Delphotostock - Fotolia
Although the standard adequacy approach is an effective means of ensuring free flow of data from the EU to third countries, it would not reflect the breadth and depth of the UK-EU relationship, according to the latest proposals published by the UK Brexit negotiating team.
While the adequacy approach is informing the UK’s negotiations on the withdrawal agreement, the proposal states this approach would not enable national data protection authorities to cooperate effectively to enforce data protection principles.
“We therefore believe a new model would better deliver both UK and EU interests, and could provide more stability and certainty as an agreement between governments,” the proposal states.
The UK is therefore proposing a new agreement between the EU and UK that builds on standard adequacy to “better deliver” on shared interests and provide UK and EU citizens with greater confidence in data protection rules and standards.
In addition to maintaining the free and unhindered flow of personal data and offering enhanced stability and confidence for individuals, businesses and public authorities, the agreement should reassure citizens that their personal data is subject to robust protection and should not impose unnecessary additional costs to businesses.
It should also provide for the ongoing regulatory cooperation between the EU and the UK on current and future data protection issues to ensure the framework “effectively meets the needs of our unique relationship”, the proposal states.
Read more about GDPR
- Use GDPR to propel business forward, says ICO.
- One month to GDPR compliance deadline.
- The GDPR audit power is being outpaced by technological advances in data analytics, says ICO.
- GDPR focus shifts from the sanctions to the benefits.
- How to be prepared for GDPR by 25 May.
In particular, the proposal calls for an “appropriate role” for the Information Commissioner’s Office (ICO) on the European Data Protection Board and assurances for UK businesses and consumers that they are effectively represented under the EU’s one-stop-shop mechanism for resolving data protection disputes.
“The ICO is deeply committed and embedded in the EU regulatory community. And that is the message I’ve been giving to parliamentarians when giving evidence to committees looking at the implications of Brexit,” information commissioner Elizabeth Denham told the recent IAPP Data Protection Intensive conference in London.
The proposal notes that the ICO is the largest data protection authority in the EU, that it is recognised by other European data protection authorities as a well-resourced and highly valued centre of expertise, that it plays a “leading and inﬂuential” role in EU policy development, and is an is an eﬀective enforcer of EU rules, with a strong record of independence.
The UK negotiating team argues that the ICO’s continued role in Europe will benefit consumers and businesses in the EU and UK because it will bring its expertise, resource, experience and global influence to bear, it ensures a consistent approach to interpretation and implementation of data protection principles, it reduces the regulatory burden on businesses with UK and European operations, and it helps EU consumers bringing complaints against UK companies and protects the rights of individuals.
According to the document, the new agreement it outlines is a “pragmatic approach” that would reflect the UK and EU’s shared interests and unique relationship for mutual benefit.
A legally binding agreement would provide strong privacy protections for UK and EU citizens whose data flows between the UK and EU, underpin continued partnership on economic issues and security, provide greater certainty for consumers, businesses, law enforcement and other public authorities, and improve joined-up regulatory enforcement of data protection standards.
Data protection partnership
Antony Walker, deputy CEO at TechUK, said the tech industry association strongly supports the government’s proposal for a data protection partnership.
“TechUK has long argued that it is in the interests of both the UK and the EU to have continued alignment and a close relationship on data protection. The UK Data Protection Act 2018 has just received Royal Assent, demonstrating the UK’s commitment for close alignment with EU data protection rules,” he said.
The newly-enacted legislation will be the UK’s version of the EU’s General Data Protection Regulation (GDPR) as it applies to the UK and replaces the Data Protection Act 1998.
The government proposals make a “strong and compelling” case for why the UK and the EU should agree a close partnership on data protection, said Walker.
“Data flows are a vital underpinning of international trade in a global digital economy, and the continued free flow of data – via mutual adequacy agreements – between the UK and the EU post-Brexit is crucial for organisations of every size and sector,” he said.
“We encourage the EU to recognise the mutual benefits of a continued close relationship on data protection, and to commit to having those discussions now,” said Walker.