The House of Commons Select Committee on Exiting the
European Union has issued a report which suggests that, in order to ensure data
flows between the EU and the UK can be maintained after 29 March 2019, the UK
Government should start the process to secure a Data Adequacy Decision from the
EU as soon as possible.
The Chair of the Committee, Hilary Benn MP, said:
‘The ability to move data between the UK and the EU after
the UK leaves the EU is ‘mission critical’ for the UK’s trading relationship.
In the Prime Minister’s Mansion House speech, she said the UK had
‘exceptionally high standards of data protection’ and emphasised that the UK
wanted to ‘secure an agreement with the EU that provides the stability and
confidence for EU and UK business and individuals.’ As a first step, the UK
needs to request an Adequacy Decision from the EU. This will help not just
business but also our future security relationship which is vital to both the
UK and EU. The UK must take steps urgently to enable data to flow between the
UK and the EU on the same terms as now, with no gaps in service. UK citizens
also need to be reassured about what will happen to their personal information
once we exit the EU; they deserve the highest level of data protection – just
as they have now.’
The Committee’s conclusion are as follows.
1. Data flows and data protection are fundamental to the
modern way of life and, increasingly, to the functioning of the economy,
particularly in areas of UK comparative advantage such as services. The
objective in the negotiations for the UK Government must be to maintain high
standards of data protection and ensure that data can continue to be
transferred across borders as it is now. (Paragraph 7)
EU
data protection and third countries
2. The EU’s existing arrangements for providing for data
flows with third countries typically involve a decision of adequacy from the
European Commission. Since the CJEU decision on the US-EU Safe Harbour
agreement, a decision of adequacy will require the third country to provide
protection of fundamental rights essentially equivalent to that provided in the
EU. A range of countries have received an adequacy decision, ranging from
Switzerland to Argentina to New Zealand. The United States and Canada have
limited arrangements. (Paragraph 16)
3. The UK’s proposals accept that the EU will need to assess
the adequacy of the UK data regime. The UK is asking for this to be on the
basis of a two-way agreement—rather than solely a one-way decision of the
European Commission—and in the form of an international agreement—a Treaty. The
UK should provide more information on the distinction between the procedure for
an adequacy decision and the procedure that it expects both parties to go
through to secure an international agreement on data. (Paragraph 30)
4. The EU negotiating guidelines on the future relationship
provide that data protection should be governed by EU rules on adequacy. The
public statements from Michel Barnier have consistently said that the EU will
not share its regulatory autonomy with a third country. The UK has said it does
not wish to interfere with the EU’s decision-making autonomy and respects the
fact that certain EU bodies are subject to CJEU jurisdiction. The EU appears to
consider the UK proposals to be an attempt to retain influence on the EU
regulatory regime from the position of a third country. The UK should accept,
to increase the prospects of securing the Prime Minister’s objectives of
continuing membership by the Information Commissioner on the European Data
Protection Board and representation under the European One-stop shop, that the
CJEU will continue to have jurisdiction over aspects of data protection law in
the UK after exiting the EU. (Paragraph 31)
5. The EU have said as a third country that the UK cannot
have continued participation on the European Data Protection Board or One-stop
shop. No non-EU states are represented on the European Data Protection Board;
and while non-EU EEA countries such as Norway are within the internal market on
data they do not participate on the European Data Protection Board. The EU
wishes to retain its decision-making autonomy, and the UK may be put in a
position where it does not have a role in helping to frame future EU wide rules
on data. (Paragraph 36)
6. As things currently stand, UK businesses will be outside
the provisions of the new One-stop shop, a coordination mechanism designed to
reduce cost and bureaucracy to businesses across the EU. (Paragraph 37)
7. The content of the UK proposal is unprecedented for an EU
third country arrangement on data and there are no existing models for third
country data exchange covering the degree of data sharing in criminal justice
that the UK is seeking. The UK would need an adequacy decision to be able to
engage in data sharing for law enforcement purposes. It would also have to
accept the jurisdiction of the CJEU. It is not in the interests of the people
and governments of Europe for there to be a reduction in cooperation in respect
of policing and law enforcement. We urge both sets of negotiators to find a way
to secure continued high level cooperation on this incredibly important and
sensitive matter. (Paragraph 43)
8. There is a high chance of a legal challenge to any
proposed UK-EU data international agreement. A legal challenge could create
regulatory gaps and uncertainty for business. (Paragraph 47)
9. The UK should accept the provisions in Title 7 of the
draft Withdrawal Agreement providing assurance about the future protection of
personal data already in the UK at the time of withdrawal. Following the
passage of the Data Protection Act, the UK’s data protection law will be
aligned with EU law on the day the UK leaves the EU. As a result, the UK will
be in a very strong position when it seeks a declaration of essentially
equivalent data protection. However, it is seeking an unprecedented agreement
which will be subject to negotiation. The UK Government should be preparing for
the adequacy process and ensuring that there is no risk of a gap in legal
provision for transferring data between the UK and the EU after December 2020.
This would have serious implications for businesses and consumers on both
sides. The UK Government needs to establish with the Commission whether it is
possible for the adequacy process to be initiated before the UK leaves the EU
and, if so, to initiate the process without delay. It needs to provide concrete
assurances that data will be able to flow between the UK and the EU after
December 2020 on the same terms as now. Beyond this, the UK should explore the
possibility of negotiating a bespoke agreement with the EU allowing much closer
cooperation in data protection and data sharing which once achieved could
replace the third party arrangements conferred by a simple adequacy
decision. (Paragraph 51)
10. The alternative legal processes for enabling data
transfers, such as standard contractual clauses, binding corporate rules, codes
of conduct, and certification mechanisms, are unsatisfactory substitutes for an
agreement that data protection rules in the UK are essentially equivalent to
that of the EU. Such alternatives would represent a considerable change from
the status quo, would place a bureaucratic burden on individual businesses, a
burden which would be prohibitive for many small businesses. (Paragraph
57)
11. While there are signs that the EU is moving to the
inclusion of data in trade agreements, the current pattern appears to be for a
trade agreement to be negotiated separately and in parallel to the process of
an adequacy decision. The process for considering an application for data
adequacy is not hampered or delayed by being subject to trade
negotiations. (Paragraph 62)
12. The Government should state if its intention is to
negotiate a single agreement covering the economic and the security aspects of
the relationship, or to separate them into more than one agreement so the data
aspect of the security relationship is not subject to the procedure for the
economic agreement. (Paragraph 63).
Read the full report here.