bluedesign - Fotolia

European Commission calls for free flow of data after Brexit

EC digital leader says EU must avoid “data nationalisation” after the UK leaves – but also warns EU states

The European Union (EU) institutions want data flows between the UK and Europe to continue post-Brexit just as badly as the UK does.

Speaking at an event on trans-European dataflows in Estonia last week, Andrus Ansip, the European Commission (EC) vice-president in charge of the Digital Single Market, criticised what he called “data protectionism”.

“Digital business is global business – we urgently need to address data localisation rules,” he said.

“Data is not only the basis of our digital future and prosperity, it is a valuable resource in itself. Keeping that resource unnecessarily stuck in national datacentres or in a certain geographic area means it cannot be used to its full potential. You could also call it data protectionism, or data nationalism.”

A report on post-Brexit data protection from the House of Lords’ EU Home Affairs Sub-Committee last week said there was “no prospect of a clean break” with Europe when it came to data flows.

“The committee was concerned by the lack of detail on how the government plans to maintain unhindered data flows post-Brexit,” said committee chairman Lord Jay.

In a rare show of agreement, that view is shared by senior officials in the European institutions.

But senior sources in the EC told Computer Weekly that there is, as yet, no clear indication what will happen after Brexit. One expert said: “It’s totally up to negotiations.”

Polish MEP Michal Boni, who was heavily involved in writing the General Data Protection Regulation (GDPR) and the current drafting of the ePrivacy Regulation, said it was a “big problem”.

“I have worked with my colleagues from the UK on the GDPR and we have started the work on ePrivacy, and the question is, after Brexit, will we require the special agreement between the EU and the UK as now we have with the US Privacy Shield?” he said.

“It’s a problem for all of us because it’s weakening the opportunities for our economy. It was the choice of the British people, but I think we are losing out in not having the UK aboard on digital issues.”

Read more about Brexit and technology

As the GDPR will come into force in May 2018, before the UK exits the EU, the UK will initially have to comply with the law on data transfers. The UK government has said it is committed to maintaining the GDPR after Brexit. But further down the line, many, like Boni, see the need for a Privacy Shield-style arrangement.

Privacy Shield is the work-around agreement between the EU and the US because the latter does not reach the EU’s adequacy requirements on data protection. Essentially, US companies sign up to the Privacy Shield register and promise to adhere to its rules, which are then enforceable by the US Federal Trade Commission.

However, the Lords sub-committee is urging the UK government to seek such an adequacy decision from the EU, describing it as the “least burdensome” option.

“We were persuaded by the Information Commissioner’s view that the UK is so heavily integrated with the EU – three-quarters of the UK’s cross-border data flows are with EU countries – that it would be difficult for the UK to get by without an adequacy arrangement,” said the report.

However, such an adequacy approval from the EU is by no means a foregone conclusion. It cannot even be discussed until after the UK has left the EU, and the UK may fall foul of many of the problems with national security surveillance that have dogged the US.

Privacy Shield in doubt

Even the current EU-US Privacy Shield in in doubt. Members of the European Parliament’s civil liberties committee were in Washington last week to take stock of the current arrangement and concluded that many “deficiencies must be urgently resolved”.

Labour MEP and head of the committee Claude Moraes said: “Several key positions still need to be filled under the new US administration in order to meet the conditions of the adequacy decision. These would include some of the necessary functions of the Federal Trade Commission, the Privacy and Civil Liberties Oversight Board, which is currently lacking four of its five commissioners, and the Ombudsperson, who is currently only in an acting capacity.”

In Estonia, Ansip was still railing against data localisation: “The core of the problem remains the same: national requirements on processing, storage and transfer of data. If we can get rid of needless national and local barriers to data flows, as well as address the underlying uncertainties, then everyone stands to gain – companies, governments and consumers.”

He was even critical of the EU itself, saying: “How optimistic should we be in looking at key data flows? We had the idea to allow this three years ago already and we have not been able to deliver – not only across the EU, but also third countries.”

Referring to the EU as “fragmented Europe” on the issue, Ansip said the message to startups would be clear: “Stay at home or go to the US.”

The EC plans to establish free movement of data within EU borders as a basic principle in EU law and will put forward proposals before the end of the year.

UK technology industry trade body TechUK has called on the government to make free flow of data a priority in Brexit negotiations. ...................................................................................................

Read more on Privacy and data protection