Data protection and data flows

The issue of data protection and data flows, post-Brexit, is the fundamental question for the digital and tech sectors. As Europe prepares to move into GDPR, the first continent-wide data protection overhaul in 23 years, it is critical for UK businesses to have legal certainty about the UK’s adoption of GDPR. Without GDPR, the UK would need to achieve equivalence and adequacy with any domestic data protection legislation it might choose to adopt. Given the chaos and congestion Brexit is causing in general, it would be all but impossible for the UK to come up with this legislation in time.

GDPR is one piece of a healthy data flow framework, and the UK is not a healthy country by any measure. Other issues, ranging from the ePrivacy directive to passenger name records, have barely been touched upon.

Relevant policy:

Progress and developments:

  • The Committee’s February review of Margot James MP’s responses to their questions on the Privacy Shield assessment make for bleak reading: “As things stand there is no specific arrangement for UK national data protection experts to be involved in any way in relation for the comitology process for making third country adequacy decisions during the transition/implementation period. “
  • In her Mansion House speech of 1 March, Theresa May declared:
    Fourth, we will need an arrangement for data protection. I made this point in Munich in relation to our security relationship. But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing tehe UK’s strong trading and economic links with the EU. That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.This revealed several worrying things: first, the audacity of claming the UK’s “exceptionally high standards of data protection” as a domestic achievement when they are in fact European; second, the desire to secure “more than just an adequacy agreement”, a tacit admission that her government knows that there is no way the UK will be granted adequacy based on its own domestic surveillance legislation; third, the desire for an ongoing role for ICO, a suggestion which is impossible under current EUDPB rules; and a discussion of the “one stop shop” mechanism as a non sequitur.In other words, this was the opposite of clarity and assurance.
  • Ahead of its second reading, the House of Commons Library published an excellent summary of progress on the Bill up until March 2018.