dc975 - Fotolia
The UK plans to cooperate closely with Europe on data protection rules to ensure a free flow of information between businesses and law enforcement organisations after it leaves the EU.
The strategy is detailed in the latest of a series of position papers by the government looking at the UK’s future partnership with the EU after Brexit.
Digital minister Matt Hancock said the UK was leading the way on modern data protection laws and had worked closely with EU partners to develop world-leading data protection standards.
“In the modern world, data flows increasingly underpin trade, business and all relationships. We want the secure flow of data to be unhindered in the future as we leave the EU, so a strong future data relationship between the UK and EU, based on aligned data protection rules, is in our mutual interest,” he said.
The latest position paper, said Hancock, sets out how the government thinks the UK’s data relationship with the EU should continue.
“Our goal is to combine strong privacy rules with a relationship that allows flexibility, to give consumers and businesses certainty in their use of data,” he said.
According to the document, the UK government will consider the case for a “unique approach” that could allow data to continue to be exchanged to ensure ongoing competitiveness, innovation and job creation.
The document outlines how the UK is considering what the government terms “an ambitious model” for the protection and exchange of personal data with the EU that reflects the unprecedented alignment between UK and European law and recognises the high data protection standards that will be in place at the point of exit.
This strategy is aimed at enabling the UK to work more closely with the EU, providing continuity and certainty for business, allowing public authorities, including law enforcement authorities, to continue their close cooperation in protecting people’s data and privacy, and providing for ongoing regulatory cooperation between the UK and EU data protection authorities.
Publication of the position paper comes just two-and-a-half weeks after the government announced plans for a new UK data protection law aligned with the EU’s General Data Protection Regulation (GDPR).
Hancock signalled the intention to align UK law with the GDPR in February 2017 when giving evidence to an inquiry about data protection following Brexit by the House of Lords’ EU Home Affairs sub-committee.
He said the UK would replace the 1988 Data Protection Act with legislation that mirrors the GDPR in an attempt to achieve the government’s goal of ensuring an unhindered exchange of data between the UK and the EU after Brexit.
Read more about GDPR
- With less than a year to go before the General Data Protection Regulation compliance deadline, many businesses are floundering, while others are embracing data-centric security to fast-track compliance.
- The GDPR is not only relevant to CISOs and DPOs, and has a massive impact on businesses.
- There is no time for businesses to delay in preparing for the GDPR, says the UK privacy watchdog.
- GDPR: One year to compliance and opportunity.
Responding to the position paper, the Confederation of British Industry (CBI) said the document was a step forward in recognising the importance of securing the free flow of data to the UK economy.
“From booking a hotel room to collaborating on medical research, data underpins international trade and the products and services consumers rely on,” said Tom Thackray, CBI director of innovation.
“The strong alignment between British and European data standards opens the door to crafting a robust framework that enables the uninterrupted flow of data. In the short term, a seamless transition deal is necessary to protect the free flow of information and provide legal certainty to businesses and consumers,” he said.
If no transition deal is agreed, the UK’s potential £240bn data economy between 2015 and 2020 is at risk of isolation, warned the CBI, which represents 190,000 businesses of all sizes and sectors across the UK.
IT industry trade body TechUK said the tech sector, and increasingly every businesses in the UK that does business internationally, needs a clear legal basis for data transfer post-Brexit.
“We are pleased that the government acknowledges the urgent need for a solution to this problem or it risks serious harm to both businesses and consumers,” said Antony Walker, deputy CEO at TechUK.
“This is a complex problem, but there is a well-understood solution. That would be for the UK and EU to agree a mutual ‘adequacy’ agreement that provides a watertight legal framework for data transfers. It is not yet clear whether the government’s ‘unique’ solution would go down this route.
“Securing an adequacy agreement, or any other unique arrangement, will take time. The fastest adequacy decision ever given by the EU took 18 months. This again underlines the need for a significant, time-limited, interim period that allows both government and businesses the time needed to adapt to a post-Brexit system,” said Walker.
The government recognises the importance of the digital economy to the UK’s economy in the position paper, saying that in 2015, the digital economy was worth £118.4bn, or 7.1% of the UK’s total value of goods and services.
This relies on data being able to flow freely back and forth. Any disruption to these cross-border data flows could be costly to both Britain and the EU, the government said.
According to the position paper, the government considers it essential to agree a UK-EU model for exchanging and protecting personal data. It said the model should:
- Allow data to continue to be exchanged in a safe and properly regulated way;
- Offer sufficient stability and confidence for businesses, public authorities and individuals;
- Provide for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection;
- Continue to protect the privacy of individuals;
- Respect UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection;
- Not impose unnecessary additional costs to business;
- Be based on objective consideration of evidence.
“We look forward to the EU outlining its own proposals in this area and taking forward discussions in future negotiations,” the government said in a statement.