Title Original Language:
The progress of the UK’s negotiations on EU withdrawal: Data
Abstract Original Language:
Data ﬂows and data protection are fundamental to the modern way of life and, increasingly, to the functioning of the economy, particularly in areas of UK
comparative advantage such as services. The objective in the negotiations for the UK Government must be to maintain high standards of data protection and ensure that data can continue to be transferred across borders as it is now. EU data protection and third countries. The EU’s existing arrangements for providing for data ﬂows with third countries typically involve a decision of adequacy from the European Commission. Since the CJEU decision on the US-EU Safe Harbour agreement, a decision of adequacy will require the third country to provide protection of fundamental rights essentially equivalent to that provided in the EU. A range of countries have received an adequacy decision, ranging from Switzerland to Argentina to New Zealand. The United States and Canada have limited arrangements. The negotiation positions. The UK’s proposals accept that the EU will need to assess the adequacy of the UK data regime. The UK is asking for this to be on the basis of a two-way agreement—rather than solely a one-way decision of the European Commission—and in the form of an international agreement—a Treaty. The UK should provide more information on the distinction etween the procedure for an adequacy decision and the procedure that it expects both parties to go through to secure an international agreement on data. The EU negotiating guidelines on the future relationship provide that data protection The UK should accept the provisions in Title 7 of the draf Withdrawal Agreement providing assurance about the future protection of personal data already in the UK at the time of withdrawal. Following the passage of the Data Protection Act, the UK’s data protection law will be aligned with EU law on the day the UK leaves the EU. As a result, the UK will be in a very strong position when it seeks a declaration f essentially equivalent data protection. However, it is seeking an unprecedented
agreement which will be subject to negotiation. The UK Government should be preparing for the adequacy process and ensuring that there is no risk of a gap in legal provision for transferring data between the UK and the EU afer December 2020. This would have serious implications for businesses and consumers on both sides. The UK Government needs to establish with the Commission whether it is possible for the adequacy process to be initiated before the UK leaves the EU and, if so, to initiate the process without delay. It needs to provide concrete assurances that data will be able to ﬂow between the UK and the EU afer December 2020 on the same terms as now. Beyond this, the UK should explore the possibility of negotiating a bespoke agreement with the EU allowing much closer cooperation in data protection and data sharing which once achieved could replace the third party
arrangements conferred by a simple adequacy decision. The alternative legal processes for enabling data transfers, such as standard contractual clauses, binding corporate rules, codes of conduct, and certifcation mechanisms, are unsatisfactory substitutes for an agreement that data protection
rules in the UK are essentially equivalent to that of the EU. Such alternatives would represent a considerable change from the status quo, would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses. While there are signs that the EU is moving to the inclusion of data in trade agreements, the current pattern appears to be for a trade agreement to be negotiated separately and in parallel to the process of an adequacy decision. The process for considering an application for data adequacy is not hampered or delayed by being subject to trade negotiations. The Government should state if its intention is to negotiate a single agreement covering the economic and the security aspects of the relationship, or to separate them into more than one agreement so the data aspect of the security relationship is not subject to the procedure for the economic agreement.