Data protection is an issue which affects nearly all businesses.
Any organisation that handles, processes, or stores the personal data of an EU resident is covered by the EU Data Protection rules. The issue of how this will continue post-Brexit is important not only for UK companies, but also for multinationals who have operations in the UK.
The business community has not been shy about voicing its concerns on this topic, calling on the UK government to secure data protection adequacy status as soon as possible.
Data adequacy is granted when the European Commission is satisfied that a territory outside the EU has data protection laws and practices that are aligned to the high standards set by the EU.
There are currently ten countries in the world that have been granted adequacy status. The USA and Canada have been deemed to be partially adequate, and data sharing with the USA is governed by the Privacy Shield agreement.
The UK government has taken some welcome steps forward in clarifying its position. The Data Protection Bill published over the summer will bring into force the EU’s General Data Protection Regulation, bringing UK legislation in line with that of the EU.
In addition, the UK government has issued its own paper on plans for a data sharing agreement with the EU. Noting that it already complies with EU data protection laws, it says it is starting from what it describes as an ‘unprecedented position’, and argues that the ‘future deep and special partnership between the UK and the EU could productively build on the existing adequacy model’.
The paper points to the UK’s position as a major player in global data flows, accounting for 11.5 per cent of global cross-border data flows in 2015.
It also estimates that 75 per cent of the UK’s cross-border data flows are with EU countries. The paper states that any disruption in cross-border data flows would therefore be economically costly to both the UK and the EU.
The UK government has three goals for a data sharing agreement with the EU:
- The UK’s data protection law fully implements the EU framework, and this will remain the case at the point of exit from the EU. On this basis, the government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU and other EU adequate countries and the UK from the point of exit, until new and more permanent arrangements come into force.
- Early certainty around how current provisions could be extended, alongside an agreed negotiating timeline for longer-term arrangements, should assuage business concerns on both sides and should be possible given the current alignment of both data protection frameworks, it argues.
- As well as ensuring that data flows between the UK and the EU can continue freely, the UK also wants to make sure that flows of data between the UK and third countries such as the USA, with existing EU adequacy decisions, can continue on the same basis after the UK’s withdrawal, given such transfers could conceivably include EU data.
Questions remain on some key issues, such as the application of the rulings of the ECJ on data protection cases, and the status of the UK’s Investigatory Powers Act, which fell foul of a recent ECJ ruling.
If the UK enforces this Act post-Brexit, the European Commission may feel that it cannot grant a declaration of adequacy.