HomeInsightsHouse of Lords EU Select Committee publishes report on Brexit: the EU data protection package

Contact

The report looks at the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US Privacy Shield and the EU-US Umbrella Agreement. Both the GDPR and the PCJ will enter into effect in May 2018 while the UK is still a member of the EU. The EU-US Privacy Shield and EU-US Umbrella Agreement are already in effect, but will cease to apply to the UK post-Brexit.

The report notes that the Government has said that it wants to maintain unhindered and uninterrupted data flows with the EU post-Brexit, an objective that the Committee says it supports. However, the Government has not provided any detail as to how to achieve this. In the Committee’s view, “the stakes are high”, not least because any post-Brexit arrangement that results in greater friction around data transfers between the UK and the EU could present a non-tariff trade barrier, putting the UK at a competitive disadvantage. Any impediments to data flows post-Brexit could also hinder police and security cooperation, it says.

For third countries looking to exchange data with the EU, the GDPR and PCJ provide for two broad options. The first would be for the UK to receive an “adequacy decision” from the European Commission certifying that it provides a standard of protection which is “essentially equivalent” to EU data protection standards.

The second option would be for individual data controllers and processors to adopt their own safeguards offering an adequate level of protection to enable personal data to be transferred out of the EU. This would include tools such as Standard Contractual Clauses, and Binding Corporate Rules. The Committee concludes that these would be less effective than an adequacy decision.

However, it will not be legally possible to have an adequacy decision in place at the moment of exit, the Committee says. To ensure uninterrupted flows of data and to “avoid a cliff edge”, it urges the Government to ensure that transitional arrangements are agreed to cover the interim period.

Even though the UK will no longer be bound by EU data protection laws post-Brexit, there is no prospect of a clean break, the Committee says. The legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK. This will necessarily affect UK businesses that handle EU data.

In addition, if the UK were to obtain an adequacy decision, the standards will then need to be maintained so that they continue to meet EU requirements for the transfer of personal data outside its territory.

Similarly, as long as the UK wants to continue to receive unhindered data flows from the EU, the UK will be affected by the EU’s data protection standards relating to the onward transfer of personal data to third countries. The UK’s departure from the EU-US Privacy Shield and the EU-US Umbrella Agreement may require the UK to demonstrate that it has protections in place with the US that ensure the same level of protection as provided for under the two agreements. If the UK were to obtain an adequacy decision, a lax approach to onward transfers of data to third countries would put that adequacy decision at risk.

The UK’s future ability to influence EU rules on data protection is in doubt, the Committee concludes. It urges the Government to retain UK influence, starting by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board. The Government will also need to replace the institutional platforms currently used to exert influence and find a way to work in partnership with the EU to influence the development of data protection standards at both the EU and global level. To access the report, click here.