EU officials said earlier this year that, unless an agreement is reached on transitional arrangements in the interim, businesses will no longer be able to automatically transfer personal data to the UK from 30 March 2019 and be sure that those arrangements comply with EU data protection laws.
One way in which personal data could continue to flow freely between the EU and UK post-Brexit is if the European Commission designates the UK's data protection framework as providing for adequate protection of personal data. To issue a so-called 'adequacy decision', the Commission would have to be satisfied that the UK's data protection standards are essentially equivalent to those that apply within the EU.
UK digital minister Matt Hancock has previously explained that the UK is seeking "an enhanced mechanism" beyond the adequacy decision model that will provide for the continued flow of personal data between the UK and remaining EU countries post-Brexit.
In its report, however, the Home Affairs Committee said that it is concerned the UK government "is not yet engaging sufficiently with the implications of an EU data adequacy assessment, nor preparing properly for such an assessment to take place".
The committee said evidence suggests that the UK may not benefit from an EU adequacy decision before the proposed end date of the Brexit transition period in December 2020.
"We have serious concerns about the number of potential obstacles to the UK achieving an EU adequacy decision within two years," the committee said. "The government’s position – that the UK’s current compliance with EU data protection law should enable consistency after Brexit Day – takes no account of the different rules governing third countries’ access to EU data. At best, this response is evasive; at worst, it suggests that the government is worryingly complacent about the UK’s future access to EU data."
"The government must make necessary preparations for a long-term adequacy decision as early as possible in the Brexit process, to ensure that UK law enforcement authorities do not face a ‘cliff-edge’ in their ability to exchange data with their EU counterparts," it said.
The committee said "substantial contingency planning" should be undertaken to allow for the possibility that an arrangement on future data flows is not reached in line with the UK's objectives, or is not reached until after the Brexit transition period has passed.
"The government should be carrying out an impact assessment, in conjunction with the EU, of the consequences of failing to find a resolution to this important issue," it said.
In its report, the committee also called on the government to incorporate fundamental EU principles on the protection of personal data into UK data protection laws. Doing so could help the UK to obtain an EU adequacy decision, it said.
The committee said that, as part of considering the UK's 'adequacy' on data protection matters, EU officials at the European Commission are likely to scrutinise the "Five Eyes intelligence-sharing capabilities". Those capabilities refer to data sharing between the UK, US, Australia, Canada and New Zealand.
"We recommend that the government works proactively with EU institutions to ensure that the UK’s onward data transfer regime to the USA and other Five Eyes countries allows both for an EU adequacy decision and for the continuance of the existing Five Eyes relationship," the committee said. "We urge the EU to recognise the value of these parallel security relationships, and to work flexibly to come to an agreed solution."
The committee also said the UK's data protection framework will continue to be influenced by EU data protection law and rulings of the Court of Justice of the EU (CJEU) post-Brexit, and that the government as a result should not insist that the CJEU has no jurisdiction under any new security treaty.