Data plays an increasingly important role in the global economy. Recent research suggests data flows already account for a higher proportion of global growth than trade in physical goods.85 Data also helps keep people safe by maximising the effectiveness of law enforcement agencies and bringing more criminals to justice.
It will, therefore, be important that a future UK-EU agreement:
- provides for the continued exchange of personal data between the UK and the EU with strong privacy protections for citizens; and
- allows ongoing cooperation between Data Protection Authorities.
The continued exchange and protection of personal data
The UK is a global leader in strong data protection standards. As a member of the EU, the UK has worked closely with the other Member States and the EU institutions to develop robust protections for personal data, ensuring businesses and law enforcement agencies can share data safely and smoothly.
Given the importance of data flows for economic growth and collective security, the UK, and the EU must maintain the ability to exchange data in a way that keeps personal data protected. New arrangements will also be essential in underpinning the economic and security partnerships. For instance, enabling consumers in the EU to continue purchasing goods from the UK over the internet, and supporting the exchange of data between law enforcement authorities to combat crime and terrorism.
Personal data can be transferred freely between Member States and European Economic Area (EEA) countries. Data can flow freely to third countries if the European Commission judges there to be sufficient protection for this data in the destination country. If the Commission assesses that an ‘adequate’ level of data protection is in place, an Adequacy Decision is granted for the third country, allowing EU businesses and public authorities to transfer relevant personal data without having to satisfy themselves that sufficient safeguards are in place each time data is transferred. It also avoids the need for other costly and burdensome legal mechanisms, such as Standard Contractual Clauses.
The EU currently has 12 Adequacy Decisions in place, including for each of the Crown Dependencies, and partial Adequacy Decisions with the US and Canada. The UK believes that the EU’s adequacy framework provides the right starting point for the arrangements the UK and the EU should agree on data protection but wants to go beyond the framework in two key respects:
- on stability and transparency, it would benefit the UK and the EU, as well as businesses and individuals, to have a clear, transparent framework to facilitate dialogue, minimise the risk of disruption to data flows and support a stable relationship between the UK and the EU to protect the personal data of UK and EU citizens across Europe; and
- on regulatory cooperation, it would be in the UK’s and the EU’s mutual interest to have close cooperation and joined up enforcement action between the UK’s
The UK and the EU start from a position of trust in each other’s standards and regulatory alignment on data protection. The UK’s recent Data Protection Act 2018 strengthened UK standards in line with the EU’s General Data Protection Regulation (GDPR) and the Law Enforcement Directive,p roviding a unique starting point for an extensive agreement on the exchange of personal data that builds on the existing adequacy framework. The UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement is in place by the end of the implementation period at the latest, to provide the earliest possible reassurance that data flows can continue.
Ongoing cooperation between Data Protection Authorities
In the context of globalised data flows, cross-border cooperation between domestic data protection authorities is important in monitoring data protection standards and enforcing standards effectively. The ICO is an internationally respected, influential and well-resourced regulator in this regard. As a result, the future UK-EU arrangements on data protection should provide for ongoing cooperation between the ICO and EU data protection authorities.
This would avoid unnecessary complexity and duplication, and overcome barriers for EU citizens and UK nationals in enforcing their rights across borders and accessing effective means of redress. A continuing role for the ICO would also reduce administrative burdens for businesses and provide for cooperation on resolving data protection disputes. Under the new EU data protection regime, this is achieved through the ICO’s participation in the One Stop Shop mechanism.
The UK believes its proposals on regulatory cooperation between data protection authorities are in line with the EU’s developing thinking on cooperation with third countries on data protection.
The GDPR recognises that the European Commission and EU Data Protection Authorities shall take steps to develop international cooperation mechanisms to facilitate effective enforcement of data protection legislation.
The Commission’s January 2017 Communication recognised that “enhancing cooperation with relevant privacy enforcement and supervisory authorities of third countries is increasingly necessary” and that cooperation between these authorities could make the protection of individuals more effective. The Commission also noted that “economic operators would benefit from a clearer legal environment where common interpretation tools and enforcement practices are developed at global level”.
On this basis, the Communication states that “the Commission will develop international cooperation mechanisms with key international partners to facilitate effective enforcement”.
The UK and the EU agree that arrangements allowing the exchange of classified information will be important in building the future partnership. These arrangements should reflect the depth of trust between the UK and the EU and facilitate common analysis, help inform operational planning and deliver cutting-edge capabilities.
The exchange of classified information is fundamental to cooperation across the future partnership, especially in relation to security, but also in the context of economic cooperation. The UK and the EU have commenced discussions on a Security of Information Agreement (SoIA) on classified information, which should facilitate, but not mandate, the exchange of classified information.
The real-time exchange of classified information will be key to underpinning the deep and special relationship that the UK envisages across the future partnership. The UK and the EU also need to exchange sensitive but non-classified information, outside of an SoIA, to support some key areas of the security partnership, such as sanctions.
This Article draws on the White Paper The Future Relationship between the United Kingdom and the European Union Presented to Parliament by the Prime Minister July 2018 Cm 9593. UK public sector information is reproduced pursuant to the Open Government Licence The Legal Materials contain UK public sector information licensed under the Open Government Licence v3.0. The Licence is available at http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/ (the UK Licence).