The Government's latest Brexit position paper covers transfers of personal data between the UK and the rest of the EU post-Brexit. As with other position papers published by the Government, the paper provides an outline of the Government's preferred approach and is important reading for any organisation that transfers personal data between the UK and other countries - whether elsewhere in the EU or beyond.

For anyone who has been following this topic, there is little in the way of surprises in the data protection paper. In summary:

  • the Government is seeking a finding of adequacy from the EU in respect of UK data protection law
  • the Government plans for the UK to continue to rely upon the EU's existing adequacy decisions, to ensure a smooth transition for data transfers between the UK and third countries such as Canada and Switzerland, and to the US via the Privacy Shield Scheme
  • the Government would like to discuss a model whereby the Information Commissioner's Office is "fully involved in future EU regulatory dialogue"

Findings of adequacy

As the position paper notes, the finding of adequacy is by far the most preferable basis for enabling lawful transfers of personal data between the rest of the EU and the UK. In the absence of a finding of adequacy, data controllers would need to put in place Standard Contractual Clauses or use Binding Corporate Rules or approved Codes of Conduct, leading to additional cost and administrative complications for organisations. This would not deliver on the Government's desire for "friction free" data transfers.

It is therefore unsurprising that the Government is advocating a finding of adequacy.

Adequacy findings can take some time to be issued, and there is a need to provide organisations with certainty and stability in relation to current data transfer arrangements. The Government is therefore pushing for at least an interim adequacy finding on the basis that the General Data Protection Regulation will enter into UK domestic law under the EU Withdrawal Bill, pending discussions on fuller arrangements.

While the fact that EU data protection law will have applied up until the date of Brexit should make things simpler, it remains to be seen whether controversial legislation such as the Investigatory Powers Act impacts on whether a finding of adequacy is forthcoming. It is somewhat ironic that one of the parties to bring the original challenge to UK investigatory powers legislation which led to last December's decision from the CJEU was a certain David Davis, now Secretary of State for Exiting the EU.

UK adoption of existing EU findings of adequacy

Noting the need to provide certainty and stability to organisations that currently transfer personal data between the UK and countries outside the EU, the suggestion that the UK adopt the EU's existing findings of adequacy is sensible. While the position paper is silent, I presume that the UK would also seek to adopt the current Standard Contractual Clauses approved by the Commission for international data transfers.

What is more interesting is how the UK would respond if an EU supervisory authority or court were to strike down, say, the EU-US Privacy Shield or a finding of adequacy in respect of a particular country.

The ICO's participation in future regulatory dialogue

Both the Government and the ICO have suggested that the ICO would continue to work closely with other supervisory authorities post Brexit, and the position paper proposes exploring mechanisms to make this happen.

The consistency mechanism under the GDPR requires supervisory authorities such as the ICO to operate in a consistent manner across the EU. It seems likely that one of the reasons for the prolonged delays in GDPR guidance from the Article 29 Working Party (WP29)/European Data Protection Board (EDPB) is the need to reach consensus across 28 supervisory authorities, each of which has historically taken a different approach to interpreting EU data protection law.

A loss of UK influence going forward may lead to an approach that is more aligned with the views of those supervisory authorities that have historically been pro-individual. That, in turn, may lead to post Brexit differences in interpretation arising between the UK and the rest of the EU (which in turn may impact on any finding of adequacy in respect of the UK).

It is therefore understandable that the Government would like to ensure that the ICO still has a seat at the table.

On the other hand, the position paper states that the "UK Government will continue to have responsibility for the content and direction of data protection policy and legislation within the United Kingdom." Would the EU permit the ICO to have that seat at the table if the UK did not agree to be bound by the WP29/EDPB guidance?

That, as with many things associated with Brexit, is likely to be a matter of politics.

Find out more

You can download the Government's position on the Gov.uk website.

Find out more about the GDPR on our GDPR Hub.

Contributor

Martin Sloan

Partner