Report confirms Brexit’s boomerang logic on data protection

A U.K. parliamentary committee report backs the view that Brexit cannot constitute a “clean break” in data protection law terms with the European Union. Au contraire. The U.K. will likely have to continue mirroring EU data protection rules encore et encore, i.e. after it’s left the room where those rules are made and debated. Such is the boomerang logic of the Brexit vote for the U.K. to leave the European Union.

“The UK has a track record of influencing EU rules on data protection and retention,” the EU Home Affairs sub-committee writes in a report on the EU data protection package as it pertains to Brexit. “Brexit means that it will lose the institutional platform from which it has been able to exert that influence. It is imperative that the government considers how best to replace those structures and platforms in order to retain UK influence as far as possible. It should start by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.”

Giving evidence to the committee earlier this year, the U.K.’s digital minister, Matt Hancock, said the government’s aim is to “ensure unhindered data flows after Brexit” — clearly essential to any U.K. businesses with customers in the EU — which he conceded likely meant mirroring the major part of EU DP law, as we reported at the time.

Seasoned Brexit watchers should not therefore be surprised that the massive upheaval and expense that Brexit represents is likely to result, at least on the data protection front, in being bound by the same EU standards the U.K. is bound by now. (At least, that’s the best-case scenario; assuming the U.K. is able to secure agreement on a continued relationship with the EU after Brexiting.)

“Even if the UK’s data protection rules are aligned with the EU regime to the maximum extent possible at the point of Brexit, there remains the prospect that over time, the EU will amend or update its rules. Maintaining unhindered data flows with the EU post-Brexit could therefore require the UK to continue to align domestic data protection rules with EU rules that it no longer participates in setting,” the committee writes.

“There is no prospect of a clean break: the extra-territorial reach of the GDPR [General Data Protection Regulation] means that the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK, affecting UK businesses that handle EU data,” it adds.

The GDPR, which updates and strengthens EU data protection legislation — including increased fines for privacy violations — is due to come into force across the bloc on May 25 next year.

The committee also suggests a post-Brexit “third country” U.K. might in fact be held to higher standards in data protection terms by the EU than a U.K. that is an EU Member State — on account of no longer being able to rely on a national security EU treaty exemption which the committee says is “currently engaged when the UK’s data retention and surveillance regime is tested” (i.e. before Europe’s top court, the CJEU).

That said, prior U.K. surveillance legislation has fallen foul of the CJEU — which in December put out a judgement following a legal challenge that states Member States cannot create national laws that include “general and indiscriminate retention of data.” So even now, still while an EU Member State, the U.K. looks to be on shaky ground legally over its national security legislation — which is facing a crowdfunded legal challenge.

The committee also warns of the risk in the U.K. of a data flow “cliff-edge” should the government not be able to negotiate a transitional arrangement — i.e. between the end of the two-year Brexit negotiation period, which began this March, and before it is able to obtain a so-called “adequacy decision” from the EU. This refers to a certification that a country provides a standard of protection that is “essentially equivalent” to EU data protection standards.

“Adequacy decisions can only be taken in respect of third countries, and there are therefore legal impediments to having such decisions in place at the moment of exit,” the report notes. “In the absence of a transitional arrangement, this could put at risk the government’s objective of securing uninterrupted flows of data, creating a cliff-edge.

“We urge the government to ensure that any transitional arrangements agreed during the withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK.”

The committee also raises a collective eyebrow at the lack of detail provided from the government thus far on how it intends to secure “unhindered and uninterrupted flows of data,” and urges greater clarity ASAP.

“The government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome. We were struck by the lack of detail in the government’s assurances thus far,” it adds.

The committee says the consensus among the witnesses which it took evidence from for the report is that the U.K. needs to secure an adequacy decision from the EU, rather than seeking to rely on other mechanisms — noting for example the U.K. Information Commissioner’s view that the country is so heavily integrated with the EU (“three-quarters of the UK’s cross-border data flows are with EU countries”) that it would be difficult for it to manage without this type of arrangement.

“We therefore recommend that the government should seek adequacy decisions to facilitate UK-EU data transfers after the UK has ceased to be a member of the EU. This would provide the least burdensome and most comprehensive platform for sharing data with the EU, and offer stability and certainty for businesses, particularly SMEs,” it writes.

The committee also notes there are specific concerns about the U.K.’s ability to “maintain deep police and security cooperation” with the EU and its Member States in the immediate aftermath of Brexit should the government fail to secure a transitional arrangement ahead of being able to obtain an adequacy decision.

And it suggests a transitional arrangement will also be important for businesses — flagging up doubts over alternative mechanisms which can be used to allow data to flow out of the EU for commercial purposes.

“These are sub-optimal compared to an adequacy decision, and may not be available to some types of companies, for instance small companies or those dealing directly with consumers,” it writes, adding: “Some are also currently subject to legal challenge, notably the Schrems II case against Standard Contractual Clauses, underlining the need for a transitional arrangement.”

The committee says the U.K. is also likely to need to secure equivalent data flow agreements with the U.S. as the EU’s EU-US Privacy Shield and the EU-US Umbrella Agreement — which will of course both cease to apply to the U.K., post-Brexit. “As regards data-sharing for commercial purposes, we note the approach taken by Switzerland, which has secured both an adequacy decision from the EU and a mirror of the Privacy Shield agreement with the US,” it writes.

Looking further ahead, the committee suggests an international treaty on data protection “could emerge,” over the longer term, on account of “greater coordination between data protection authorities in the world’s largest markets.”

“The government’s long-term objective should be to influence the development of any such treaty,” it adds. “Given the relative size of the UK market compared to the EU and US markets, and its alignment with EU rules at the point of exit, the government will need to work in partnership with the EU to achieve that goal — again underlining the need to adequately replace existing structures for policy coordination.”

The prospect of any such international co-operation emerging under current U.S. President Trump, however, seems slender, given the existing EU-US Privacy Shield regime is looking increasingly precariously placed.

The first annual review of the EU-US Privacy Shield is due to take place in September, with EU DPAs signaling they intend this scrutiny process to be robust and rigorous.