alexlmx - Fotolia

Exiting EU committee cattle-prods government on 'data adequacy'

House of Commons Select Committee for Exiting the European Union urges the government to start the process to secure a “Data Adequacy Decision” from the EU pronto

The House of Commons Select Committee for Exiting the European Union has urged the UK government to start the process to secure a “Data Adequacy Decision” from the EU as soon as possible.

When the UK leaves the Union on 29 March 2019, it will also leave behind the legal framework for moving data between it and the EU.

In the publication of a report about data flows and data protection after Brexit, chair of the committee, Hilary Benn said: “The ability to move data between the UK and the EU after the UK leaves the EU is “mission critical” for the UK's trading relationship.

In the Prime Minister’s Mansion House speech, she said the UK had “exceptionally high standards of data protection” and emphasised that the UK wanted to “secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals”. As a first step, the UK needs to request an Adequacy Decision from the EU.

“The UK must take steps urgently to enable data to flow between the UK and the EU on the same terms as now, with no gaps in service. UK citizens also need to be reassured about what will happen to their personal information once we exit the EU; they deserve the highest level of data protection – just as they have now.”

Countries which the EU has granted adequacy of data protection status include Argentina, Switzerland and New Zealand.

The committee has said the UK Government “needs to establish with the Commission whether it is possible for the adequacy process to be initiated before the UK leaves the EU and, if so, to initiate the process without delay.

Read more about Brexit and data adequacy

  • Hancock sure UK will obtain and maintain EU data protection adequacy.
  • Post-Brexit, the UK should seek EU data protection adequacy as well as special status regarding the EU Data Protection Board, says information commissioner.
  • The European Commission has emphasised the importance of having a data transfer agreement in place after the UK leaves the European Union.

“It needs to provide concrete assurances that data will be able to flow between the UK and the EU after December 2020 on the same terms as now. Beyond this, the UK should explore the possibility of negotiating a bespoke agreement with the EU allowing much closer cooperation in data protection and data sharing which once achieved could replace the third party arrangements conferred by a simple adequacy decision.”

The committee’s report also notes that, as matters stand presently, the “EU appears to consider ... UK proposals [on future data protection] to be an attempt to retain influence on the EU regulatory regime from the position of a third country”. And that Michel Barnier, who leads the negotiations with the UK on behalf of the Union, has “consistently said that the EU will not share its regulatory autonomy with a third country”.

The committee recommends “the UK should accept, to increase the prospects of securing the Prime Minister’s objectives of continuing membership by the [UK] Information Commissioner on the European Data Protection Board and representation under the European One-stop shop, that the CJEU [Court of Justice of the EU] will continue to have jurisdiction over aspects of data protection law in the UK after exiting”.

The committee is concerned that trade and data flows are currently being discussed separately. It notes that “while there are signs the EU is moving to the inclusion of data in trade agreements, the current pattern appears to be for a trade agreement to be negotiated separately and in parallel to the process of an adequacy decision”.

Regulatory equivalence

The report is partly based on oral testimony, given on 20 June, by Guy Verhofstadt MEP, who is the Brexit co‑ordinator and chair of the Brexit Steering Group in the European Parliament.

The committee did not ask Verhofstadt about data adequacy, but he did have this to say about regulation in another, germane context, financial services: “We see regulatory equivalence as the way forward for financial services ...We decide on our regulatory framework on financial services,” he said.

“If we see there is equivalence on the other side of the Channel, it gives us the possibility to authorise products coming mainly from the City of London to the continent, but always with the possibility for the European Union to stop these authorisations. That is the way the Commission, Council and Parliament are, in a unanimous way, looking to solve the problem of financial services.”

And, on the question of intelligence information sharing, he pointed at an intellectual difference between Anglo-Saxon and continental traditions: “Intelligence sharing will continue. You have to put that in a framework that is consistent. From the beginning, my feeling is about why it is sometimes so difficult between the EU and the UK to talk about these things.

“Maybe you are very practical people. You say, ‘There is a problem. Here is the solution. There is a new problem. Here is the solution’. On the continent, we need a little bit of concept, saying, ‘What is the basis for it? What is the framework for it?’”

Read more on Regulatory compliance and standard requirements