UK House Of Lords Issues Report On Post-Brexit EU Data Transfers

King & Spalding
Contact

On July 18, 2017, the UK’s House of Lords European Union Committee published a report on EU data protection standards and the impact on the U.K. in the wake of Brexit. The House of Lords’ report, entitled, Brexit: the EU data protection package, and available here (the “Report”), states that the UK government “has said that it wants to maintain unhindered and uninterrupted data flows with the EU post-Brexit,” but concludes that there is a “lack of detail” on how to achieve that objective. Per the Report, the stakes are high surrounding EU-UK data transfers in the aftermath of Brexit, as discord on the topic could result in a “non-tariff trade barrier” and make police and security cooperation across national borders more difficult.

The Report examines four components of the EU data protection regime: the Police and Criminal Justice Directive, the General Data Protection Regulation, the EU-U.S. Umbrella Agreement, and the EU-U.S. Privacy Shield.  After Brexit, the UK’s status will change to that of a third country for purposes of EU rules, and it will no longer be bound by those instruments.  The Report recommends that, to continue exchanging data with the EU effectively, the UK obtain an adequacy decision from the European Commission, which would certify that the UK “provides a standard of protection which is ‘essentially equivalent’ to EU data protection standards.” The Report states that since three quarters of the UK’s international data transfers involve EU countries, “an adequacy decision would provide the most comprehensive mechanism for the UK to share data with the EU in an unhindered way.”  The Report notes that moving data across borders is critical to trading relationships and, “although alternatives to an adequacy decision are available, those alternatives would be less effective in reducing friction around data flows.”

The Report continues that, the UK, as a non-Member State, could be held to a higher standard by the European Commission when considering adequacy decisions. For instance, the European Commission will review a third country’s complete data protection apparatus—including its national security framework—and the UK “would no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the UK’s data retention and surveillance regime is tested before the Court of Justice of the European Union.”

The Report further cautions that the UK would need to maintain adequacy following such a decision and changes to the country’s data protection policies could have an impact on adequacy status. For example, the Report notes that, “a lax approach to onward transfers of data to third countries would put that adequacy decision at risk.”

Finally, the Report points out that, post-Brexit, the UK’s influence on the direction of EU data protection rules might wane. The Report urges the UK government to maintain influence by replacing “the institutional platforms currently used to exert influence and find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and global level.”

The UK’s House of Lords European Union Committee published the Report in the wake of the recent issuance of the UK’s Information Commissioner’s Office (“ICO”) international strategy for 2017-2021, examined in more detail in a recent article available here. The ICO international strategy, which details the UK’s plan for its relationship with the EU on data security matters, acknowledges that Brexit negotiations will shape the UK’s role in the data protection arena, and also sets forth the operations of an effective data protection authority both prior to and subsequent to the UK exit from the EU. The ICO states the UK’s objective is to maintain its reputation as a data protection authority and sets a challenge of maintaining high data protection standards to “enable the ICO to be recognized as a leading regulatory partner and to enable international data flows.” The ICO international strategy sets a priority for the UK to be “a country with a high standard of data protection law, which is effectively interoperable with different legal systems that protect international flows of data.”

We will continue to monitor developments in this important area as they arise.

Written by:

King & Spalding
Contact
more
less

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.