In the latest of a series of papers on the UK government’s proposals for future relations with the EU, the first detail of how data regulation might work has been unveiled. It makes for some interesting reading. The UK is proposing a sort of ‘adequacy plus’ status which it says would build on the adequacy model.
Currently, the EU can designate non-EU countries as having adequate data protection standards which means transfers between the EU and those countries can take place more freely. The suggestion being made is that the UK might enjoy that sort of status but with two key added extras. This is where it becomes both interesting and extremely complex.
One limb of the ‘adequacy plus’ proposal is that the UK’s data regulator – the ICO – could still be part of EU ‘regulatory fora’. However, GDPR has set up a formal framework for EU-wide supervision of data laws including the creation of the European Data Protection Board. The Board is responsible for the consistent application of GDPR across the EU, including issuing binding decisions if there are disputes between national regulators, especially on questions of cross-border regulation.
If GDPR is to be maintained in full post-Brexit, then the UK will be subject to the Board’s decisions. It would therefore seem sensible to participate in it but this is a vexed area. There is an obvious tension between being a part of an EU body (which the Board is) when not in the EU.
Also, according to GDPR, the exercise of powers by the ICO must be subject to safeguards including judicial remedies under Union law in accordance with the Charter rights – which includes the European Court of Justice.
Free flow of personal data
The second limb of ‘adequacy plus’ is that the EU recognises at an early stage in the exit process that the UK’s regime will be declared satisfactory to allow the free flow of personal data between the EU and the UK to continue unhindered, impliedly without the need (and resultant delay) for a formal adequacy decision.
The proposal is a mutual UK-EU data regime recognition based on the full implementation of GDPR here. In the meantime, while such long-term proposals are worked out, the government is also seeking an interim adequacy recognition to maintain the status quo after March 2019.
The paper also recognises the economic importance of data to the EU, estimated as being worth EUR643 billion by 2020.
Jo Sanders, Data and Privacy partner, said: “The role that the UK will play in future pan-European data regulation gives rise to a real conundrum. This isn’t just an academic question, as the European Data Protection Board will decide questions like which country should regulate a business if where it is established is in dispute.
“The government has indicated that it wants the UK to continue playing a central role in data regulation, given the size and significance of data businesses here, but there are legal and political hurdles to clear for that to be able to happen.”
You can read the full government position paper here.