On 24 August 2017, the UK Department for Exiting the European Union published its position paper ‘The Exchange and Protection of Personal Data – A Future Partnership Paper’. The position paper outlines the importance of maintaining the free flow of personal data between the remaining EU Member States and the UK post-Brexit. The importance of a ‘new, deep and special partnership’ between the EU and the UK is highlighted throughout the position paper, and it is acknowledged that a key consideration in the development of such a relationship is the General Data Protection Regulation (the ‘GDPR’). The GDPR will dramatically alter the protection of data across EU Member States when it enters into force on 25 May 2018. Given the present timeline for the UK’s departure from the EU, the GDPR will enter into force ahead of the UK’s departure.
The position paper sets out that the UK intends to introduce a Data Protection Bill which will implement the GDPR. The GDPR has European Economic Area (the ‘EEA’) relevance and the UK will need to fully adopt the GDPR should it intend to join the EEA following its departure from the EU. The UK government published its Statement of Intent on the Bill on 7 August 2017, which sets out the parameters of the Data Protection Bill in more detail. The document outlines that while the UK government will implement the GDPR, it fully intends to exercise the available derogations in the GDPR. While it is clear that the UK government will endeavour to introduce domestic legislation which is GDPR compliant, the position paper suggests that maintaining UK interests will be a key concern.
It is stated that at the point of the UK’s exit from the EU, the ‘UK’s domestic data protection rules will be aligned with the EU data protection framework’. The position paper notes that new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed. The UK government intends to build on the existing adequacy model, focusing in particular on regulatory co-operation and ensuring certainty and stability.
- Regulatory co-operation
The position paper acknowledges that the GDPR will continue to apply to UK businesses offering goods or services to individuals in the EEA. The UK government envisages that a new relationship between the UK and EU could enable an ongoing role for the UK’s Information Commissioner’s Office (the ‘ICO’). It is hoped that the ICO will be allowed to continue to share ‘resources and expertise’ with EU Data Protection Authorities. It remains to be seen whether the EU Member States would be willing to allow a relationship whereby resources and knowledge are shared while the UK remains autonomous in terms of its data protection.
- Certainty and stability
The UK government highlights that it would be in the interest of both the UK and EU to agree early in the process to ‘mutually recognise each other’s data protection frameworks’. The position paper calls for an ‘agreed negotiation timeline’. The position paper also identifies as a key concern ensuring that the flows of data between the UK and third countries with existing EU adequacy decisions can continue.
Existing EU processes
The position paper outlines the current ‘adequacy’ arrangement whereby the European Commission can formally accept the data protection system of a country outside of the EU as being of an ‘adequate’ level. Should the UK obtain such a determination, any barriers to the transfer of personal data between the UK and the remaining EU Member States would be removed. It is noteworthy that a finding of adequacy is difficult to obtain and, at present, there is no guarantee that it will be forthcoming from the European Commission post-Brexit.
The position paper notes that ‘any disruption in cross-border data flows would be economically costly to both the UK and the EU’. It is clear that maintaining the free flow of personal data between the UK and the EU would be economically beneficial for both the UK and remaining EU Member States. While the position paper suggests that the UK government will endeavour to draft domestic legislation which is GDPR compliant, the envisaged ‘adequacy’ determination is not guaranteed. As with all matters Brexit, watch this space!