UK calls for new data-sharing model with EU

Although the standard adequacy approach is an effective means of ensuring free flow of data from the EU to third countries, it would not reflect the breadth and depth of the UK-EU relationship, according to the latest proposals published by the UK Brexit negotiating team.

While the adequacy approach is informing the UK’s negotiations on the withdrawal agreement, the proposal states this approach would not enable national data protection authorities to cooperate effectively to enforce data protection principles.

“We therefore believe a new model would better deliver both UK and EU interests, and could provide more stability and certainty as an agreement between governments,” the proposal states.

The UK is therefore proposing a new agreement between the EU and UK that builds on standard adequacy to “better deliver” on shared interests and provide UK and EU citizens with greater confidence in data protection rules and standards.

In addition to maintaining the free and unhindered flow of personal data and offering enhanced stability and confidence for individuals, businesses and public authorities, the agreement should reassure citizens that their personal data is subject to robust protection and should not impose unnecessary additional costs to businesses.

It should also provide for the ongoing regulatory cooperation between the EU and the UK on current and future data protection issues to ensure the framework “effectively meets the needs of our unique relationship”, the proposal states.

In particular, the proposal calls for an “appropriate role” for the Information Commissioner’s Office (ICO) on the European Data Protection Board and assurances for UK businesses and consumers that they are effectively represented under the EU’s one-stop-shop mechanism for resolving data protection disputes.

“The ICO is deeply committed and embedded in the EU regulatory community. And that is the message I’ve been giving to parliamentarians when giving evidence to committees looking at the implications of Brexit,” information commissioner Elizabeth Denham told the recent IAPP Data Protection Intensive conference in London.

The proposal notes that the ICO is the largest data protection authority in the EU, that it is recognised by other European data protection authorities as a well-resourced and highly valued centre of expertise, that it plays a “leading and influential” role in EU policy development, and is an is an effective enforcer of EU rules, with a strong record of independence.

The UK negotiating team argues that the ICO’s continued role in Europe will benefit consumers and businesses in the EU and UK because it will bring its expertise, resource, experience and global influence to bear, it ensures a consistent approach to interpretation and implementation of data protection principles, it reduces the regulatory burden on businesses with UK and European operations, and it helps EU consumers bringing complaints against UK companies and protects the rights of individuals.

According to the document, the new agreement it outlines is a “pragmatic approach” that would reflect the UK and EU’s shared interests and unique relationship for mutual benefit.

A legally binding agreement would provide strong privacy protections for UK and EU citizens whose data flows between the UK and EU, underpin continued partnership on economic issues and security, provide greater certainty for consumers, businesses, law enforcement and other public authorities, and improve joined-up regulatory enforcement of data protection standards.