There will be an unprecedented level of alignment on data protection laws between the UK and the EU on Brexit, with the UK’s draft Data Protection Bill implementing the GDPR expected shortly. At the same time, any ongoing elements of regulatory uncertainty – such as restrictions on EU-UK or UK-EU data flows – have the potential to damage businesses on both sides. This could take the form of putting them to unnecessary expense and time in contingency planning or causing them to renegotiate what may be less favourable contractual arrangements. The constructive approach taken in the Paper will be welcomed by businesses eager to avoid unnecessary cost and change.
On 24 August the UK Government published a future partnership paper (the “Paper”) on the exchange and protection of personal data following the UK’s withdrawal from the European Union. The Paper is part of a series on key issues setting out the Government’s objectives for the future relationship between the UK and EU.
International transfers of personal data
Under EU law, personal data may not be transferred to countries outside of the EEA unless a legal mechanism is in place to ensure that they are adequately protected in their destination country, or specific derogations are relied on. Legal mechanisms commonly used to provide adequate protection for personal data include:
- Country or sector-specific adequacy decisions adopted by the European Commission. These decisions may be adopted where the Commission determines that the laws of a country, or sector within a country, are substantially similar to those of the EU. Personal data may flow to such “white listed” countries on the same terms as to EEA countries. The white list currently includes, for example, Argentina, Canada, Israel and Switzerland.
- Standard contractual clauses issued by the European Commission. By entering into these standard contractual clauses – in an unamended form – the exporting EU-based party can ensure that data transfers are undertaken in compliance with EU law.
The Paper states that one of the Government’s key objectives is to avoid regulatory uncertainty for businesses in the UK, EEA and EU by reaching an early agreement to mutually recognise each other’s data protection frameworks. As the UK’s laws are likely to be substantially similar to those in force in the EU at the time of withdrawal, the Government proposes that this mutual agreement could build on the existing adequacy model outlined above. The Government also wants to ensure the UK continues to recognise EU adequacy decisions post-Brexit, indicating that for the purpose of compliance with UK law, the standard contractual clauses, as well as the EU-U.S. Privacy Shield, will likely continue to be available in the UK for international data transfers.
If the Government’s aims are realised following the withdrawal negotiation process, businesses could benefit from a largely unchanged regulatory environment, meaning little change to contracts in the short term. Organisations should still be assessing the compliance of their existing international transfer mechanisms as part of their GDPR preparedness projects.
An ongoing role for the UK Information Commissioner
The Paper also sets out the Government’s aim to establish a system of regulatory cooperation between the Information Commissioner’s Office and the supervisory authorities of other EEA member states that would allow the UK regulator to be “fully involved in future EU regulatory dialogue.” The Government considers this essential since businesses operating in the UK or the EEA are likely to find themselves subject to both the EU and UK legal regimes. While in practice the close alignment between future UK law and the EU regime may mean that the obligations on entities are substantially similar, there is potential for data protection authorities to take different approaches to enforcement. It is clearly preferable therefore that some form of cooperation exists.