Data protection, data flows, data adequacy, and Brexit

Last updated:

The issues of data protection, data flows, and a data adequacy agreement, post-Brexit, are the fundamental questions for the digital and tech sectors.

The issues at hand are about much more than GDPR, which is only one piece of a healthy data protection framework. The UK is not, and has never been, a healthy country by any measure where data protection is concerned. Other issues, including other policies on data as well as the UK’s domestic surveillance strategy, are only beginning to be recognised now that the UK’s tech sector has been taken out of Europe and the Digital Single Market strategy.

This page is divided into seven policy topics which form the full picture for data protection and Brexit:

GDPR and data protection in general

  • In October 2016 the UK government confirmed that the UK will implement GDPR. The UK Information Commissioner subsequently set out how the ICO would support implementation over the next two years.
  • In December 2016 the Commons held a surprisingly rich debate on GDPR post-Brexit.
  • In March 2017 the EU Committee of the House of Lords drew attention to post-Brexit GDPR and data flow issues. The European Scrutiny Committee of the House of Commons also reviewed the issue, and provided yet more background analysis.
  • In spring 2017 UK Gov ran a consultation on the UK’s GDPR implementation, including derogations. The 2017 Queen’s Speech announced the Data Protection Bill, the legislation intended to act as the bridge between GDPR and any post-European data protection regime.
  • In August 2017 UK Gov launched a publicity campaign about the Data Protection Bill, most of which blatantly claimed the changes the UK was receiving anyway under GDPR as the UK’s ideas, and indeed, the work itself as Matt Hancock’s.
  • On 18 August the House of Lords warned of the dangers of hindering data flows after Brexit.
  • On 27 July the House of Commons research service published a useful basic briefing on data protection after Brexit.
  • On 24 August the Department for Exiting the EU released a remarkably flawed white paper on data flow adequacy after Brexit.
  • The European Commission’s advisory note on data protection and Brexit, published in January 2018, reiterated the paperwork burdens ahead for businesses trading with Europe.
  • In her Mansion House speech of 1 March 2018, Theresa May declared:
    Fourth, we will need an arrangement for data protection. I made this point in Munich in relation to our security relationship. But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing the UK’s strong trading and economic links with the EU. That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.
    This revealed several worrying things: first, the audacity of claming the UK’s “exceptionally high standards of data protection” as a domestic achievement when they are in fact European; second, the desire to secure “more than just an adequacy agreement”, a tacit admission that her government knows that there is no way the UK will be granted adequacy based on its own domestic surveillance legislation; third, the desire for an ongoing role for ICO, a suggestion which is impossible under current EUDPB rules; and a discussion of the “one stop shop” mechanism as a non sequitur.In other words, this was the opposite of clarity and assurance.
  • Ahead of its second reading, the House of Commons Library published an excellent summary of progress on the Bill up until March 2018.
  • The Data Protection Act 2018 received royal assent on 23 May 2018.

And so we come to what happens now.

In the event of a “No Deal” Brexit

In September 2018 DCMS published its guidance on what would happen to data protection in the event of a “no deal” Brexit. With the arrogance the sector has come to expect from Government, the report boasted that “[i]n recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”

In other words, “we’re alright, Jack.” That’s not the problem.

Information travelling in the other direction – from the EU to the UK – would become the responsibility of every recipient to create a legal structure to hold in lieu of what we took for granted under the single market. The guidance suggests that until an adequacy agreement is hammered out (assuming it ever is), organisations should look at standard contractual clauses, derogations, or the other commercial mechanisms normally associated with larger businesses and fully staffed legal departments. Writing in the Irish Independent, Maria Farrell advises that it costs a UK company about £10,000 to apply its own EU-acceptable contract clauses.

It goes without saying that this would destroy the ability of small UK digital businesses to work with anyone but other British businesses and to serve anyone but British customers – which would certainly suit some Brexiters down to the ground.

On 13 December two further pieces of advisory information were published on data protection in the event of a “no deal” Brexit. The first, published by DCMS from the policy perspective, listed the seven elements at stake, being the need to:

  • Preserve EU GDPR standards in domestic law
  • Transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue
  • Preserve the effect of existing EU adequacy decisions on a transitional basis
  • Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses
  • Recognise Binding Corporate Rules (BCRs) authorised before Exit day
  • Maintain the extraterritorial scope of the UK data protection framework
  • Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale

More information, so they said, was forthcoming; and that information turned out to be a meaningless press release in January 2019.

The second half of the “no deal” information came from the ICO from the commercial perspective and addresses the areas businesses will need to look at to continue trading as before. They include: