Data flows crucial for post-Brexit success, Lords say

The Government should pursue full regulatory equivalence with the EU with respect to data protection in order to ensure unhindered data flows between the UK and EU post-Brexit, offer stability and certainty for businesses and maintain police and security cooperation, says the EU Home Affairs Sub-Committee in a new report.

Maintaining unhindered and uninterrupted data flows between the UK and EU after Brexit is an important aim, as any arrangement that results in greater friction could present a non-tariff trade barrier that puts the UK at a competitive disadvantage and hinders police and security cooperation.

Although the Government has stated that they “will seek to maintain the stability of data transfers between the EU, Member States and the UK”, little detail has so far been offered on how the Government plans to deliver this outcome.

In its report, by looking at four elements of the EU’s data protection package the Committee examines the options available to the Government for securing uninterrupted data flows between the UK and EU after the UK leaves the EU. These elements are the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US Privacy Shield and the EU-US Umbrella Agreement.

“The volume of data stored electronically and moving across borders has grown hugely over the last 20 years,” the report said. “Between 2005 and 2012 alone, internet traffic across borders increased 18-fold. The maintenance of unhindered data flows is therefore crucial, both for business and for effective police cooperation.

“The Committee was concerned by the lack of detail on how the Government plans to maintain unhindered data flows post-Brexit. It was concerned, too, by the risk that EU and UK data protection rules could diverge over time when the UK has left the EU. To avoid this, the Committee urges the Government to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board”.

Key findings of the report include:

  • There was consensus among witnesses that the most effective way to achieve unhindered flows of data would be to secure adequacy decisions from the European Commission under Article 45 of the General Data Protection Regulation and Article 36 of the Police and Criminal Justice Directive, thereby confirming that the UK’s data protection rules would offer an equivalent standard of protection to that available within the EU.
  • EU adequacy decisions can only be taken in respect of third countries – i.e. countries that are not EU Member States – and there will therefore be legal impediments to having such decisions in place at the moment of exit. If there is no transitional arrangement on data protection post-Brexit, this could put at risk the Government’s objective of securing uninterrupted flows of data, thereby creating a cliff-edge.
  • Without a transitional arrangement, the lack of tried and tested fall-back options for data-sharing in the area of law enforcement would raise concerns about the UK’s ability to maintain deep police and security cooperation with the EU and its Member States in the immediate aftermath of Brexit.
  • Even if the UK’s data protection rules were aligned with the EU regime to the maximum extent possible at the point of Brexit, there remains the prospect that over time, the EU would amend or update its rules. Maintaining unhindered data flows with the EU post-Brexit could therefore require the UK to continue to align domestic data protection rules with EU rules that it no longer participates in setting.
  • It is imperative that the Government consider how best to replace those structures and platforms that have allowed it to influence EU rules on data protection and retention. It should start by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.

The full report can be viewed here.

Related reading