Brexit: UK seeks data transfer pact with EU
The UK will seek “new arrangements” with the EU in order to allow for the continued free flow of personal data, according to a government paper.
It argues the UK starts from “unprecedented” alignment with EU law, but acknowledges collaboration will be needed to protect British interests.
Many UK businesses and law enforcement agencies rely on EU data.
One legal expert said the paper was a “step forward” but overlooked some key points.
The paper puts forward the UK government’s position that a UK-EU model for exchanging and protecting data will be essential to maintain a “deep and special partnership” – a phrase used four times in the document.
Regarding how to achieve this, the government suggests that the Information Commissioner be “fully involved” in future EU regulatory discussions.
It also raises the possibility of the UK and EU mutually recognising each other’s data protection rules as the basis for allowing the free flow of data to continue.
And there should be an agreed timeline for implementing more long-term arrangements to reassure businesses, the government adds.
“It will help businesses who need to be able to plan their future – they need a sense of what the law will be,” said Dr Karen Mc Cullagh, a legal expert at the University of East Anglia.
However, the UK’s approach to surveillance might give EU negotiators cause for concern when considering business-as-usual, she added.
“[The paper overlooks] some important facts – the most important one being the Investigatory Powers Act which is likely to present a hurdle.”
On the idea that the Information Commissioner should still have access to EU regulatory dialogue, Dr Mc Cullagh said: “There will be a concern that [UK lawmakers] will lose the ability to influence if they’re not at the table, if they can’t shape future laws.”
Earlier this month, the government said that it would implement the EU’s overarching General Data Protection Regulation (GDPR) within British law.
These regulations allow for bigger fines on firms that flout the rules – and it will also be easier for consumers to control information about them online and in databases controlled by companies.
“We want the secure flow of data to be unhindered in the future as we leave the EU,” said Matt Hancock, Minister for Digital, on the publication of the paper.
“So a strong future data relationship between the UK and EU, based on aligned data protection rules, is in our mutual interest.”
Why are UK-EU data transfers important?
Many UK businesses, law enforcement agencies and research institutions rely on quick and easy access to EU data in order to do their work.
In fact, the UK has the largest internet economy as a percentage of GDP out of all the G20 countries, according to the Boston Consulting Group – and much of that relies on data flowing freely.
A House of Lords report recently found that if data transfers were hindered, “the UK could be put at a competitive disadvantage and the police could lose access to information and intelligence mechanisms”.
How are data transfers regulated now?
The GDPR means that – once implemented next year – data transfers across the EU will be updated and aligned between member states.
At the moment, the UK’s access to EU data is largely safeguarded, but upon leaving the union and – potentially – the European Economic Area, it will need to show that it still protects data properly.
An assessment that the UK meets data “adequacy” requirements will have to come from the European Commission and it is currently unclear whether such a decision will be made quickly when the UK leaves.
Another important factor is the EU-US Privacy Shield, which was set up to tighten controls after Edward Snowden’s revelations about US intelligence agency snooping.
What issues could arise?
The UK’s position has its complexities – not least thanks to the Investigatory Powers Act, which Sir Tim Berners-Lee has called a “security nightmare”.
“Unless the Investigatory Powers Act 2016 is amended, it is highly likely that the UK will not be granted an adequacy decision and data flows will be blocked,” says Dr Mc Cullagh.
Plus, once out of the EU, the UK will also depart the EU-US Privacy Shield – meaning that the EU could raise concerns about data it passes to the UK.
Might it, for example, be transferred to the US without EU-worthy oversights?
These are potential stumbling blocks for Britain as it moves out of the EU – but seeks to retain the same access to data that it had as a member state.