Her Majesty’s Government last week published a position paper outlining its preferred post-Brexit landscape for data protection. The high-level takeaways are hardly surprising: the
government stresses that it intends to “remain a global leader on data protection” and, as we already know, the UK’s Data Protection Bill, announced in the Queen’s Speech, will implement the EU’s General Data Protection Regulation (GDPR).
The paper’s top priority is the frictionless movement of personal data between the UK and the EU. The government sets out the Schrems test – i.e., that standards in a non-EU country must be “essentially equivalent” to those applied in the EU – and emphasises that the UK will be in an “unprecedented position” at Brexit, as the UK will have fully implemented the GDPR and so have the same data protection standards as the remaining EU member states. The government priority, then, is for the UK and the EU “to agree early in the process to mutually recognise each other’s data protection frameworks” to allow the free flow of personal data to continue at the time of Brexit. This bespoke interim solution would be followed up with agreed timelines about longer-term arrangements, with the paper suggesting that the UK will ultimately seek an adequacy decision.
Interestingly, the paper outlines international ambitions for the Information Commissioner’s Office (ICO), the UK’s data protection authority. The paper proposes “an ongoing role for the UK’s ICO in EU regulatory fora” (essentially, the European Data Protection Board) and suggests that the ICO can be “fully involved in the EU regulatory dialogue”. However, it is unclear just how “fully” the ICO could participate – currently, EEA members have a seat at the table in shaping policy at the Article 29 Working Party but not a vote on the final decisions, and it is altogether unclear whether the remaining EU data protection authorities would be open to this model for the ICO. At the same time, the paper notes in no uncertain terms that the UK government will continue to be responsible for the content and direction of data protection policy and legislation within the UK.
Crucially, the government tries to tie data protection to trade. The paper cites a 2013 report which suggests that “if cross-border data flows between the EU and the US were seriously disrupted, the EU’s GDP could reduce by between 0.8 and 1.3 per cent”. It also notes that “[The EU] recently announced plans to conclude its adequacy decision with Japan by early 2018. This stems from a desire to achieve progress in the ongoing EU-Japan trade deal negotiations”.
The UK is taking steps to try to assuage business concerns but, as with all things in these negotiations, the talks take time. Ultimately, this is as much about politics as it is about personal data.
To read our original take on this, right after the referendum, click here