Following the Government’s decision to include a revised data protection law in the Queen’s Speech last month, the House of Lords EU Home Affairs Sub-Committee reviewed the potential implications on national security, stability and public safety of the UK exiting the European Union without an agreement to ensure there is unhindered data flow between the two sides. The Committee issued a stark warning that it was “struck by the lack of detail” on how the Government would ensure that the UK data protection regime continues to allow data transfer with the European Union in a post-Brexit world.
The Committee highlighted the following issues:
- Competitive disadvantage. Any post-Brexit arrangement that leads to greater friction around UK-EU data flows could pose a non-tariff barrier to trade, putting the UK at a competitive disadvantage;
- Security and cooperation. Any impediments to data sharing could hinder police and security cooperation. For example, access to databases such as the Schengen Information System (SIS II) and the European Criminal Records Information System (ECRIS), which hold an 8,000-name watch list of suspected terror suspects, rely on shared data protection standards;
- Adequacy. The Government should pursue an ‘adequacy decision’ as the most comprehensive option for maintaining unhindered data flows post-Brexit. Alternatives, such as reliance on Standard Contractual Clauses would be less effective. Adequacy decisions are only made with regard to third countries–in this context, non-EU Member States–and follow a set procedure. To avoid a cliff-edge there will need to transitional arrangements to cover the gap between leaving the EU and obtaining an adequacy decision.
- Differing standards. The UK could find itself being held to a higher standard as a third country than it does as a Member State, since it will no longer be able to rely on the national security exemption on the Treaty on the Functioning of the European Union.
- No ‘clean break’. Even though the UK will no longer be bound by EU data protection laws, there is no prospect of a clean break. Legal controls on the transfer of personal data to non-EU countries mean that any changes in the EU data protection regime could affect the standards that the UK needs to meet to maintain an adequate level of protection.
- Loss of influence. Brexit means the UK will lose the institutional platform from which it has been able to influence EU data protection rules. The Committee recommended that the Government secure “a continuing role” for the UK’s ICO on the European Data Protection Board.
We will continue to monitor and report as both Brexit negotiations and the proposed new UK Data Protection bill progress.