A House of Lords report warns that data sharing between the UK and EU could be disrupted after Brexit if standards are allowed to diverge from the current state.
According to the report, three-quarters of the UK’s cross-border data flows are with EU countries. The sub-committee, Lord Jay said, was concerned that EU and UK data protection rules could diverge over time after the UK has left the EU.
If data sharing is disrupted, it could present a non-tariff trade barrier and potentially hinder law enforcement co-operation, the EU Home Affairs Sub-Committee said.
Its chairman, Lord Jay, voiced concerns over the lack of detail in Government plans to maintain unhindered data flows. Although the Government has stated that it will “seek to maintain the stability of data transfers between the EU, Member States and the UK”, little detail has been offered on how this outcome will be delivered.
The report accepts the Government has been “unequivocal about the need to maintain stability and ensure unhindered and uninterrupted data flows between the UK and the EU post-Brexit” but says action must be taken sooner.
Lord Jay also urged the Government to secure a continuing role for the UK’s information watchdog, the Information Commissioner’s Office, on the European Data Protection Board.
In response, the sub-committee recommends securing an “adequacy decision” for the UK – a ruling by the European Commission that a non-EU country has ensured an adequate level of protection of personal data and no further safeguards are required.
Minister of State for digital, Matt Hancock, was asked how the Government intended to achieve its goal of unbroken data flows, and told the sub-committee there were “many different ways this could work” but he did “not want to stress any particular opinion”.
The report notes that the UK has a record of influencing EU rules on data protection and retention, and risks losing that influence after Brexit.
Stewart Room, PwC’s global data protection legal services leader, who gave both written and oral evidence to the House of Lords committee during its inquiry, said: “A declaration of non-adequacy would be surprising given that the UK has led the way on data protection for years, we have a strong regulator in the form of the Information Commissioner’s Office (ICO), and in many cases our regulations already go far beyond what other EU member states currently have. However, there are only eleven jurisdictions that currently have adequacy agreements in place. This could point to it being a potentially lengthy process, so I would urge negotiations to begin to provide the certainty that’s needed.
“On leaving the EU, the UK would technically be free to abandon the GDPR (it being EU legislation), but retaining it would be in the national interest – both for UK citizens and UK-based data controllers and data processors. It’s likely we’ll see that UK data protection policy after Brexit remains similar, to ensure we’re operating on a level playing field with the rest of Europe.
“Regardless of Brexit negotiations, all organisations that handle data on EU citizens must abide by the GDPR by May 2018 and should continue their preparations accordingly. While there are many elements of our political and economic future that may appear uncertain, it’s vitally important that the controllers and processors of personal data don’t fall into the trap of thinking that the new EU GDPR no longer matters.
“As the Committee has recognised in its report, it is vitally important for businesses and the economy that transitional arrangements are put in place and that the UK continues to have an influential role in Europe on data protection going forwards.”
A section of the report examines the options available to the Government for securing uninterrupted data flows between the UK and EU after the UK exits the EU. Those are: the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US Privacy Shield and the EU-US Umbrella Agreement.
Detlef Spang, CEO for Data Centre Services at Colt, said: “This morning’s report from the House of Lords highlights both the challenges of extracting the UK from European data laws while trying to remain compatible with them, as well as showing how significant the upcoming General Data Protection Regulations (GDPR) will be post-Brexit.
“GDPR will require cloud-based service providers and storage repositories to provide visibility of network traffic. It should mean law enforcement agencies are able to achieve an unhindered flow of data with different countries. However, there are questions over how this information will be shared effectively following a country’s withdrawal from EU membership.
“A new Data Protection Bill was proposed for the UK in a recent speech by the Queen. This would seem to tighten regulations on data access, retention and security even further, as well as potentially overhaul the powers of law enforcement and other agencies regarding access to data for investigations.
“Until negotiations for Brexit are confirmed, data centre providers must continue to provide low-latency, high-performance solutions to ensure seamless operations.”
Following last year’s referendum, the scheduled leaving date for the UK is 29 March 2019, though this departure date may be extended if all 28 EU members agree.