The future UK-EU relationship on professional and business services Contents

Chapter 9: Digital trade and data flows

The need for data transfers

185.Witnesses impressed upon us the importance of digital trade—defined by techUK as the “cross-border transfer of data, products, or services by electronic means”—both for their day-to-day business operations and to drive innovation in their sectors.249

186.This applies across the professional and business services landscape. For instance:

Similar remarks were made by Simon Hart in relation to management consulting and accountancy, and by the Law Society of Scotland on legal services.253

187.From the end of 2020 the ease of UK-EU data transfers will depend to a large extent on whether, as envisaged in the October 2019 Political Declaration on future UK-EU relations, the two sides have taken the necessary steps, in accordance with their respective data protection regimes, to facilitate transfers between them of personal data.254 As part of the trade negotiations, the Government and EU are also seeking to agree commitments to reduce barriers to data flows for business purposes.

Data adequacy

188.In the EU, the handling of personal data by individuals and organisations, and data transfers to a third country, are governed by the 2016 General Data Protection Regulation (GDPR).255 Under the GDPR, the Commission may issue an ‘adequacy’ decision confirming that a third country provides a level of data protection comparable to that in EU law. As we explained in our July 2017 report Brexit: the EU data protection package, “the practical effect of an adequacy decision is that cross-border data transfers” to the relevant third country “can take place without any further safeguards”.256

189.Discussions between the Commission and the Government on the EU’s assessment of the UK’s data adequacy formally started on 11 March 2020.257 On 13 March the Government published a suite of explanatory documents on the UK’s data protection framework, aimed to aid the Commission’s assessment.258

190.The PBSC and the Advertising Association underlined the importance of data adequacy, with the PBSC calling on the Government to “continue to push” for an adequacy decision under any scenario.259 Professor John Bryson said a lack of data adequacy would be a “major stumbling block” for professional and business service providers.260

191.As the PBSC told us, the data adequacy process is “separate from the bilateral trade negotiations”.261 This means that, in principle, the UK could receive a positive data adequacy decision (and could grant such a decision in respect of the EU) even if the Government and EU failed to conclude a trade agreement. But as with equivalence decisions, techUK saw a risk that “political disruption spilling over from the main FTA negotiations or from the wider political sphere in the UK or the EU” could make a positive adequacy decision “challenging”.262

192.A key risk is that the Commission might refuse to grant data adequacy due to tensions between the UK’s surveillance framework and EU data protection rules. Sally Jones told us:

“The real question is whether the UK’s legislative framework in the round, not just GDPR but as a collection, ensures that EU citizens have the same level of protection over their personal data post the UK leaving as they do [now]. The answer in the round is that, arguably—I am not making any kind of political point—no, it does not.”263

193.Oliver Patel, Research Associate and Manager, UCL, drew attention to the potential implications for the UK’s data adequacy assessment of the Schrems II case. This, he explained, questioned the legality of the EU-US data-sharing arrangement known as ‘Privacy Shield’, due to a “clash between U.S. national security and surveillance laws and EU data protection standards and fundamental rights”. He argued that the CJEU’s judgement “could render it virtually impossible for the Commission to grant the UK an adequacy decision”.264 We note that, on 16 July 2020, the CJEU rendered its judgment in the Schrems II case, striking down Privacy Shield.265 We also note the views expressed that recent decisions of the CJEU may further increase the risk that the Commission does not grant the UK a data adequacy decision.266 At the time of writing, the knock-on effects on the UK’s data adequacy process (if any) remained unclear, but it is important to underline, as our former Home Affairs Sub-Committee concluded in 2017, that as a third country the UK will no longer benefit from the national security exemption afforded to Member States under the Treaty on the Functioning of the European Union. The UK could thus “find itself held to a higher standard as a third country than as a Member State”.267

The loss of adequacy

194.Oliver Patel was clear that a lack of data adequacy would not put a stop to UK-EU data transfers or UK-EU digital trade. Firms would, however, need to put in place “ad hoc legal mechanisms” to meet the requirements of the GDPR. techUK clarified that “every business in the UK and the EU that exchanges personal data” would become subject to these obligations.268

195.The GDPR provides several mechanisms for enabling data transfers to a third country in the absence of an adequacy decision.269 Based on the evidence we received, the most relevant to professional and business service providers are:

196.The Law Society of England and Wales said that these alternative mechanisms had “serious shortcomings, as compared with data adequacy”, for example that businesses would be “subject to regulatory responsibilities (and associated costs)” and exposed to “sanctions and fines” in case of non-compliance.273 Oliver Patel note that such sanctions would have reputational as well as financial implications for businesses.274

197.SMEs could be hit particularly hard. Neil Ross, Policy Manager, techUK, warned that SMEs “do not have the time or necessarily the expertise to put [the GDPR] provisions in place”.275 Research by the Federation of Small Businesses confirms that “only a small proportion of small businesses are aware of [standard contractual clauses] as a legal means to transfer data internationally”.276 Such concerns bear out the conclusion in our 2017 report: “Although there are alternative mechanisms to allow data to flow out of the EU for commercial purposes, these are sub-optimal compared to an adequacy decision.”277

198.More broadly, Neil Ross, Policy Manager, techUK, was concerned that UK businesses could be “viewed as less competitive”, given the “extra burdens” associated with data transfers.278 Oliver Patel also felt that a lack of data adequacy could lead to a reduction in UK-EU digital trade, with EU firms choosing EU-based service providers over UK competitors and the prices of services sold from the EU to the UK increasing.279 The Chartered Institute of Public Relations believed that a failure to secure an adequacy decision could “undermine trust” in the UK’s data protection framework, and in “UK business in general”.280

Data adequacy in UK law

199.Regulations made in 2019 have replicated the data adequacy process in UK law, granting the power to adopt ‘adequacy regulations’ (decisions) to the Secretary of State for Culture, Media and Sport. The Regulations also recognised the data adequacy of EU and other EEA countries on a transitional basis—thus ensuring the uninterrupted free flow of data from the UK to these countries.281 The Minister told us that the Government would “keep our transitional adequacy arrangements under review and complete these reviews within four years of the arrangement coming in to effect”.282

The Government’s position

200.The Government acknowledged that a data adequacy decision from the Commission was “of key importance in day-to-day business operations of data heavy sectors”. At the same time, it felt that “for most organisations—including SMEs”, the implementation of Standard Contractual Clauses in the event of no adequacy decision “should not be excessively costly”.283 Carl Creswell, Director, Professional Business Services, BEIS added that the UK’s Information Commissioner’s Office (ICO) had “produced quite a lot of guidance for businesses, which they can draw on”.284 Similarly, the ICO referenced the “extensive guidance” already available to businesses “on the various alternative transfer mechanisms available in the event of no adequacy decision”, including an “interactive web tool” for creating standard contractual clauses.285

201.Asked about progress in the Commission’s adequacy assessment of the UK, the Minister declined to speculate.286 He was nonetheless “confident that an adequacy agreement [could] be reached with the EU by the end of the transition period”,287 and hoped that the issue would “not be politicised”.288

202.The free flow of data between the UK and EU is vital to professional and business service providers. Reciprocal UK and EU data adequacy assessments would be the most effective way to support such data flows. While their absence would not pose an absolute barrier, the alternative arrangements prescribed by the GDPR, in particular Standard Contractual Clauses, can be cumbersome to implement and would expose businesses to the risk of sanctions and fines. All of this could add complexity to, and potentially reduce, UK-EU digital trade in professional and business services. We reiterate the conclusion in our July 2017 report Brexit: the data protection package that the reciprocal granting of adequacy decisions is by far the preferred mechanism to support continuing UK-EU data transfers.

203.We are concerned that there is a possibility that the Commission may not grant the UK a data adequacy decision. We call on the Government to push for the assessment to be concluded as soon as possible, to give businesses in the UK and EU legal certainty and time to prepare. We note that the UK has granted the EU data adequacy on a transitional basis.

204.Smaller operators in the UK remain unprepared for the possibility of no adequacy decision, with some unaware of the potential requirement for standard contractual clauses. We welcome the work already done by the ICO to inform businesses, including SMEs, about the implications if no decision to grant adequacy is forthcoming, but call on the Government and ICO to step up their engagement efforts in coming weeks.

Data flows under a UK-EU agreement

205.The Government and EU are separately negotiating, as part of the wider discussions on the future UK-EU relationship, provisions aimed at reducing barriers to transfers of personal and non-personal information for business purposes.

206.A key benefit of such an agreement would be a prohibition on the imposition of data localisation rules, requiring companies from one Party exporting to the other Party to store data in the latter’s territory. Simon Conington argued that such rules posed “a barrier against working smarter and against digitalisation”, and could “cause difficulties” to UK service exporters.289 Similarly, the Law Society of Scotland described data localisation requirements as a potential “barrier to trade”.290

207.Neil Ross reassured us that both the EU’s and UK’s proposals would prevent signatories to the agreement from imposing data localisation requirements “unless in very extreme circumstances”.291 techUK, on the other hand, identified some differences between the Government’s and EU’s proposals on data flows. In particular, while the Government had put forward a “positive obligation to allow cross-border data transfers for business purposes”, the EU was taking a “more precautionary approach with a much greater focus on personal data protection”.

208.According to techUK, the Government’s proposed commitments on data flows were much more akin to arrangements in the United States-Mexico-Canada Agreement, US-Japan Digital Trade Agreement and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, than to those in the EU’s current trade agreements.292 Neil Ross reflected on the implications for UK trade policy of such differences, warning that any commitments made by the Government in future trade agreements with third countries, for example “to transferring personal data as part of business contracts without additional checks or safeguards on personal data”, could “have a very large impact” on a UK-EU agreement, as well as on data adequacy arrangements.293

209.Separate to the data adequacy process, the Government and EU are negotiating provisions aimed to reduce barriers to data transfers for business purposes as part of a future relationship agreement. We welcome the fact that both Parties are seeking a commitment not to impose data localisation requirements, which were highlighted in evidence as a potential barrier to trade and innovation in the professional and business services sectors.

249 Written evidence from techUK (PBS0050)

251 Written evidence from the REC (PBS0022)

253 Q 40; written evidence from the Law Society of Scotland (PBS0039)

254 HM Government, Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom, paragraph 9: [accessed 22 September 2020]

255 Regulation (EU) of 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1, 27 April 2016

256 European Union Committee, Brexit: the EU data protection package (3rd Report, Session 2017–19, HL Paper 7)

257 Written evidence from BEIS (PBS0024)

258 HM Government, Explanatory framework for adequacy discussions, 13 March 2020: [accessed 22 September 2020]

259 Written evidence from the PBSC (PBS0007) and from the Advertising Association (PBS0016)

260 Written evidence from Professor John Bryson(PBS0017)

261 Written evidence from the PBSC (PBS0007)

262 Written evidence from techUK (PBS0050)

264 Written evidence from Oliver Patel (PBS0029)

265 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Judgement of the Court (Grand Chamber), 16 July 2020, C-311/18

266 La Quadrature du Net, French Data Network, Federation des fournisseurs d’access a internet associatifs, v Premier ministre, Garde des Sceaux, ministre de la Justice, Ministre de l’Intérieur, Ministre des Armées, interveners:Privacy International, Center for Democracy and Technology (6 October 2020) ECLI:EU:C:2020:791 and Privacy International v Secretary of State for Foreign and Commonwealth Affairs, Secretary of State for the Home Department, Government Communications Headquarters, Security Service, Secret Intelligence Service (6 October 2020) C-263/17

267 European Union Committee, Brexit: the EU data protection package (3rd Report, Session 2017–19, HL Paper 7), para 165

268 Written evidence from techUK (PBS0050)

269 Written evidence from the PBSC (PBS0007)

270 Written evidence from Oliver Patel (PBS0029)

271 Ibid.

273 Written evidence from the Law Society of England and Wales (PBS0019)

274 Written evidence from Oliver Patel (PBS0029)

275 European Union Committee, Brexit: the EU data protection package (3rd Report, Session 2017–19, HL Paper 7)

276 Written evidence from the FSB (PBS0051)

277 European Union Committee, Brexit: the EU data protection package, para 115

279 Written evidence from Oliver Patel (PBS0029)

280 Written evidence from the CIPR (PBS0035)

281 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, (SI 2019/419)

283 Written evidence from BEIS (PBS0024)

284 Q 82 (Carl Creswell)

285 Written evidence from the ICO (PBS0053)

290 Written evidence from the Law Society of Scotland (PBS0039)

292 Written evidence from techUK (PBS0050)

© Parliamentary copyright 2020