UK stands by 'adequacy-plus' Brexit data protection proposals

Out-Law News | 13 Jul 2018 | 10:31 am | 2 min. read

Businesses and consumers stand to gain if the UK and remaining EU countries can reach "an extensive agreement on the exchange of personal data", the UK government has said.

The government reiterated its call for a new 'adequacy-plus' style deal with the EU27 on data protection to apply post-Brexit in its white paper published on Thursday.

EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). One way in which organisations can transfer personal data outside of the trading bloc is where they do so to a country that benefits from a so-called 'adequacy decision' of the European Commission.

Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be automatically compliant with EU data protection laws. Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.

However, the UK government said it is looking for an agreement on data protection with its EU neighbours that builds on the traditional 'adequacy' arrangements but goes further "in two key respects".

"On stability and transparency, it would benefit the UK and the EU, as well as businesses and individuals, to have a clear, transparent framework to facilitate dialogue, minimise the risk of disruption to data flows and support a stable relationship between the UK and the EU to protect the personal data of UK and EU citizens across Europe; and on regulatory cooperation, it would be in the UK’s and the EU's mutual interest to have close cooperation and joined up enforcement action between the UK's Information Commissioner's Office (ICO) and EU data protection authorities," the government said.

"The UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement is in place by the end of the implementation period at the latest [scheduled for the end of December 2020], to provide the earliest possible reassurance that data flows can continue," it said.

It said "ongoing cooperation" between the ICO and other data protection authorities across the EU would help reduce administrative burdens for businesses and "avoid unnecessary complexity and duplication, and overcome barriers for EU citizens and UK nationals in enforcing their rights across borders and accessing effective means of redress".

"The UK believes its proposals on regulatory cooperation between data protection authorities are in line with the EU’s developing thinking on cooperation with third countries on data protection," it said.

However, after the government set out similar plans earlier in the negotiating process, the EU's chief Brexit negotiator Michel Barnier appeared to reject the proposals.

At the time, Barnier said: "It will especially run counter to the interests of our businesses if we abandon our decision-making autonomy. This autonomy allows us to set standards for the whole of the EU, but also to see these standards being replicated around the world… We cannot, and will not, share this decision-making autonomy with a third country, including a former member state who does not want to be part of the same legal ecosystem as us."

He also said the UK's plans posed "real problems" and raise a number of legal questions.

He said: "Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR (General Data Protection Regulation)? Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR? How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel? …The UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision," he said.