Free flow of data and Brexit

Last updated 24 June 2020

“Free flow of data” refers to data localisation. It should not be confused with data protection, data flows, and an adequacy agreement, which are a wholly different set of issues. There is a 95% chance you are probably looking for the page on data protection, not this one.

The Free Flow of Data initiative is a wider strategy which would ban member states from requiring that businesses must physically localise data storage within their own national borders. It also includes initiatives on data ownership, free flow of data between cloud providers, and a European cloud initiative.

Relevant policies:

The Free Flow of Data initiative is part of the Digital Single Market strategy.

Progress and developments:

This is important. TechUK has drawn attention to the fact that after Brexit, when the UK is no longer part of the EU or the DSM, data localisation rules could be applied in a punitive manner against UK tech businesses. (And, to be frank, why not?) As was stated in a House of Lords hearing:

Baroness Noakes: Could I ask what in particular are you thinking of in terms of interests that could work against the UK?

Antony Walker of TechUK: Data protection and the free flow of data, which is being debated at European level, could set out and require certain kinds of data and activities to be hosted within the European Union. It would mean that therefore there are services that could not be made available to the rest of the European market from here in the UK. If you wanted to attract digital businesses away from the UK and require them to locate within the EU, that would be a mechanism by which do it.

The EU Committee of the House of Lords noted free flow of data issues in March 2017.

Also in March 2017 the European Scrutiny Committee of the House of Commons asked Government to clarify the following questions on data localisation:

  • How reliant does the Government believe the UK economy is on cross-border flows of non-personal data between the UK and EU Member States? Which sectors are most reliant?
  • techUK has raised concerns that EU action on data localisation could, while liberalising the flow of data within the EU, simultaneously introduce EU-level data localisation requirements for service providers from third countries, in order to require digital businesses to relocate part of their operations to the EU.12 Given that the focus throughout the Communication is on ensuring the free flow of data “within the EU”, what is the Minister’s assessment of this risk? Does the Communication dispel these concerns, or not?
  • Given the current timescales for the adoption of legislative measures for the data economy, does the Government believe it will have ample opportunity, pre-exit, to influence any proposals this Communication may lead to? Is the Government concerned that the Commission may have delayed bringing forward concrete measures in order to limit the UK’s opportunity to influence them? and
  • In relation to EU-third country data flows, the Communication states that “the Commission will seek to use EU trade agreements to set rules for e-commerce and cross-border data flows and tackle new forms of digital protectionism in full compliance with and without prejudice to the EU’s data protection rules”. This suggests that it will seek to ensure that the UK complies with EU rules with regard to the digital economy. Does the Minister have a preliminary view as to whether it will seek a close approximation of UK domestic law with the EU acquis in the longer term in order to maximise market scale and minimise barriers to trade, or whether it believes that a more laissez-faire regulatory approach would offer the UK a competitive advantage, nothwithstanding the increased barriers to trade that would arise through regulatory divergence?

The Committee requested responses to the above questions by 6 April.

In their 25 April meeting, the Committee continued their scrutiny of the UK implementation of the Initiative, noting that

the Government intends to submit a response to the European Commission’s consultation on “Building the European Data Economy” by 26 April, and will provide the Committee with a copy of this response;

the Digital Catapult has been engaged with the Government in the development of its thinking in relation to this issue and how to promote the growth of the digital economy in the UK; and

the current regulatory landscape for the free movement of data is “patchy”, with at least four applicable legislative instruments and a number of sectoral exemptions.

Regarding the Brexit-related implications of the file, the Minister states that:

the Commission’s Communication does not completely dispel nor confirm techUK’s concerns that EU action on data localisation could, while liberalising the flow of data within the EU, simultaneously introduce EU-level data localisation requirements for service providers from third countries in order to require digital businesses to relocate part of their operations to the EU;

the Government will continue to press the EU to bring forward concrete measures on data localisation, while the UK remains an EU Member State; and

the Government will seek to maintain unhindered data transfers between EU Member States and the UK, and the full implementation of the General Data Protection Regulation will be the first step in maintaining the stability of cross-border data transfers in the short term.

In November 2017 the Committee cleared the Communication on Building a European Data Economy from further scrutiny. They also requested further information on the Proposal the free flow of non-personal data in the European Union on questions such as “Large cross-border flows of electronic data to and from both data storage providers and data processing providers are likely to contain significant amounts of personal (along with non-personal) data, which is not covered by the draft Regulation. Our assessment is therefore that the proposed Regulation does not reduce the need to secure a sound legal basis for ongoing personal data transfers between the UK and the EU (e.g., an adequacy decision or equivalent arrangement). To what extent does the Government share this assessment?”

In December 2017 the Committee retained the Proposal on non-personal data under scrutiny, on the now-familiar grounds that the Minister and Government have, once again, not done their homework.

In February 2018 the Committee issued a scathing rebuke to Government on its behavior during the December COREPER meeting:

We regret the Government’s failure to communicate to the UK’s Permanent Representation our request that the agreement of an informal mandate in COREPER be deferred until we were provided with the necessary clarifications, and that a General Approach be agreed at a later date instead. In effect, the key stage of the legislative process for the purposes of parliamentary scrutiny has now concluded without Parliament being able to meaningfully exercise its scrutiny function. That a vote will eventually take place in the Ministerial Council at the end of the legislative process in no way mitigates this situation as there will be negligible scope at that late stage to influence the legal text, which will have been agreed by the Parliament and the Council in trilogue negotiations. The Department’s handling of this proposal falls short of our expectations and deprecates parliamentary scrutiny. We note that this is not the first instance of such difficulties arising.22

The Committee demanded answers by 28 March.

See also the European Memoranda page containing various correspondence on the negotiations.