TechUK and UK Finance have called on the government to prepare a “mutual adequacy agreement” to enable the protection of cross-border personal data exchange after the UK leaves the European Union (EU).
The two bodies – which lobby government for the IT and financial services industries – commissioned a report from international law firm Dentons, No interruptions: options for the future UK-EU data sharing relationship.
In a briefing document to accompany the report, TechUK and UK Finance said: “It will be difficult to achieve a full adequacy decision from the European Commission (and reciprocally from the UK) during the Article 50 negotiation window. This raises the clear risk that the legal basis for numerous data transfers between the EEA [European Economic Area] and the UK will lapse completely overnight in March 2019, impacting thousands of companies and their customers (the ‘cliff-edge’).”
The EU permits the movement of data where it deems the data protection of another country to be “adequate”. Once the UK is outside the EU, as a press statement accompanying the report explains, the union will look at the “totality of UK domestic law, including UK security law, and its international commitments to determine whether there is a level of protection of fundamental rights and freedoms that is ‘essentially equivalent’ to that guaranteed within the EU”.
As the report says, at the end of March 2019, the UK will become a “location which is not deemed by the EU to automatically offer sufficient safeguards and protections for EEA personal data and further steps will need to be taken by EEA exporters of personal data to ensure such data flows may continue on a lawful basis”.
The report advocates a “mutual adequacy agreement to enable the continuing protection for cross-border exchange of … personal data between the two regions [the UK and the EU] by customers and business following Brexit”.
Julian David, CEO of TechUK, said in a statement coinciding with the publication of the report: “With the Brexit deadline growing ever closer, time is of the essence. The UK and EU must recognise each other’s data protection frameworks as adequate as soon as possible. This should be a priority for phase two of Brexit negotiations. This isn’t solely for the benefit of one industry or one country, but for the whole European economy as cross-border data flows become ever more important for trade and the ability to do business.”
Martin Fanning, partner at Dentons, said: “In a connected world, data is ubiquitous and data protection considerations are paramount. This analysis assists all sides of the Brexit debate, and across all sectors, to examine the challenges posed in relation to the free flow of data.”
In their conclusion, the report’s authors state that while “the UK’s implementation of the Data Protection Bill, and its commitment to the GDPR post-exit from the EU, is important, the UK will also need to assess wider domestic legislation and regulatory considerations to ensure it is in the best possible position to achieve adequacy”.
The report goes on to say: “A mutual adequacy model would preserve the strong working relationships already in place between the UK and EEA and offer businesses much-needed regulatory certainty.”
But this may not be straightforward, the report said. “Foreseeing this potential, the UK and EU should begin their adequacy assessment processes as soon as possible,” it added.
The report also stated, in a footnote, that were the UK to become part of the EEA, “the UK would automatically be considered an ‘adequate’ destination for personal data. As long as the UK remained a member of the EEA, personal data would continue to flow to the UK from locations within the EEA without restriction (and vice versa) – as is currently the case for Iceland, Lichtenstein and Norway”. However, being a member of the EFTA [European Free Trade Area] would not bring the same status, it said.
The report also said the UK may need to become a “party to the EU-US Privacy Shield or set up its own bilateral arrangement with the US to ensure proper protections for UK personal data and facilitate transfers”.
The UK should ensure that its “international and ‘onward transfer’ regimes, including with the US, provide equivalent levels of protection to those set out in the EU’s regime as this will form a key part of the EU’s adequacy assessment”, the report said.
Stephen Jones, CEO of UK Finance, said in support of the report: “It may not always be obvious, but every aspect of our economy as well as our everyday lives rely in some way or another on data. In its current form, the EU’s interconnected regulatory environment facilitates millions of vital data exchanges every today.
“Leaving this relationship will result in significant changes and time must be allowed for new agreements to be put in place. The UK and EU should implement transitional arrangements maintaining the status quo to give both sides time to agree how they will deliver high standards of data protection, allowing both communication and trade to flourish.