The UK Government has today published a white paper setting out its approach to the forthcoming negotiations on exiting the European Union, and its vision for a ‘post-Brexit’ settlement. In a chapter entitled ‘Ensuring free trade with European markets’, the white paper outlines the Government’s intention to retain data protection standards in the UK which are equivalent to those in the EU.
The free flow of data between the UK and continental Europe is an important foundation of cross-border trade, and a fact of life for many UK and EU businesses and consumers. EU law, both in its current form through Directive 95/46/EC, and in the General Data Protection Regulation (“GDPR“), which will apply from May 2018 onwards, restricts the transfer of personal data from the EU to ‘third countries’ which do not have a level of data protection recognised as equivalent by the European Commission. This is expressly addressed in the white paper, which commits the Government to seek a solution which preserves stable data transfers between the UK and EU once the UK officially becomes a third country:
8.39 The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.
8.40 As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.
Whilst an equivalency decision is not specifically referred to as the Government’s goal, this is a strong indication that the UK is not planning to deviate significantly from the GDPR standards which it will adopt, whilst it is almost certainly still a member of the EU, in May 2018.
The statements contained in the white paper are the latest in a line of public pronouncements which have helped to give a degree of clarity and reassurance around the UK Government’s plans for data protection law in the UK in the wake of Brexit. In her first speech as the new Information Commissioner in September 2016, Elizabeth Denham talked about the ‘fundamental importance’ of data flows between the UK and the EU, and about the need for consistency of law and standards. More recently, the UK’s Data Protection Minister, Matt Hancock, confirmed in evidence given to the House of Lords Home Affairs sub-committee that (i) the UK will implement the GDPR in full in May 2018; and (ii) that, as and when the UK revaluates its legal framework post-Brexit, it needs to prioritise data sharing with international partners.
Given the potential for upheaval caused by Brexit across a whole range of areas which are based, directly or indirectly, on EU law, it is encouraging to be given an indication that the UK is leaning towards a strategy of stability and equivalence in the field of data protection. The GDPR represents a once-in-a-generation change in data protection and privacy law, which the UK Government, the ICO and businesses have been gearing up to for several years. The inference from these latest statements is that that preparation will not be in vain, and that the broad framework of the GDPR will be the basis for UK data protection law both in sixteen months’ time, and in the eventual post-Brexit landscape.