Delphotostock - Fotolia
Greater friction around data transfers between the UK and European Union (EU) after Brexit could present a non-tariff trade barrier and hinder police and security co-operation, according to a report by a Lords’ committee.
The report is based on the findings of an inquiry by the House of Lords EU Home Affairs sub-committee into the implications of Brexit with regard to the EU’s data protection rules.
The inquiry is part of a series of short investigations by the House of Lords EU committee and its six sub-committees examining the key issues that will arise in the Brexit negotiations.
The report, Brexit: the EU data protection package, noted that the UK government has indicated that it wishes to secure “unhindered” and “uninterrupted” flows of data between the UK and the EU after Brexit to facilitate both trade and cooperation in law enforcement.
Both of these rely on shared standards of data protection, and if the government’s objectives are not achieved, the UK could be at a competitive disadvantage, the report said.
In testimony to the inquiry in February 2017, digital minister Matt Hancock said the UK planned a full implementation of the EU General Data Protection Regulation (GDPR) and was confident of agreements with the US to ensure uninhibited data exchanges with the EU and the US post-Brexit.
“The government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome,” the report said.
According to the report, the most effective way to achieve unhindered and uninterrupted flows of data would be to apply an “adequacy decision” from the European Commission to confirm that the UK’s data protection rules offered a standard of protection equivalent to the EU’s.
This would provide the least burdensome and most comprehensive platform for sharing data with the EU, and would offer stability and certainty for businesses, the report said, noting that alternative mechanisms to allow data to flow out of the EU for commercial purposes were less effective than an adequacy decision.
Read more about the House of Lords EU Home Affairs sub-committee inquiry
Considering that three-quarters of the UK’s cross-border data flows are with EU countries, the report said it would be difficult for the country to get by without an adequacy arrangement.
Failure to secure an adequacy finding would leave companies having to rely on standard contractual clauses and binding corporate rules to ensure data flows between the EU and the UK, but the report warned that these mechanisms may not be available to some types of companies and were currently subject to legal challenge.
The report warned that if an adequacy decision was not agreed, there were no apparent fall-back options for law enforcement purposes that would enable data to be shared with the EU. This raised concerns about the UK’s ability to maintain deep police and security cooperation with the EU after Brexit.
In the light of these findings, the report urged the UK government to ensure that a transitional arrangement was agreed until an adequacy decision could be taken, to avoid a cliff-edge for data transfers when the UK leaves the EU.
“We urge the government to ensure that any transitional arrangements agreed during the withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK,” the committee report said.
Committee chairman Lord Jay said the maintenance of unhindered data flows was crucial for business and effective police co-operation in view of the fact that the volume of data stored electronically and moving across borders had grown hugely over the past 20 years.
“The committee was concerned by the lack of detail on how the government plans to maintain unhindered data flows post-Brexit,” he said.
Rules could diverge
Lord Jay said the committee was also concerned by the risk that EU and UK data protection rules could diverge over time after the UK has left the EU.
“To avoid this, the committee urges the government to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board [EDPB],” he said.
The EDPB will replace the Article 29 Data Protection Working Party and will have a similar membership, mainly comprising EU data protection authorities, but with an independent secretariat. It will have the status of an EU body with extensive powers to determine disputes between national supervisory authorities, to give advice and guidance and to approve EU-wide codes and certification.
Because of EU rules for onward transfers, securing unhindered flows of data with the EU may also require the UK to demonstrate that it has put arrangements in place with the US that give the same level of protection as the Privacy Shield and the Umbrella Agreement, the report said.
As regards data-sharing for commercial purposes, the report noted the approach taken by Switzerland, which has secured both an adequacy decision from the EU and a mirror of the Privacy Shield agreement with the US.
Finally, the report noted that in the longer term, it is possible that an international treaty on data protection could emerge as the end product of greater co-ordination between data protection authorities in the world’s largest markets.
The UK government’s long-term objective should be to influence the development of such a treaty, the report said.
“Given the relative size of the UK market compared to the EU and US markets, and its alignment with EU rules at the point of exit, the government will need to work in partnership with the EU to achieve that goal – again underlining the need to adequately replace existing structures for policy co-ordination,” the report said.