The exchange and protection of personal data, the UK government’s paper, published today, suggests that it is important to agree now a UK-EU model for international data transfers in order to avoid any disruption to business in the future.
The government believes ‘it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force.’
It suggests that the UK and the EU should agree a negotiating timeline for longer-term arrangements, which should be possible given the current alignment of the data protection frameworks. The government points out that the UK has agreed to implement the GDPR, and in fact had a data protection law in place in 1984 before the EU Data Protection Directive was adopted in 1995.
The government says that it is exploring a model which would allow the UK’s Data Protection Authority, the Information Commissioner’s Office to be fully involved in future EU regulatory dialogue. The logical implication is that the UK would have a seat on the European Data Protection Board.
With regard to third countries with existing EU adequacy decisions, transfers should continue on the same basis after the UK’s withdrawal from the EU, the government says. The EU has indicated it would have an adequacy decision in place with Japan by early 2018, and has also engaged in discussions with South Korea. The countries that currently have an adequacy decision are Andorra, Argentina, Canada (for transfers to commercial organisations which are subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the US (for certified companies). All are subject to routine review.
The exchange and protection of personal data: