In February this year, the UK Government published a white paper outlining its approach to the on-going negotiations on exiting the European Union (“EU“). In response, the House of Commons Exiting the European Union Committee (“the Committee“) has issued a report on the Government’s negotiation strategy which, inter alia, supports the Government’s intention to ensure the uninterrupted flow of personal data between the UK and the EU, by retaining the same data protection standards as the EU.
The Committee’s report recognises that many parts of the UK economy are heavily reliant on the stability of cross-border data flows. During a roundtable held by the Committee, with representatives of the digital and tech sector in London in January 2017, the need to ensure uninterrupted data flows between the UK and the EU following Brexit was a common priority. The Committee emphasised the importance of the Government protecting uninterrupted data flows between the UK and the EU, by securing a data adequacy agreement with the EU before the aforementioned negotiations conclude.
EU rules support data sharing between Member States, outlining the rights of EU citizens and the obligations to which companies must adhere when processing and transferring their data. The Committee acknowledges that, while there is a ‘strong operational argument’ for the UK to retain unimpeded access to EU data, the extent to which this proposition materialises will depend on the UK’s commitment to ensuring that its data protection provisions remain aligned with those of the EU, and what arrangements can be agreed around the databases. It is suggested that the level of access ultimately agreed may not equate to the level currently enjoyed within the EU.
According to teckUK, the trade association for the digital sector, in its report on The UK Digital Sectors after Brexit:
‘Failure to secure adequacy may force the “localisation” or redirection of data flows on EU citizens (that requires storage and/or processing outside the UK), risking fragmented communications links and data flows between the UK and European partners. In addition, many UK businesses will need to implement costly alternative legal mechanisms, many of which are subject to ongoing legal challenge and uncertainty. Continued uncertainty over EU–UK data flows could also see companies restrict the amount and type of data processed in the UK. Such an outcome could impact data infrastructure and in particular data centres in the UK, which are among the region’s and the world’s most active.’
It will ultimately be for the EU Commission to decide whether UK law and its enforcement is adequate once the UK leaves the EU. An adequacy decision allows personal data to flow from the EU to a third country without further safeguards, which is important for enabling the import and export of data. Currently, UK overseas territories such as the Isle of Man, Jersey and Guernsey are countries which benefit from such a decision. Understandably, businesses want confirmation of the Government’s approach prior to the UK’s exit, in order to maintain business certainty. Should the UK fail to secure an adequacy decision, the Committee’s report suggests that its competitiveness and attractiveness as a destination for investment may diminish, if all sectors of the UK economy are unable to rely upon international data flows between the UK and the EU.
The UK will almost certainly still be a Member State in May 2018 when the General Data Protection Regulation (“GDPR“) comes into force. The Government’s white paper provides a strong indication that the UK will not deviate significantly from the GDPR standards following its exit from the EU, at least in the medium term. Adopting standards which mirror, or are closely aligned with those of the EU, could make an adequacy decision regarding UK law more likely following Brexit, but not necessarily certain.
James Clark, Associate and Elinor Cavil, Vacation Scheme Student, DLA Piper UK LLP
On March 21, 2017, senior representatives of the Office of the Privacy Commissioner of Canada (OPC) met with privacy practitioners to provide updates on policy, legal, compliance and enforcement activities of the OPC. The information disseminated at this annual meeting is important to all businesses collecting personal information of Canadians for two reasons:
- It highlights what the OPC believes to be its most significant actions from the prior year; and
- It signals the policy and enforcement priorities of the OPC for the current year.