Data Adequacy after Brexit: Commons Select Committee Report

The Exiting the European Union Committee has published its report on data flows and data protection after Brexit.

The House of Commons Select Committee on Exiting the European Union has issued a report which suggests that, in order to ensure data flows between the EU and the UK can be maintained after 29 March 2019, the UK Government should start the process to secure a Data Adequacy Decision from the EU as soon as possible.

The Chair of the Committee, Hilary Benn MP, said:

‘The ability to move data between the UK and the EU after the UK leaves the EU is 'mission critical' for the UK's trading relationship. In the Prime Minister's Mansion House speech, she said the UK had 'exceptionally high standards of data protection' and emphasised that the UK wanted to 'secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals.' As a first step, the UK needs to request an Adequacy Decision from the EU. This will help not just business but also our future security relationship which is vital to both the UK and EU. The UK must take steps urgently to enable data to flow between the UK and the EU on the same terms as now, with no gaps in service. UK citizens also need to be reassured about what will happen to their personal information once we exit the EU; they deserve the highest level of data protection – just as they have now.’

The Committee’s conclusion are as follows.

Data and the modern world

1. Data flows and data protection are fundamental to the modern way of life and, increasingly, to the functioning of the economy, particularly in areas of UK comparative advantage such as services. The objective in the negotiations for the UK Government must be to maintain high standards of data protection and ensure that data can continue to be transferred across borders as it is now. (Paragraph 7)

EU data protection and third countries

2. The EU’s existing arrangements for providing for data flows with third countries typically involve a decision of adequacy from the European Commission. Since the CJEU decision on the US-EU Safe Harbour agreement, a decision of adequacy will require the third country to provide protection of fundamental rights essentially equivalent to that provided in the EU. A range of countries have received an adequacy decision, ranging from Switzerland to Argentina to New Zealand. The United States and Canada have limited arrangements. (Paragraph 16)

The negotiation positions

3. The UK’s proposals accept that the EU will need to assess the adequacy of the UK data regime. The UK is asking for this to be on the basis of a two-way agreement—rather than solely a one-way decision of the European Commission—and in the form of an international agreement—a Treaty. The UK should provide more information on the distinction between the procedure for an adequacy decision and the procedure that it expects both parties to go through to secure an international agreement on data. (Paragraph 30)

4. The EU negotiating guidelines on the future relationship provide that data protection should be governed by EU rules on adequacy. The public statements from Michel Barnier have consistently said that the EU will not share its regulatory autonomy with a third country. The UK has said it does not wish to interfere with the EU’s decision-making autonomy and respects the fact that certain EU bodies are subject to CJEU jurisdiction. The EU appears to consider the UK proposals to be an attempt to retain influence on the EU regulatory regime from the position of a third country. The UK should accept, to increase the prospects of securing the Prime Minister’s objectives of continuing membership by the Information Commissioner on the European Data Protection Board and representation under the European One-stop shop, that the CJEU will continue to have jurisdiction over aspects of data protection law in the UK after exiting the EU. (Paragraph 31)

5. The EU have said as a third country that the UK cannot have continued participation on the European Data Protection Board or One-stop shop. No non-EU states are represented on the European Data Protection Board; and while non-EU EEA countries such as Norway are within the internal market on data they do not participate on the European Data Protection Board. The EU wishes to retain its decision-making autonomy, and the UK may be put in a position where it does not have a role in helping to frame future EU wide rules on data. (Paragraph 36)

6. As things currently stand, UK businesses will be outside the provisions of the new One-stop shop, a coordination mechanism designed to reduce cost and bureaucracy to businesses across the EU. (Paragraph 37)

7. The content of the UK proposal is unprecedented for an EU third country arrangement on data and there are no existing models for third country data exchange covering the degree of data sharing in criminal justice that the UK is seeking. The UK would need an adequacy decision to be able to engage in data sharing for law enforcement purposes. It would also have to accept the jurisdiction of the CJEU. It is not in the interests of the people and governments of Europe for there to be a reduction in cooperation in respect of policing and law enforcement. We urge both sets of negotiators to find a way to secure continued high level cooperation on this incredibly important and sensitive matter. (Paragraph 43)

8. There is a high chance of a legal challenge to any proposed UK-EU data international agreement. A legal challenge could create regulatory gaps and uncertainty for business. (Paragraph 47)

Alternatives to adequacy

9. The UK should accept the provisions in Title 7 of the draft Withdrawal Agreement providing assurance about the future protection of personal data already in the UK at the time of withdrawal. Following the passage of the Data Protection Act, the UK’s data protection law will be aligned with EU law on the day the UK leaves the EU. As a result, the UK will be in a very strong position when it seeks a declaration of essentially equivalent data protection. However, it is seeking an unprecedented agreement which will be subject to negotiation. The UK Government should be preparing for the adequacy process and ensuring that there is no risk of a gap in legal provision for transferring data between the UK and the EU after December 2020. This would have serious implications for businesses and consumers on both sides. The UK Government needs to establish with the Commission whether it is possible for the adequacy process to be initiated before the UK leaves the EU and, if so, to initiate the process without delay. It needs to provide concrete assurances that data will be able to flow between the UK and the EU after December 2020 on the same terms as now. Beyond this, the UK should explore the possibility of negotiating a bespoke agreement with the EU allowing much closer cooperation in data protection and data sharing which once achieved could replace the third party arrangements conferred by a simple adequacy decision. (Paragraph 51)

10. The alternative legal processes for enabling data transfers, such as standard contractual clauses, binding corporate rules, codes of conduct, and certification mechanisms, are unsatisfactory substitutes for an agreement that data protection rules in the UK are essentially equivalent to that of the EU. Such alternatives would represent a considerable change from the status quo, would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses. (Paragraph 57)

11. While there are signs that the EU is moving to the inclusion of data in trade agreements, the current pattern appears to be for a trade agreement to be negotiated separately and in parallel to the process of an adequacy decision. The process for considering an application for data adequacy is not hampered or delayed by being subject to trade negotiations. (Paragraph 62)

12. The Government should state if its intention is to negotiate a single agreement covering the economic and the security aspects of the relationship, or to separate them into more than one agreement so the data aspect of the security relationship is not subject to the procedure for the economic agreement. (Paragraph 63).

Read the full report here.

Published: 2018-07-04T13:00:00


      This site uses cookies. By using the site you agree to our use of cookies as set out in our Privacy Policy.

      Please wait...