The free movement of personal data within the EEA is a cornerstone of the Single Market – crucial to businesses and consumers operating in the EEA and more important than ever in our increasingly globalised digital economy.
The UK government has confirmed that, should the Conservatives be re-elected in the UK general election, the UK will not be seeking membership of the Single Market as part of its Brexit negotiation strategy. It will be pursuing instead a new strategic partnership with the EU, which, on the face of it, would be incompatible with continued UK membership of the EEA or the EFTA.
So how can the UK successfully concede membership of the Single Market without affecting the frictionless free movement of personal data between the EEA and UK? What are the key challenges it is likely to face? Comments in the UK government’s white paper on principles underpinning its Brexit negotiation strategy and from Matt Hancock MP shed some initial light on how the UK government intends to tackle these issues.
The key messages:
- Continue business as usual – at least in the short term, Brexit should not raise any barriers to personal data flows between the UK and the EEA.
- Identify data flows, particularly EEA-UK data transfers – businesses will not be able to address potential changes to EEA-UK data transfers without a clear picture of how personal data flows through their organisations. Many businesses will already be mapping data flows as part of compliance projects for the EU General Data Protection Regulation (GDPR), which will apply across the EU, including the UK, from 25 May 2018. For those who haven’t started to prepare for the GDPR yet, our message is: don’t panic yet, but the sooner you can start, the better. For more information on how to prepare for the GDPR see our detailed guide and infographic.
- Approach data protection policies and procedures across the EEA consistently, especially if your business is global – it will be easier for businesses to tackle changes to EEA-UK data transfers from a starting position of harmonisation across the EEA.
- Assess flexibility in key contractual data processing provisions – check the level of flexibility provided by your key existing (and future) contracts (particularly those involving net EEA-UK data exports). Do they enable you to introduce alternative compliant data transfer provisions?
How would the UK’s departure from membership of the Single Market affect EEA-UK personal data flows?
Current and future EU data protection laws are, by default, designed to ensure the free movement of personal data: (a) between EU member states; and (b) between EU member states and European Economic Area (EEA) states that are not members of the EU (Iceland, Norway and Liechtenstein), but that are bound to comply with certain fundamental EU rules and restrictions in return for being included in the Single Market. Those laws restrict the transfer of personal data to “third countries” outside the EEA without adequate protections in place – the theory being that the fundamental privacy rights of citizens in the EEA could be eroded or bypassed when personal data is transferred outside the EEA “border” without adequate safeguards.
The UK will be regarded as a “third country” for data protection purposes under any Brexit model in which it falls outside of the EEA. Consequently, businesses would be restricted from transferring personal data from the EEA to the UK unless:
- the European Commission has deemed the UK to offer “adequate protection”;
- an EU-US Privacy Shield-style arrangement is agreed between the UK and the European Commission; or
- the business uses some other form of transfer mechanism in the same way as is currently permitted by the EU Data Protection Directive (e.g. standard contractual clauses).
In evidence from Matt Hancock MP – Minister of State for Digital and Culture, Department for Culture Media and Sport – to the EU Home Affairs Sub-Committee on 1 February 2017 (full recording available here) and in the UK government’s official white paper, setting out its plans for Brexit negotiations, the UK government confirmed that:
- it would aim to ensure that any new strategic partnership with the EU, including “an ambitious and comprehensive Free Trade Agreement” would “take in elements of current Single Market arrangements in certain areas” (which presumably could include free movement of personal data);
- it recognises the importance of the stability of EEA-UK data transfers for many sectors and that maintaining frictionless data flows between the EEA and UK is a core goal for the UK government in the Brexit negotiation process;
- implementing the GDPR fully into UK law so that it is harmonised with the European legislation is a key way that the UK can “maximise the ease” with which it can negotiate uninterrupted and unhindered EEA-UK data flows post-Brexit;
- it does not foresee any significant changes being made to UK data protection laws once the UK leaves the EU;
- it is aware of the European Commission’s ability to recognise data protection standards in third countries as being “essentially equivalent” to those in the EU; and
- whilst Brexit negotiations have yet to begin, it is unable to give any further details of what other arrangements the UK might put in place to ensure the seamless flow of personal data between the UK and EEA post-Brexit (including whether it will pursue an ‘adequacy decision’ or adopt another method to ensure the unhindered flow of personal data, presumably some sort of EU-US Privacy Shield-style or similar arrangement).
The success of the UK government’s Brexit discussions around data transfers will ultimately hinge on the UK securing a suitable solution to legitimise data transfers from inside the EEA to the UK. An adequacy decision from the European Commission would be a particularly attractive solution for the UK government, not least because it would allow personal data to flow freely between the EEA and the UK without any further safeguards. Under this solution, the UK would join an eclectic mix of “white listed” countries including Andorra, Argentina, Australia, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and the Eastern Republic of Uruguay.
However, the UK government is likely to face a number of political, legal and procedural challenges in securing an adequacy decision or alternative long-term data transfer solution (presumably some sort of EU-US Privacy Shield style arrangement). This is despite the UK’s close historical association with strict EU data protection laws, the UK government’s intention to implement the GDPR in the UK from 25 May 2018 and the UK data protection regulator’s public commitments to taking an active role in ensuring UK adequacy. The challenges could include the following:
- an adequacy decision will rely heavily on political will and will therefore be linked to the outcome of Brexit negotiations, and the tone of the negotiations themselves;
- a limited number of countries have obtained an adequacy decision – tellingly these do not include any of the key trading partners of the EU such as China, Japan, Russia and India;
- in light of the Schrems decision – in which the Court of Justice of the European Union overturned an assessment by the European Commission of the adequacy of the EU-US transfer mechanism known as Safe Harbor – the European Commission is likely to be particularly cautious and keen to ensure that its future adequacy decisions do not prove vulnerable to the same challenge;
- a particularly detailed and protracted assessment of the rule of law, access to justice and standards is therefore a strong possibility. Historically, adequacy decisions have taken months, if not years, and any assessment would need to be further revised on a regular basis. For example, “adequacy” proposals commonly involve (among other procedural hurdles) approval from the “Article 31 Committee” and College of Commissioners. They can also be amended or withdrawn at any time – indeed GDPR provides for periodic reviews of each decision, at least every 4 years;
- unless the UK implements the GDPR in such a way that UK data protection laws and the practice designed to ensure compliance with those rules are “essentially equivalent” to those set out under EU law, the chances of an adequacy decision for the UK will be prejudiced;
- the UK might be impeded by its track record of consistently having implemented key provisions of the European data protection laws in a more pragmatic and business-friendly way than most EU Member States. This might, in practice, place obstacles in the path of persuading a post-Brexit European Commission to accept that the UK already has “adequate” data protection laws; and
- another threat to an adequacy decision comes from the broad scope of the UK Government’s surveillance powers. In particular, mounting concerns have been raised about the enhanced powers and access to personal data conferred on UK government agencies under the Investigatory Powers Act 2016, which overhauled the previous regime. To the extent that they could be seen as allowing UK Government interference with the protections afforded to EU citizens, these powers risk exposing the UK to the same challenges faced by the US in negotiating the EU-US Privacy Shield. The UK may face an uphill struggle in convincing an already vigilant European Commission that these new UK powers would not jeopardise the essential equivalence between UK and EU data protection in any post-Brexit model.
When will we know more?
Following the UK general election on 8 June, formal talks between the UK and the EU are due to start on 19 June. However, while the UK government has said that it wants to negotiate the future UK/EU relationship at the same time as its exit arrangements, the EU is adamant that the first phase of talks will be solely about the UK’s exit. Only when “sufficient progress” has been made on exit arrangements does the EU want to discuss the future relationship.
It may, therefore, be some time before we get any certainty on what arrangements might be put in place to preserve EEA-UK data transfers. Until then, the key messages that we outline above will help you to ensure that any friction that is introduced into the data transfer regime does not bring your data flows to a halt.