The report “Brexit: the EU Data Protection Package” came about because of the Sub-Committee’s “routine scrutiny of EU legislative proposals, but also forms part of the coordinated series of Brexit-themed inquiries launched by the European Union Committee and its six Sub-Committees following the referendum on 23 June 2016, which aim to shed light on the main issues likely to arise in negotiations on the UK’s exit from, and future partnership with, the European Union”.
The Sub-Committee supports the governments objectives as set out in the Government’s white paper regarding the UK’s exit from Europe (see here for more detail) but the Sub-Committee highlights that it is “struck” by the lack of detail about how data flows across the EU to and from the UK will be impacted post-Brexit and what the Government’s doing about it.
The report highlights that post-Brexit the UK will be seen as a “third country” for data protection. This means that even though the UK will have engrained the General Data Protection Regulation (GDPR) into UK law at the point of leaving Europe, not being part of Europe will mean the UK will be impacted by the GDPR’s control over the transfer and processing of EU data outside the EU. Or put another way, the UK will be in the same position as the US currently is.
The Sub-Committee proposes the UK Government should aim for adequacy statements from the EU which will confirm that the UK’s data protection regime is adequate. This seems to be preferred to the alternative which is for individual data controllers and processors to ensure they provide adequate safeguards via “Standard Contractual Clauses” or “Binding Corporate Rules” (see here, for existing examples). However, there is an issue that the EU only issues adequacy decisions to third countries which the UK won’t be until Brexit which means there be a period of uncertainty – the Sub-Committee recognises this as a particular issue for law enforcement and national security and is therefore urging the Government to consider this as part of Brexit transitional agreements.
The Sub-Committee also urges the Government to negotiate ongoing Information Commissioner’s involvement in the European Data Protection Board (the EU wide body of regulators) to ensure we have some influence on EU policy makers when it comes to data protection rules. The issue here is, as the report puts it, there won’t be a “clean break” when it comes to data protection law because if we’re to continue to work across the EU will need to have adequate data protection rules in place, and if we can’t influence any future discussion or change to the rules, the UK will be at a disadvantage.
The report is likely to be debated in the House and can be read in full here.