UK seeks early 'adequacy decision' from the EU over post-Brexit data transfers

The move would give businesses certainty future personal data transfers between the UK and EU, it said in a new 'future partnership' paper outlining its proposed approach to the exchange and protection of personal data post-Brexit (15-page / 262KB PDF).

"Given that the UK will be compliant with EU data protection law and wider global data protection standards on exit, and given the important role of continued regulatory cooperation as part of a future economic relationship, the UK believes that a UK-EU model for exchanging and protecting personal data could provide for regulatory cooperation and ongoing certainty for businesses and public authorities," the government said. "This could build on the existing adequacy model."

"The UK’s data protection law will fully implement the most up-to-date EU framework, and this will remain the case at the point of the UK’s withdrawal from the EU. On this basis, the government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and UK from the point of exit until such time as new and more permanent arrangements come into force," it said.

"Early certainty around how we can extend current provisions, alongside an agreed negotiating timeline for longer-term arrangements, will assuage business concerns on both sides and should be possible given the current alignment of our data protection frameworks," the government said.

Current UK data protection laws in force are drawn from the EU's Data Protection Directive. That Directive will be replaced by the General Data Protection Regulation (GDPR) when it begins to apply in May 2018. The GDPR was finalised last year, and the UK government has confirmed that the new Regulation will be applied in the UK despite the country's move towards Brexit.

The UK government is expected to publish a new Data Protection Bill in September to update existing legislation and align with the GDPR. It published a statement of intent in respect of the contents of the Bill earlier this month. Amongst other things, the statement of intent confirmed the government's intention to draw up new rules on processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA).

One way in which organisations can transfer personal data outside of the trading bloc is where they do so to a country that benefits from a so-called 'adequacy decision' of the European Commission.

Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be automatically compliant with EU data protection laws. Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.

Other mechanisms for businesses to transfer personal data outside of the trading bloc to countries that do not benefit from an adequacy decision are provided for in EU law. These include inserting model clauses into contracts to stipulate conditions over the handling of personal data when transferred outside of the EU.

However, in its paper, the UK government said "simply extending these provisions or establishing new ones to cover personal data transfers between the UK and the EU would be more burdensome for businesses and public authorities in both the UK and the EU".

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said a new EU-UK model for exchanging and protecting personal data could take a form similar to the existing EU-US Privacy Shield, which facilitates and governs data transfers from the EU to the US to US-based businesses that self-certify to a range of privacy principles.

Scanlon said a third option, which may be more attractive to UK ministers, would be for the UK and EU to agree a bespoke framework to facilitate the transfer of personal data between the two jurisdictions. He said an UK-EU data transfers framework could work in a similar way to the EU-US Privacy Shield that already applies.

Scanlon said: "The EU is world renowned for its detailed controls over the transfer of personal data outside of the European Economic Area (EEA). The continued exchange of data across the EEA from the UK needs to be seamless post-Brexit to give comfort and confidence to all businesses who engage with the EU market."

"Given that the EU has agreed to a bespoke arrangement with the US, there is good reason for the UK, given its current status as an EEA member, to go after an arrangement that has its own unique features like the Privacy Shield does – the main feature being ensuring that privacy standards are held at the same high level both for the UK and the EEA," he said.

In its paper, the government acknowledged that UK businesses and public authorities "may still be required to meet GDPR standards for their processing of EEA personal data" post-Brexit.

It also outlined its ambition for the UK's data protection watchdog, the Information Commissioner's Office (ICO), to play a "continued role" in "EU regulatory fora".

"A continued role for the ICO will support cross-border business and activity between the UK and the EU by promoting a common understanding of the regulatory challenges and issues faced by businesses, the public sector and individuals," the government said. "The UK would be open to exploring a model which allows the ICO to be fully involved in future EU regulatory dialogue. An ongoing role for the ICO would allow the ICO to continue to share its resources and expertise with the network of EU data protection authorities, and provide a practical contribution at EU level which will benefit citizens and organisations in both the UK and the EU."