In a post-Brexit world where the UK is no longer part of the European Economic Area ("EEA"), the UK will be a 'third country' from the point of view of international transfers of personal data, and will therefore have to satisfy one of the grounds in the GDPR on which such transfers can be made. This issue has been consistently high on the government's radar as one on which it needs to reach agreement with the EU, both to facilitate cross-border business and data flows post-Brexit and to retain a seat for the Information Commissioner (the regulator of the GDPR in the UK) at the table of the European Data Protection Board, the body of European data protection regulators at the heart of developing guidance, practice and law for data protection.
On 23 May, the government issued a proposal to the EU for a new model of Data Protection Agreement. The UK wants to build a 'new, deep and special partnership with the European Union', which goes further than the standard adequacy position.
The standard adequacy approach is deemed insufficient by the government, not reflecting the 'breadth and depth of the UK-EU relationship' and also failing to enable effective co-operation to enforce data protection principles internationally. The key features of the new agreement are to:
- Ensure high standards of data protection for personal data flows;
- Provide for continued regulatory co-operation and consistent enforcement through an appropriate ongoing role for the ICO on the European Data Protection Board; and
- Ensure businesses and consumers are effectively represented under the EU's new 'One Stop Shop' mechanism for resolving data protection disputes when doing business in the EU, to avoid businesses and consumers having to navigate two parallel processes.
However, Michel Barnier poured cold water on the UK's idea, stating that "we cannot, and will not, share this decision-making autonomy with a third country including a former member state who does not want to be part of the same legal ecosystem as us" and outlining various specific problems with the UK's proposal, such as who would enforce against the UK in the case of misapplication of the GDPR, who would ensure that the UK updated its national legislation in parallel with the GDPR, and how uniform interpretation of the GDPR would be achieved. The EU sees no reason why the UK should have anything more than a standard adequacy decision.
To be granted an adequacy decision, a country must be considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Even though at this point in time the UK's laws are identical to the GDPR (subject to the permitted derogations), the UK Information Commissioner acknowledged that the EU has concerns over the UK's national security agencies' bulk collection and retention of data.
If the UK does not achieve an adequacy decision, the parties transferring data would need to use the model clauses approved by the European Commission to govern transfers of personal data. Whilst these are not subject to the same criticisms as the EU-US Privacy Shield, they are currently being challenged by Max Schrems in Ireland. Whilst easy to use, they do involve an additional layer of bureaucracy for companies, and none of the international transfer solutions gives the Information Commissioner a role within the body of European regulators or provides a joined-up solution for businesses operating across the UK and Europe.