Brexit: the EU data protection package

The House of Lords EU Home Affairs sub-committee has issued a detailed report reviewing the implications of Brexit for the EU data protection package (comprising the General Data Protection Regulation (GDPR), the Policy and Criminal Justice Directive, the EU-US Privacy Shield and the EU-US Umbrella Agreement).  Whilst the Government has said that it wants to secure unhindered and interrupted flows of data between the UK and EU post-Brexit, the report notes the striking ‘lack of detail in the Government’s assurances’.  Given that failure to reach an acceptable arrangement will lead to potential barriers to trade, the report identifies a number of issues and recommendations:

  • The most effective way to achieve the objective of unhindered flows of data is to secure adequacy decisions from the European Commission which confirm that the UK’s data protection rules offer an equivalent standard of protection. There are alternative mechanisms to facilitate cross-border flows (e.g., individual data controllers and processors could rely upon Standard Contractual Clauses and Binding Corporate Rules) but these are sub-optimal and may not be available to some types of companies.  There is, of course, an outstanding legal challenge in Schrems II  against Standard Contractual Clauses.
  • However, as an adequacy decision can only be taken in respect of a ‘third country’, a transitional arrangement must be agreed during the withdrawal negotiations.
  • As the EU-US Privacy Shield will no longer apply to the UK post-Brexit, EU rules may require the UK to show that it has arrangements in place with the US affording the same level of protection (e.g., Switzerland has secured both an adequacy decision from the EU and a mirror of the Privacy Shield agreement).
  • There is no prospect of a ‘clean break’ in data protection rules. Even if the UK does not seek to secure an adequacy decision, the GDPR has extra-territorial reach in that it applies to transfers of data from the EU to the UK.
  • As a third country, the UK could find itself subject to a higher standard than as a Member State.
  • The UK has a strong track record of influencing the development of EU data protection and retention rules. In order to ensure continued UK influence, the Government should seek to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.
  • In the longer term, the Government should aim to influence the development of an international treaty on data protection.

It will be necessary to address these points to enable uninterrupted trade between the UK and the EU post Brexit. The government will need to commit to concrete plans around data protection sooner rather than later so companies can ensure they are compliant.  And the devil, of course, will be in the detail.