On 24 August 2017, the UK government published its latest Brexit position paper, this time setting out its plans for ensuring that personal data can continue to move back and forth between the UK and the EEA once the UK leaves the EEA.
In this short update, we summarise the key messages, why it matters and what happens next.
What are the key messages?
In its proposals, the UK government:
- reiterates the importance of EEA-UK data flows to the UK and EU economies and to the fight against serious crime and terrorism;
- confirms (again) that the new UK Data Protection Bill will implement the General Data Protection Regulation (GDPR) into UK law (as summarised in our recent update);
- proposes a mutual recognition of the respective EU and UK data protection frameworks to allow for the continued free flow of data between the UK and the EU (and other third countries covered by existing adequacy decisions) from the point of exit until more permanent arrangements are in place;
- requests agreement on a negotiating timeline for longer-term arrangements (beyond the initial mutual recognition of each other’s data protection frameworks) – the UK government suggests the creation of a bespoke data transfer arrangement, building on the existing adequacy model; and
- rather unusually, recommends that the UK’s Information Commissioner’s Office (ICO) continue to participate in, and have an ongoing role in, EU data protection regulatory fora (presumably including the European Data Protection Board, the successor to the Article 29 Working Party); if agreed, this is likely to be good news for businesses that are used to the ICO’s pragmatic approach to enforcement.
Why does it matter?
As explained in detail in our earlier article, the GDPR (which applies from 25 May 2018) restricts businesses and other organisations from transferring personal data outside the EEA unless a recognised transfer mechanism applies: an adequacy decision, appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of a limited set of derogations.
Failure to reach a satisfactory agreement on legitimising EEA-UK data flows post-Brexit could have far-reaching consequences for businesses (both in the UK and in the EEA). Businesses would be left facing regulatory uncertainty, (yet more) contingency planning and (potentially) re-negotiation of contractual arrangements. The effects would be similar to the impact of the invalidation of Safe Harbor on EU-US data flows back in October 2015 (until it was replaced by the EU-US Privacy Shield).
Retaining the status quo at the point of exit (as is being proposed by the UK government) would enable many businesses to breathe a sigh of relief, at least in the short-to-medium term. A longer-term arrangement is likely to take months (if not years) to agree.
What can we expect next?
Whether or not the EU accepts the UK government’s proposals for legitimising EEA-UK data flows remains to be seen; it is just one in a long list of issues to discuss as part of the Brexit negotiations.
In the meantime, the recommendations in our earlier article still stand. Businesses should:
- continue business as usual – in particular, continue to take steps to comply with the GDPR from 25 May 2018;
- identify data flows, particularly EEA-UK data flows – many businesses will already be doing this as part of their GDPR readiness projects;
- approach data protection policies and procedures across the EEA (including the UK) consistently; and
- assess flexibility in key contractual data processing provisions – do they enable you to introduce alternative compliant data transfer solutions?
This article was prepared with the assistance of Elliott Prentiss, Associate at Osborne Clarke.