commissioner, Elizabeth Denham, explained: “If the Government decide to proceed and obtain an adequacy finding for the UK as a third country, that will limit how much manoeuvre we have”, adding that “when you bind yourself to an adequacy decision, the European Commission will put constraints in place.” Stewart Room agreed that in order to receive an adequacy decision from the EU, the UK might “have to put up some barriers in relation to third countries.” As Ruth Boardman put it:
“If the UK gets adequacy, it is a ship in which it is safe to put EU data. If our rules on onward transfers are too lax, then there are lots of holes in the ship and that data can escape, so it affects your own adequacy decision. That is an incentive … for trying to follow the EU approach very closely, unless there is a good reason to depart from it.”
102.These factors will be relevant when the Government considers whether to replace the EU-US Privacy Shield and the EU-US Umbrella Agreement, which will cease to apply to the UK when it ceases to be a member of the EU.
103.The Government’s objective for UK-US data transfers is similar to its objective for UK-EU data transfers. The Minister told us:
“We must have a view both on our future position with the EU and on our future position with other jurisdictions that have high-quality data protection regimes, the US being the most obvious example. We must make sure that we have a free flow of data with them, too. Currently, we do that through the EU, but we will have to do it directly instead.”
104.Currently UK and US organisations share data either via mechanisms such as SCCs and BCRs or under the EU-US Privacy Shield. The Privacy Shield will no longer apply to the UK post-Brexit, and we therefore asked whether the UK would need to replace it with an equivalent agreement between the UK and the US.
105.The Information Commissioner, Elizabeth Denham, was clear that “[we] will need to strike our own agreement with the US.” Ruth Boardman observed that many of the firms that had signed up to the EU-US Privacy Shield from the US were “large firms that are doing large volumes of data transfer”; she saw the Privacy Shield as “the easiest mechanism to enable UK- and US-based firms to transfer data lawfully.” The Information Commissioner stressed that for SMEs in particular the Privacy Shield was better than the alternatives, such as SCCs.
106.Rosemary Jay suggested Switzerland as a possible model for the UK: “Switzerland has an adequacy finding, so it is regarded as equivalent and adequate, and then it has a mirror of the Privacy Shield agreement with the US.” This meant that the “flow of data from Europe through to Switzerland, through to the US and back round again is unimpeded.” The Information Commissioner also saw merit in the Swiss model, and did not see why the UK would need to “completely reinvent the wheel.” Professor Mitsilegas noted that if the UK had an adequacy decision from the EU, the Government could even propose a “tripartite venture” with the EU and the US.
107.Asked whether the UK should seek an umbrella-style agreement with the US, the Information Commissioner told us: “Any arrangement that gives us a strong harmonised approach for protection of personal data and facilitates the appropriate transfer of data is a good thing.” Baroness Williams of Trafford, Minister of State at the Home Office, told us that the Government intended to “explore what we do going forward.”
108.We also asked whether there would be appetite from the US to conclude either a privacy shield-type agreement or an umbrella-type agreement with the UK. The Information Commissioner described the question as “theoretical” at this stage. For law enforcement, she emphasised that having something in place would be “fundamentally important”, and that she “would expect the public to want us to all get on with this and make sure [that] data is protected.” Antony Walker, of TechUK, noted that “data protection and privacy and so on are becoming fundamental enablers to trade”, and suggested that there might be some appetite to include data protection in a UK-US free trade agreement. However, Mr Walker warned that “We simply do not know what US trade policy is going to be yet”, and that it was “too early to judge.”
109.Professor Mitsilegas told us that the attractiveness of a UK-US Privacy Shield for the US would partly depend on the “commercial interests” at stake. Antony Walker noted that “compared to other EU member states, the UK has a higher proportion of US firms that are based and located in the UK and … a lot of the data transfers between the US and the EU emanate from the UK.”
110.The Government has said that it wishes to secure unhindered and uninterrupted flows of data between the UK and the EU post-Brexit, to facilitate both trade and law enforcement cooperation. We support this objective, and note that any arrangement that resulted in greater friction around data transfers between the UK and the EU post-Brexit could hinder police and security cooperation. It could also present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage. The Government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome. We were struck by the lack of detail in the Government’s assurances thus far.
111.There was consensus among our witnesses that the most effective way to achieve unhindered flows of data would be to secure adequacy decisions from the European Commission under Article 45 of the General Data Protection Regulation and Article 36 of the Police and Criminal Justice Directive, thereby confirming that the UK’s data protection rules offered an equivalent standard of protection to that available within the EU.
112.Although other legal mechanisms to facilitate cross-border flows of data are available, we were persuaded by the Information Commissioner’s view that the UK is so heavily integrated with the EU—three-quarters of the UK’s cross-border data flows are with EU countries—that it would be difficult for the UK to get by without an adequacy arrangement. We therefore recommend that the Government should seek adequacy decisions to facilitate UK-EU data transfers after the UK has ceased to be a member of the EU. This would provide the least burdensome and most comprehensive platform for sharing data with the EU, and offer stability and certainty for businesses, particularly SMEs.
113.Adequacy decisions can only be taken in respect of third countries, and there are therefore legal impediments to having such decisions in place at the moment of exit. In the absence of a transitional arrangement, this could put at risk the Government’s objective of securing uninterrupted flows of data, creating a cliff-edge. We urge the Government to ensure that any transitional arrangements agreed during the withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK.
114.In the absence of such transitional arrangements, the lack of tried and tested fall-back options for data-sharing in the area of law enforcement would raise concerns about the UK’s ability to maintain deep police and security cooperation with the EU and its Member States in the immediate aftermath of Brexit.
115.The need for transitional arrangements also extends to the commercial sector. Although there are alternative mechanisms to allow data to flow out of the EU for commercial purposes, these are sub-optimal compared to an adequacy decision, and may not be available to some types of companies, for instance small companies or those dealing directly with consumers. Some are also currently subject to legal challenge, notably the Schrems II case against Standard Contractual Clauses, underlining the need for a transitional arrangement.
116.The EU-US Privacy Shield and the EU-US Umbrella Agreement will cease to apply to the UK post-Brexit. Because of EU rules for onward transfers, securing unhindered flows of data with the EU may require the UK also to demonstrate that it has put arrangements in place with the US that afford the same level of protection as the Privacy Shield and the Umbrella Agreement. As regards data-sharing for commercial purposes, we note the approach taken by Switzerland, which has secured both an adequacy decision from the EU and a mirror of the Privacy Shield agreement with the US.
83 Department for Exiting the European Union, The United Kingdom’s exit from and new partnership with the European Union, Cm 9417, February 2017, paras 8.38 and 8.40
85 HL Deb, 30 March 2017
86 HC Deb, 18 January 2017
93 Article 45, Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (4 May 2016, pp 1–88) and Article 36, Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (4 May 2016, pp 89–131) list three areas which “the Commission shall, in particular, take account of” when assessing the adequacy of the level of protection. These are “(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral … as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation … case law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects … (b) the existence and effective functioning of one or more independent supervisory authorities in the third country … with responsibility for ensuring and enforcing compliance with the data protection rules … (c) the international commitments the third country … has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.”
94 Written evidence from Stewart Room, paras 17 and 24
104 See paras 46, 93 and 115 on the Schrems II case.
106 Article 46(1), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (4 May 2016, pp 1–88)
107 SCCs are also sometimes referred to as Model Contracts or Model Clauses.
108 Article 46, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (4 May 2016, pp 1–88) lists other options as mentioned above (see Box 2) but our witnesses identified these two as the main mechanisms for third countries and organisations to transfer data in the absence of an adequacy decision.
115 On 31 May 2016 the Irish Data Protection Commissioner (DPC) commenced proceedings in the Irish High Court to seek a reference to the CJEU as to the validity of the SCC mechanism. This case has its roots in a complaint about Facebook made to the DPC by privacy advocate Max Schrems in 2013 in light of disclosures made by Edward Snowden about the US Government’s PRISM programme. As of 16 March 2017 the Irish High Court had not delivered its ruling as to whether or not a reference should be sought from the CJEU. See Data Protection Commissioner, Update on litigation involving Facebook and Maximillian Schrems: Explanatory Memo (16 March 2017) [accessed 10 April 2017]
122 Article 37(1)(a)-(b), Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (4 May 2016, pp 89–131)
123 Article 38(1)(a)-(e), Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (4 May 2016, pp 89–131)
125 UNCTAD, Data protection regulations and international data flows: implications for trade and development (2016), p 37 [accessed 5 July 2017]