Brexit, Barnier and borderless data flows

The General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 are now in force and together they overhaul the long outdated data protection legislation in the UK. However, with Brexit negotiations continuing, the prospect of ensuring data continues to flow freely between the EU and the UK is becoming increasingly uncertain.

Data Protection Act 2018

The DPA 2018 intends to update and modernise the data protection law framework in the UK, taking into account the increasing digitisation of both the UK economy and society. The importance of this is undeniable as, in the words of Elizabeth Denham, the UK Information Commissioner, ‘the previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media and big data.’

The DPA 2018 sits alongside the GDPR, applying its standards of data protection, as well as supplementing it in other areas, such as law enforcement and national security data, in addition to expanding the Information Commissioner’s Office (ICO)’s responsibilities and enforcement powers. It also covers a number of areas that are not included within the GDPR. However, most importantly, by implementing much of the GDPR word for word, the DPA aims to prepare Britain for Brexit and ensure that data will still be freely exchanged between the UK and the EU from 30 March 2019.

Data Protection post-Brexit

Whilst the intention of the DPA was, in part, to prepare the UK for Brexit, aligning the UK’s standards of data protection with the rest of Europe’s, this may not be as straightforward as it was first hoped. In a speech delivered on 26 May 2018, the day after the implementation of the GDPR, Michel Barnier, the EU’s chief Brexit negotiator, rejected the UK government’s proposal for a special agreement with the EU on data protection.

In his speech, Barnier cited the inclusion of the UK ICO on the European Data Protection Board as a sticking point, stating that “... We cannot, and will not, share this decision-making autonomy with a third country, including a former member state who does not want to be part of the same legal ecosystem as us.” He went on to say that “…as indicated in the European council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision”.

Whether the UK will obtain an adequacy decision is uncertain. Under the previous DPA 1998, the European Commission identified a number of areas in the UK’s national legislative framework (particularly around privacy and surveillance) which it considered to run counter to the Data Protection Directive. It is hard to be optimistic that the UK will achieve the adequacy status Barnier suggests it needs, particularly given the UK Information Commissioner herself had said there will be challenges because of the UK’s national security agencies and bulk collection and retention of data.

If the UK does not achieve adequacy, then unless transitional arrangements are put in place before 11pm, on Friday 29 March 2019, the UK will become a ‘third country’, meaning data sharing across the EU will be restricted unless adequate safeguards can be put in place.

“So what are these adequate safeguards?” we hear you say.

Well, as you have probably guessed when it comes to anything data related, it’s not straightforward, and so we will save this topic for our next blog. Of course, if you can’t wait until then, please do get in contact with a member of our GDPR team.

If you wish to discuss this topic further, please contact Nick Phillips – Partner, Selina Clifford – Associate, or any member of the Edwin Coe Intellectual Property team.

If you aren’t receiving our legal updates directly to your mailbox, please sign up now