On 24 August 2017, the UK government published the latest of a series of position papers related to the future relationship between the European Union (the “EU”) and the UK after Brexit. The paper proposes a future partnership between the UK and the remaining 27 Member States with respect to the exchange and the protection of personal data.
While the UK remains a member of the EU, personal data can flow freely between organisations located in the UK and the rest of Europe. However, many businesses are concerned about whether and how this flow of personal data will continue following the withdrawal of the UK from the EU.
The UK government’s paper analyses the current EU and UK data protection frameworks and sets out the UK government’s priorities in building a future EU-UK partnership. This document follows the announcement by the UK government of a new Data Protection Bill which, once passed, will replace the current Data Protection Act 1998. The Data Protection Bill will implement the EU General Data Protection Regulation (the “GDPR”) into UK law. According to the UK government, the Data Protection Bill will ensure that the UK’s legal framework for data protection is aligned with the new EU data protection standards under the GDPR (at least upon its inception). The new bill will introduce, inter alia, stricter standards for consent, new powers for the ICO (the UK Data Protection Authority), and enhanced rights for data subjects.
After its withdrawal from the EU, the UK will be considered to be a non-EU country. This means that companies located in the EU that transfer personal data to the UK will, unless the EU Commission decides the UK has an adequate data protection regime, have to rely on a data transfer mechanism to transfer personal data from the EU to the UK. Data transfer mechanisms provided by the GDPR include, among other methods, Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”). While the SCCs are adopted by the EU Commission and are signed by two companies for the purpose of sending personal data out of the EU, BCRs are legally binding arrangements which can be used within a group of undertakings.
As mentioned above, the EU Commission has the power to determine that a third country guarantees an adequate level of protection for personal data. Specifically, the EU Commission can adopt a so-called “adequacy decision” which enables the free flow of data between the EU and a third country. In this case, companies are allowed to transfer personal data to recipients in the relevant third country without the need to sign specific agreements such as the SCCs. The EU Commission has already adopted 12 adequacy decisions which include, amongst others, countries such as Argentina, Brazil, Israel, Switzerland and New Zealand.
In order to adopt an adequacy decision, the EU Commission will examine the third country’s domestic data protection legislation and its compliance with relevant international standards and assess whether that country ensures standards of protection which are essentially equivalent to those in force in the EU.
The UK position paper identifies an adequacy decision as the best way to ensure a stable EU-UK model for continuing the exchange of personal data post-Brexit. According to the UK government, an adequacy decision would allow co-operation between the EU and the UK regulators, especially in law enforcement matters, and would ensure trust for consumers and a stable legal framework for businesses.
It remains to be seen, in practice, how UK-based entities will continue to transfer personal data to EU countries post-Brexit.
From a UK perspective, the future EU-UK model for exchanging and protecting personal data will aim at: (a) maintaining the free flow of data between the EU and the UK; (b) ensuring stability for businesses, public authorities and citizens; (c) ensuring co-operation between regulatory authorities; (d) protecting the privacy of individuals; (e) avoiding unnecessary costs and burdens for companies; and (f) respecting UK sovereignty.
The UK paper identifies that placing restrictions on the free flow of data between the remaining 27 Member States and the UK would be harmful to their respective economies and requests the EU Commission to “agree early in the process to mutually recognise each other’s data protection frameworks”.
Without an adequacy decision from the EU Commission, post-Brexit, businesses will need to develop alternative mechanisms (such as by adopting agreements based on the SCCs) or restructure parts of their data processing activities to enable the transfer and use of personal data between the UK and Europe to continue in compliance with EU data protection law.