Delphotostock - Fotolia

UK makes its case for post-Brexit data adequacy decision

Government sets out an explanatory framework as it seeks adequacy decisions from the European Commission to maintain the free flow of personal data between the European Union, the UK and Gibraltar

The UK government has set out its stall in preparation for a series of upcoming assessments by the European Commission (EC) as it seeks to secure adequacy decisions from Brussels to maintain the free flow of personal data after the Brexit transition period ends.

In a series of newly published documents, the government emphasised the UK’s “world-class” data protection regime and stressed the contribution the UK made to the development of the European Union (EU) General Data Protection Regulation (GDPR).

“The continued free flow of personal data is vital for the future relationship between the UK and the EU,” said the government in its preamble. “Imports and exports of both goods and services heavily depend on the free flow of personal data between the UK and the EU.

“EU personal data-enabled services exports to the UK were worth approximately £42bn (€47bn) in 2018, and exports from the UK to the EU were worth £85bn (€96bn).

“Given these economic ties and our shared commitment to high data protection standards, the government believes it is in both parties’ interests to act quickly to ensure the reciprocal free flow of personal data between the EU and the UK.

“The UK government stands ready to assist the Commission in undertaking an assessment to allow the adoption of adequacy decisions for the UK and Gibraltar. We have made arrangements to allow for the free flow of UK personal data to the EU.”

Adequacy decisions are a legal mechanism by which the EC facilitates personal data transfers from the EU to third countries – they can encompass data flows under Article 45 of the GDPR for general and commercial purposes, as well as data flows under Article 36 of the Law Enforcement Directive (LED) for law enforcement needs.

A decision in the UK’s favour will, in effect, confirm that the country’s data protection standards are “essentially equivalent” to those of the EU and are adopted based on a “positive assessment of the third country’s data protection framework by the EC”.

The UK is taking the position that because the 2018 Data Protection Act and the GDPR were developed hand-in-hand with the EC, they provide comprehensive protections for data subjects that are already equivalent to those in EU law.

The UK’s protections include principles to protect personal data in terms of lawfulness, fairness, transparency, purpose limitation, data limitation, accuracy, storage limitation, integrity and accountability; clear grounds limiting when processing of personal data is lawful; effective and enforceable rights that give individual citizens control over their data in terms of requesting access, information on how it is being used, corrections to it, and deletion; limits and conditions to make sure that when restrictions to user rights are provided for, they are necessary and proportionate; onward transfer rules for data that subsequently leaves the UK; and additional safeguards for records of processing, data protection impact assessments, the appointment of data protection officers, and breach notification.

Read more about Brexit and data protection

  • Shadow digital minister Chi Onwurah challenges the government to stop Google’s plans to move UK user data out of the EU as a result of Brexit.
  • The extra work for banks due to Brexit preparations has caused a delay to FCA work on the use of data in the wholesale banking sector.
  • Transferring data to and from the EU will only be possible if an agreement is in place before the UK leaves. No deal means no data agreement.

“Robust rules require robust enforcement, and the UK’s framework provides for effective administrative and judicial redress for data subjects in the UK and the EU,” said the government.

It pointed out the Information Commissioner’s Office’s track record of strong regulation and tough sanctions on offenders since the GDPR came into force, and robust laws pertaining to law enforcement and national security, in particular the controversial Investigatory Powers Act of 2016.

It also cited the much-criticised £1.9bn National Cyber Security Strategy, alongside the Centre for Data Ethics and Innovation and Office for Artificial Intelligence as further evidence that the UK was to be taken seriously on data security.

“The UK puts data protection and trust at the heart of our digitised society,” said the government. “Our ongoing ability to do this will require a world-leading and global response that sees us work in tandem, at a domestic and international level, to uphold strong data protection standards that enable the societal and economic promise of data while safeguarding rights and protections.

“The UK stands ready to offer further clarifications throughout the assessment process and looks forward to an open dialogue with the Commission.”

Read more on Privacy and data protection