Out-Law News | 31 May 2018 | 11:03 am | 3 min. read
The UK's proposed agreement (20-page / 304KB PDF) would go beyond "the standard adequacy approach" that the EU has adopted with 'third' countries for ensuring the free flow of personal data to those locations.
It would also provide for an "appropriate ongoing role" for the UK's data protection authority, the Information Commissioner's Office (ICO), on the European Data Protection Board (EDPB), and the ICO's participation in the EDPB's 'one stop shop' framework for resolving data protection disputes of a cross border nature.
The new model would be of mutual benefit to the UK and EU, the government said in its paper.
However, in a speech in Lisbon on Saturday, Michel Barnier rejected the UK proposal.
"Brexit is not, and never will be, in the interest of EU businesses," Barnier said. "And it will especially run counter to the interests of our businesses if we abandon our decision-making autonomy. This autonomy allows us to set standards for the whole of the EU, but also to see these standards being replicated around the world… We cannot, and will not, share this decision-making autonomy with a third country, including a former member state who does not want to be part of the same legal ecosystem as us."
The UK's plans "pose real problems" and raise a number of legal questions, according to Barnier.
He said: "Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR (General Data Protection Regulation)? Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR? How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?"
"The United Kingdom needs to face up to the reality of the European Union. It also needs to face up to the reality of Brexit. The United Kingdom decided to leave our harmonised system of decision-making and enforcement. It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges. And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision," he said.
EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA).
One way in which organisations can transfer personal data outside of the trading bloc is where they do so to a country that benefits from a so-called 'adequacy decision' of the European Commission.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be automatically compliant with EU data protection laws. Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.
There is concern, however, over whether the UK's data protection regime would be deemed 'adequate' by the European Commission, according to data protection law expert Claire Edwards of Pinsent Masons, the law firm behind Out-Law.com.
Edwards cited previous statements from the Commission which stated that the UK's Data Protection Act 1998 failed to properly implement the EU's Data Protection Directive. The 1998 Act and the underlying EU Directive have recently been superseded by a new UK Data Protection Act and the GDPR, respectively.
"There has been ongoing dialogue since 2005 regarding what the Commission has perceived as defects in the UK’s implementing legislation," Edwards said. "Information about the 'defects' are not clearly identified in the public domain, but they were originally thought to be in the high teens in number, although subsequent commentary has suggested that there are four significant defects in the Commission's eyes remaining to be addressed."
"If the European Commission perceives those issues to still be present in the UK's implementation of the GDPR then it is likely that the UK's data protection framework will be judged defective. Elizabeth Denham, the UK's information commissioner, recently admitted to a UK parliamentary committee exploring 'fake news' that there would be challenges to the UK obtaining an adequacy decision," she said.
Other mechanisms for businesses to transfer personal data outside of the trading bloc to countries that do not benefit from an adequacy decision are provided for in EU law. These include inserting model clauses into contracts to stipulate conditions over the handling of personal data when transferred outside of the EU.
"If the challenges of obtaining an adequacy designation win out then business will face a further wave of work to ensure that all data transfers between the EEA and the UK are compliant, as this will require further documents to be put in place between the parties," Edwards said.
The European Commission confirmed earlier this year that the UK will be considered a 'third country' from the point that Brexit takes effect for the purposes of data transfers as things stand currently. Unless EU and UK officials agree on transitional arrangements in the interim, businesses will no longer be able to automatically transfer personal data to the UK from 30 March 2019 and be sure that those arrangements comply with EU data protection laws, it said.