The House of Lords European Union Committee (the “committee”) has published a report which looks at the upcoming changes to the EU’s data protection laws and the implications for data transfers between the UK and EU after the UK leaves the European Union.
The key points from the report include:
- The committee supports the UK government’s position in maintaining unhindered data flows post-Brexit but is concerned by the lack of detail on how the UK government will deliver its aims.
- If a post-Brexit arrangement leads to contention around UK-EU data flows, this could pose a non-tariff barrier to trade and therefore put the UK at a competitive disadvantage.
- The UK government should confirm that the UK’s data protection rules offer an equivalent standard of protection to that offered within the EU and should put in place provisions to cover the transition period of leaving.
- Recommendations for the UK government to retain UK influence and secure a continuing role for the UK Information Commissioner’s Office on the European Data Protection Board.
The report looks at the impact of Brexit on the following upcoming changes:
- General Data Protection Regulation (GDPR): this legislation will become directly applicable in all EU member states from 25 May 2018.
- The Police and Criminal Justice Directive (PCJ Directive): EU member states must transpose the PCJ Directive into their national laws by 6 May 2018.
- The EU-US Privacy Shield: this enables personal data transfers from the EU to the US for commercial purposes and replaces the Safe Harbour agreement.
- The EU-US Umbrella Agreement: this establishes a framework for the protection of personal data between the EU and US for criminal law enforcement purposes.
After Brexit, the UK will become a “third country” no longer bound by EU data protection laws and will not be part of the EU-US Privacy Shield or EU-US Umbrella Agreement. However, it is still important to consider the upcoming changes because the EU's rules on data transfers to third countries (i.e. the UK) require them to meet an "adequate" level of protection.
Data transfers after Brexit
UK – EU data transfers
- Although the committee supports maintaining unhindered and uninterrupted data flows post-Brexit, the UK government needs to provide more detail on achieving delivery.
- Any post-Brexit arrangement that leads to friction around UK-EU data flows could pose a non-tariff barrier to trade, putting the UK at a competitive disadvantage.
- The UK should pursue adequacy decisions to facilitate cross-border data flows with the EU. The adequacy decision would show that the UK’s data protection rules offer an equivalent standard of protection to that available within the EU.
- An adequacy decision should be sought under Article 45 of the GDPR. This is the most practical and straightforward option. However, it was queried whether the UK would be able to achieve adequacy in light of national security concerns.
- Standard contractual clauses were considered but it was concluded that they would be less effective and would put UK firms at a competitive disadvantage.
- Binding Corporate Rules (BCRs) were also an option. BCRs allow a multinational company, or a group of companies, to transfer data from the EU to their affiliates outside the EU. It was considered that BCRs would take too long and would be impractical for SMEs.
- Data sharing is important to police and security co-operation, for example access to databases such as the Schengen Information System and the European Criminal Records Information System.
- An adequacy decision should be sought under Article 36 of the PCJ Directive. If there is no adequacy decision, the UK could seek a new treaty arrangement. The government should also put in place transitional arrangements to cover the gap between leaving the EU and obtaining an adequacy decision.
- Bilateral agreements with EU member states and trade agreements were also options but it was concluded that these would hinder data flows and overly complicate data transfers.
UK – US data transfers
- The EU-US Umbrella Agreement will cease to apply post-Brexit.
- The UK could get an adequacy decision for the UK as a third country but the EU may also require that the UK demonstrate that it has arrangements in place with the US that give the same level of protection as the Privacy Shield and the Umbrella Agreement.
UK data protection policy after Brexit
- Post-Brexit, the UK will need to continue to align its domestic data protection rules with any changes in EU data protection laws. Any changes would potentially alter the standards which the UK would need to meet to maintain an adequate level of protection.
- Under the GDPR, controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK. This means that UK businesses that handle EU data will be affected.
- The GDPR allows the UK to carve out and develop its own policies, for example in relation to children and the age of consent, but within the overall framework of the GDPR.
- The UK government should consider how best to retain UK influence, such as securing a continuing role for the UK Information Commissioner’s Office on the European Data Protection Board.