On 24 August 2017, the UK Government’s Department for Exiting the European Union published a future partnership paper outlining its proposal for a shared approach to data protection following Brexit. The paper represents a welcome initiative from the UK Government as it seeks to preserve the UK’s position, participation and influence in EU data protection fora and presents an argument for an early mutual recognition of data protection frameworks between the EU and UK to allow for the continued flow of personal data following Brexit. Whilst the themes of the paper are encouraging, it remains to be seen whether these new and innovative mechanisms will be accepted by the EU.
The future partnership paper begins by acknowledging the importance of cross-border data flows to:
- the UK and EU economies;
- the continued cooperation between the UK and EU including with respect to law enforcement; and
- providing confidence to data subjects regarding the security of their personal data.
The paper then summarises the UK’s involvement in the development of the current EU data protection laws, and emphasises that at the point of the UK’s exit from the EU, the UK’s data protection laws will be aligned with the EU data protection framework.
The paper’s main purpose is to set out the UK’s wish to allow continued free flow of personal data between the EU and the UK following Brexit. The proposal builds upon the adequacy model with two key enhancements. By way of background, the adequacy model is a mechanism that allows the European Commission to recognise a country outside the EU as having an adequate level of protection of personal data to allow data to flow from the EU to recipients in that country without additional safeguards such as contractual solutions to be put in place. The adequacy model is recognised in both the current Data Protection Directive and the new GDPR which will apply from May 2018.
The UK’s suggested enhancements to the adequacy model are:
1. Regulatory Cooperation
The future partnership paper proposes that following Brexit, the UK data protection supervisory authority, the ICO, would have an ongoing role in the EU regulatory fora. The paper highlights the important work that the ICO has undertaken in the practical application of EU data protection law to date, and suggests that an ongoing role for the ICO would allow the ICO to continue to contribute its resources and experience to the network of other EU data protection authorities. However the paper is light on how this might be achieved and there is no obvious mechanism in the GDPR for allowing such participation in fora such as the European Data Protection Board by the supervisory authority of a non-member state.
The commitment to regulatory cooperation is balanced by the statement that: “The UK Government will continue to have responsibility for the content and direction for the content and direction of data protection policy and legislation within United Kingdom”. Given the key role that supervisory authorities play in interpreting and applying data protection laws, and thereby establishing data protection policy, this statement is slightly at odds with the idea that the ICO will continue to have an active and cooperative role in the EU data protection fora. Presumably any cooperation will be two way, particularly if it involves a role in the GDPR’s consistency mechanism, so, to a significant extent, data protection policy in the UK will continue to be strongly influenced by activity at EU level and will not be the sole preserve of the UK Government.
2. Certainty and Stability
The recognition that the future partnership paper gives to the importance of providing certainty and stability to businesses regarding data flows between the UK and EU can only be welcomed. The paper proposes that the EU and UK work together to provide ongoing certainty to businesses and citizens that the laws relating to cross-border data flows between the EU and UK will not unexpectedly change. The UK proposes that:
- the UK and EU agree to an interim mutual recognition of each other’s data protection frameworks and such recognition be in place when Brexit occurs; and
- in parallel to the interim mutual recognition of data protection frameworks, a negotiating timeline for longer-term arrangements be agreed between the UK and EU so as to assuage any business concerns relating to future data flows
Although the paper doesn’t specifically say that the UK will be seeking an adequacy finding, it points strongly in the direction of an enhanced adequacy relationship. The paper contains both a detailed explanation of how the European Commission takes adequacy decisions and the UK’s argument for how it meets the test for an adequacy finding.
With respect to data flows between the UK and countries with existing EU adequacy findings, the future partnership paper states that the UK will liaise directly with those countries and seek to ensure that the flows of personal data to those countries can continue on the same basis following Brexit.
Whilst it is encouraging to see the UK’s proposals for EU-UK cross-border data flows following Brexit, the enhancements to the adequacy model suggested by the paper are ambitious and would require unprecedented arrangements being made for the UK. It remains to be seen how the EU will react to those innovative proposals and it may be they are too forward-thinking and untested. These issues will no doubt be considered as part of the broader Brexit discussions, and the associated political uncertainties mean that the final solution for the continued flow of personal data between the UK and EU will remain unclear for some time to come.