Accepting the jurisdiction of the Court of Justice of the EU (CJEU) to shape data protection law in the UK could help the country retain an element of influence over how data protection law develops and is enforced in Europe post-Brexit, the Exiting the European Union (Brexit) Committee has suggested in a new report.
The UK government has said that it is seeking a bespoke agreement on data protection with the remaining 27 EU member states to account for Brexit. The UK's proposals would go beyond "the standard adequacy approach" that the EU has adopted with 'third' countries for ensuring the free flow of personal data to those locations, and further provide for an "appropriate ongoing role" for the UK's data protection authority, the Information Commissioner's Office (ICO), on the European Data Protection Board (EDPB), and the ICO's participation in the EDPB's 'one stop shop' framework for resolving data protection disputes of a cross border nature.
The agreement could also include "amendment, dispute resolution and termination provisions" – the UK government has previously said that the direct jurisdiction of the CJEU in the UK will end at the point of Brexit, although it has accepted that UK legislation and case law could still be influenced by rulings of the EU court.
However, in May, the EU27's chief Brexit negotiator, Michel Barnier, rejected the UK's proposal.
The Brexit Committee said, though, that if the UK government changed its stance on the CJEU's jurisdiction it could cause the EU to reconsider its position on UK membership of the EDPB and participation in the 'one stop shop'.
"The EU appears to consider the UK proposals to be an attempt to retain influence on the EU regulatory regime from the position of a third country," the Brexit Committee said. "The UK should accept, to increase the prospects of securing the prime minister’s objectives of continuing membership by the information commissioner on the European Data Protection Board and representation under the European one-stop shop, that the CJEU will continue to have jurisdiction over aspects of data protection law in the UK after exiting the EU."
The Brexit Committee also urged the UK government to prioritise obtaining an 'adequacy decision' from the European Commission rather than pursuing a bespoke agreement on data protection.
EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). One way in which organisations can transfer personal data outside of the trading bloc is where they do so to a country that benefits from a so-called 'adequacy decision' of the European Commission.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be automatically compliant with EU data protection laws. Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.
"Following the passage of the Data Protection Act, the UK’s data protection law will be aligned with EU law on the day the UK leaves the EU," the Brexit Committee said. "As a result, the UK will be in a very strong position when it seeks a declaration of essentially equivalent data protection. However, it is seeking an unprecedented agreement which will be subject to negotiation."
"The UK government should be preparing for the adequacy process and ensuring that there is no risk of a gap in legal provision for transferring data between the UK and the EU after December 2020 [the proposed end of the Brexit transition period]. This would have serious implications for businesses and consumers on both sides. The UK government needs to establish with the Commission whether it is possible for the adequacy process to be initiated before the UK leaves the EU and, if so, to initiate the process without delay. It needs to provide concrete assurances that data will be able to flow between the UK and the EU after December 2020 on the same terms as now," it said.
"Beyond this, the UK should explore the possibility of negotiating a bespoke agreement with the EU allowing much closer cooperation in data protection and data sharing which once achieved could replace the third party arrangements conferred by a simple adequacy decision," it said.
Other mechanisms for businesses to transfer personal data outside of the trading bloc to countries that do not benefit from an adequacy decision are provided for in EU law. However, the Brexit Committee described these options are "unsatisfactory".
It said: "The alternative legal processes for enabling data transfers, such as standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms, are unsatisfactory substitutes for an agreement that data protection rules in the UK are essentially equivalent to that of the EU. Such alternatives would represent a considerable change from the status quo, would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses."