UK should pursue EU data protection adequacy post-Brexit, says ICO

Post-Brexit, the UK should seek EU data protection adequacy as well as special status regarding the EU Data Protection Board, says information commissioner

The UK should apply for a data protection adequacy finding by the European Commission (EC) post Brexit, says UK information commissioner Elizabeth Denham.

“The best way forward is to achieve an adequacy finding from the EC because it is the most straightforward arrangement for data flows between the UK and the European Union to continue,” she told the House of Lords EU Home Affairs Sub-Committee.

However, like other experts presenting evidence to the committee, Denham said an adequacy finding is achieved only through a formal legislative process that takes time.

In fact, previous witnesses have said it could take up to three years for the EC to assess whether the UK, as a third-party country, is deemed to have an adequate data protection regime in terms of legislation, custom and practice.

Denham said having an adequacy finding in place soon after Brexit is challenging, but she said the UK government may be able to negotiate a transitional arrangement. Avoiding a “cliff edge” at Brexit, she said, would be in everybody’s best interest.

Failing such a transitional arrangement, she said companies will have to rely on standard contractual clauses and binding corporate rules to ensure data flows continue between the EU and UK until an adequacy finding is achieved.

While the Information Commissioner’s Office cannot determine the post-Brexit policy environment and is not directly involved in Brexit negotiations, Denham said she and her team are continually working to advise and support government ministers and senior staff in the policy analysis they are undertaking.

Digital minister Matt Hancock, who faced questions from the same sub-committee in February 2017, said the UK will replace the 1988 Data Protection Act with legislation that mirrors the General Data Protection Regulation (GDPR).

Hancock said he was confident that this strategy would ensure the UK achieves its goal of free data flows with the EU post-Brexit.

Denham agreed that this would be a good strategy, saying the UK should aim to set the “gold standard” in data protection to ensure an equivalent standing with the EU as well as the rest of the world.

“If we want to innovate with data and use it for effective public policy reasons, then we have to have a high level of trust from individuals, which means that we need the gold standard of data protection regulation and enforcement, which go hand in hand.

“So the right way forward from my perspective is to fully adopt the GDPR and put into effect the accompanying directive to protect citizens’ right to data protection whenever personal data is used by criminal law enforcement authorities.

“We have to build that level of trust and we can’t have people throwing rocks at us from the outside, so we have to have a very strong data protection regime that is enforced well,” she said.

While “weakening the law” and making it less burdensome on business seems attractive on the surface, she does not see “a sustainable business model to be lowering data protection regulation and practice, because that is likely to bite us in the long term”.

Compliance with data protection

Commenting on the impact of GDPR on business, Denham said it would depend on how much work they have done to comply with the 1988 Data Protection Act.

“The GDPR has higher standards, but they are evolved standards, and so if a company has not been doing anything on data protection for the past 10 years, the resource implications are going to be greater,” she said, adding that there are a lot of tools available to help.

The ICO has focused in particular on helping small to medium-sized enterprises by providing checklists, educational seminars and online tools.

However, Denham said UK businesses are starting to see the value in getting strong protection for their consumers and understanding that it is a necessary part of good business practice.

“It is a competitive advantage if you are doing the right thing with customers’ data, and playing fast and loose with customers’ sensitive personal data is not going to cut it,” she said.

Denham said it was very important in the context of the Brexit negotiation process that the government considers the ICO’s place and influence in the future European Data Protection Board.

The EDPB will replace the Article 29 Data Protection Working Party and have a similar membership, mainly of EU data protection authorities, but with an independent secretariat. It will have the status of an EU body with extensive powers to determine disputes between national supervisory authorities, to give advice and guidance and to approve EU-wide codes and certification.

The EDPB to have a large influence

Denham said that, unlike the Article 29 Working Party, the EDPB will be an adjudicator, not just an advisor, and will be very influential in future.

Unless the UK can negotiate some special status in the EDPB, Denham said the UK will be without influence, despite its full adoption of the GDPR.

“The EDPB will make decisions about the data processing of companies that impact on UK citizens, and if the ICO is nowhere close to those decisions it will be frustrating for citizens and government,” she said. Therefore, the government should do all it can to ensure the UK has at least observer status.

Denham said it is critical that the UK has some kind of influence in terms of the EDPB, in the same way that Norway – which has observer status as a member of the European Economic Area (EEA) – has been an active participant and even leader of the activities of the Article 29 Working Party.

But for the UK as a third country to have observer status or something similar with the EDPB, Denham said this would have to be negotiated between the UK and the EC.

“The EDPB is an important arena [in terms of exerting influence], but so is the International Conference of Data Protection Commissioners,” she said. The UK is an accredited member of the conference and will continue to be post-Brexit.

The UK, she said, also works with the Asia Pacific Privacy Authorities and is co-chair of a group of Commonwealth countries called the Common Thread Network.

“The end-game probably needs to be an international treaty on data protection if we recognise the global nature of data flows, because right now, we have a patchwork environment that requires some countries to apply to others for adequacy findings,” said Denham.
