In a technical note published in June 2018, the Department for Exiting the European Union outlined its support for a post-Brexit data protection agreement between the EU and the UK. It aims to help both businesses and individuals, providing a more straightforward approach to data protection post-Brexit.
Because the UK has a large data flow with the EU – and UK law is already compatible with EU data protection law – the Government thinks a special agreement is possible. Here, Lucy Emanuel, a solicitor in our Commercial Disputes team, outlines what the agreement would involve.
Under the General Data Protection Regulation (GDPR), the European Commission can decide whether a country outside the EEA offers an adequate degree of data protection or not. This is called an adequacy decision. Transfers of data from countries within the EEA to those subject to an adequacy decision are covered within EU regulation. But the decisions do not legally require parties to fulfil their obligations. A legally binding agreement, as proposed by the Government, would increase legal certainty by ensuring that both parties deal with any data flow issues. Also, more predictable outcomes for individuals and companies would result in greater transparency.
Cooperation on enforcement and investigations for EU citizens
There is a strong data flow between the EU and the UK, so an approach that isn’t unnecessarily complicated is important. The proposed agreement would allow both EU and UK subjects to enforce their rights with just one regulator – rather than two. This seamless integration would also support the EU’s application of the GDPR.
Keeping it simple for EU citizens and companies
If the Information Commissioner’s Office (ICO) remains a member of the European Data Protection Board, EU citizens and companies will find it much easier to control their data protection rights. This, together with the One Stop Shop, would allow the ICO to conduct thorough and efficient investigations if there’s a breach of EU data rights in the UK.
Cost saving and more efficient processes for EU businesses
Under an adequacy decision, a company breaching data protection rights would be investigated by both UK and EU regulators. This could mean two sets of fines for the same breach – potentially reaching a maximum of €20 million, or 4% of the company’s global turnover. But the UK-EU agreement would only enforce one fine, as the company would only deal with one regulator.
The benefits of the ICO
The ICO is the largest data protection authority in Europe and is very influential; other regulators also use its guidance. It’s recognised as an international authority on the impact of new technologies on privacy rights. A UK-EU agreement would utilise the ICO’s expertise to maintain a close and effective connection between the UK and the EU regulators.