The UK’s Exiting the EU Committee has published a report on data flows and data protection. It proposes a pragmatic way forward, to try to solve the current impasse in negotiations.
Unsurprisingly, the report notes that the ability to move data between the UK and the EU is hugely important, particularly in the services industry - an area of comparative UK advantage. To put this in perspective, 75% of the UK’s cross border data flows are with EU countries.
The Committee recognises that the UK’s preferred approach is to seek a bespoke and legally binding agreement with the EU for data protection (see our previous report here), it recommends that the UK begins the process of applying for an ‘adequacy’ decision without delay. The EU Commission can declare non-EU countries’ data protection regimes ‘adequate’ - ie equivalent to the EU regime. If the Commission granted an adequacy decision for the UK, personal data could flow between the UK and the EU after Brexit as if the UK were still in the EU. But adequacy decisions are hard to get and are currently only held by a few countries, including New Zealand, Switzerland and Argentina. The US is a notable exception. Without a legally binding agreement or an adequacy decision, it would be very hard for businesses to transfer personal data between the UK and the EU on the same scale that exists today.
The Committee’s recommendation comes partly because the EU Commission’s current negotiating position is not to offer the UK a legally binding agreement. The Committee says that, although it hopes the Commission will change its mind, the UK should start its adequacy application soon because the process could take several years. The Committee recommends continuing to explore the possibility of a bespoke agreement, which could ultimately replace an adequacy decision.
The UK government’s preferred agreement would expand on the adequacy decision, bringing extra benefits like legal certainty and co-operation between data protection authorities. The government also wants the UK’s Information Commissioner to be part of the European Data Protection Board and the regulatory ‘one-stop shop’. The Committee concludes that, to increase the chances of all this being agreed, the UK would have to accept that the EU Court of Justice would continue to have jurisdiction over aspects of data protection law in the UK after Brexit. But that is - of course - likely to be a political sticking point for many.