In a new report, a House of Lords committee warned that trade and security could be impacted if the flow of data is disrupted at the point of Brexit.
To enable data to flow between the UK and EU post-Brexit, the EU Home Affairs Sub-Committee urged the UK government to seek a so-called 'adequacy' decision from the European Commission, which would recognise the UK's data protection regime as essentially equivalent to the EU's.
However, the Committee noted that the UK would have to leave the EU before it could obtain an adequacy decision and so called for the UK to ensure transitional arrangements are in place at the point of Brexit.
"Adequacy decisions can only be taken in respect of third countries, and there are therefore legal impediments to having such decisions in place at the moment of exit," the Committee said. "In the absence of a transitional arrangement, this could put at risk the government’s objective of securing uninterrupted flows of data, creating a cliff-edge. We urge the government to ensure that any transitional arrangements agreed during the withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK."
"In the absence of such transitional arrangements, the lack of tried and tested fall-back options for data-sharing in the area of law enforcement would raise concerns about the UK’s ability to maintain deep police and security cooperation with the EU and its member states in the immediate aftermath of Brexit. The need for transitional arrangements also extends to the commercial sector. Although there are alternative mechanisms to allow data to flow out of the EU for commercial purposes, these are sub-optimal compared to an adequacy decision, and may not be available to some types of companies, for instance small companies or those dealing directly with consumers," it said.
The Committee also noted that some of the legal mechanisms that businesses currently rely on to support the transfer of personal data outside of the EU, such as model contract clauses, are "subject to legal challenge". This underlines "the need for a transitional arrangement", it said.
In its report, the Committee said an adequacy decision "would provide the least burdensome and most comprehensive platform for sharing data with the EU, and offer stability and certainty for businesses, particularly SMEs", post-Brexit. It said, though, that the UK could be forced to separately agree arrangements for protecting personal data when transferred from the UK to the US in order to gain an adequacy decision from the European Commission.
"The EU-US Privacy Shield and the EU-US Umbrella Agreement will cease to apply to the UK post-Brexit," the Committee said. "Because of EU rules for onward transfers, securing unhindered flows of data with the EU may require the UK also to demonstrate that it has put arrangements in place with the US that afford the same level of protection as the Privacy Shield and the Umbrella Agreement. As regards data-sharing for commercial purposes, we note the approach taken by Switzerland, which has secured both an adequacy decision from the EU and a mirror of the Privacy Shield agreement with the US."
The Committee's report also looked ahead to potential divergences between EU and UK data protection law in future. The UK government has already said that the EU's General Data Protection Regulation (GDPR) will apply in the UK, as in the rest of the EU, from 25 May 2018. After Brexit, however, the UK could find itself forced to follow future updates to EU data protection laws to "maintain an adequate level of protection" and so retain any adequacy decision granted to it, the Committee said.
The Committee said that the UK "could find itself held to a higher standard as a third country than as a member state" in that situation because the UK will lose the "national security exemption" it currently has in EU law when it leaves the EU.
Data protection law expert Kristina Holt of Pinsent Masons, the law firm behind Out-Law.com, said that, after Brexit, the UK is likely to be in a similar position to the one the US is in at the moment in terms of having to negotiate a new deal with the EU for data sharing between law enforcement and security agencies. New UK surveillance laws finalised last autumn are also likely to be the subject of legal challenge, she warned.
To continue to exert influence over EU data protection policy in future, the UK government should strive to ensure that the UK's data protection watchdog, the Information Commissioner's Office (ICO), retains its position on the European Data Protection Board (EDPB) post-Brexit, the Committee said.
The EDPB will replace the existing committee of data protection authorities from across the EU, the Article 29 Working Party, when the GDPR takes effect. It has defined supervisory and enforcement duties under the new Regulation.
The UK government should also look to "influence the development" of any new international treaty on data protection that "could emerge as the end product of greater coordination between data protection authorities in the world’s largest markets", the Committee said.
"Given the relative size of the UK market compared to the EU and US markets, and its alignment with EU rules at the point of exit, the government will need to work in partnership with the EU to achieve that goal – again underlining the need to adequately replace existing structures for policy coordination," it said.