EU Privacy OK Would Ensure Data Transfers to Post-Brexit U.K.


By Ali Qassim

The U.K. should seek privacy adequacy approval from the European Union to allow easier data transfers to continue after Brexit or businesses will be at a “competitive disadvantage,” U.K. lawmakers recently said.

After it officially leaves the EU at the end of March 2019, the U.K. will be treated like other non-EU countries that seek ways to lawfully transfer data from EU member countries—which will stand at 27 after the U.K.'s departure. Obtaining an official European Commission finding that the U.K.'s privacy regime is adequate to protect the privacy of EU citizens’ personal data is critical to maintain effective data transfers in a digital economy, according to a July 18 report from the House of Lords EU Committee.

The report said that three-quarters of data transfers by U.K. companies are with EU countries. If the government fails to secure an adequacy decision, “it could present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage,” the House of Lords report said.

The House of Lords committee highlighted its concern “by the lack of detail” on how the government plans to maintain “unhindered” data flows post-Brexit, as well as by its “non-committal” approach to whether it plans “to seek an adequacy decision.”

Ruth Boardman, a data protection partner at London-based firm Bird & Bird, told Bloomberg BNA that the EU’s new General Data Protection Regulation complicates the post-Brexit privacy analysis. U.K. companies that conduct business in the EU will have to comply with the EU’s new privacy regime when it takes effect in May 2018, but that doesn’t mean the U.K. should rush to change its privacy laws to meet GDPR obligations, she said.

“Significant change will just add uncertainty and cost—and will damage attempts for the UK to secure an adequacy decision,” she said.

Jan Philipp Albrecht, a German Green lawmaker and vice-chairman of the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE), said at a July 19 Brookings Institution event in Washington that gaining adequacy approval is difficult, and that recent changes in the U.K. to allow the government easier access to consumer data won’t make the task any easier.

Continue GDPR Preparations

A U.K. Department for Digital, Culture, Media and Sport spokesman told Bloomberg BNA July 19 that the government “is considering all the options” to ensure that the U.K.'s data protection regime “continues to build a culture of data confidence and trust” and “supports businesses in the global economy.”

The House of Lords panel advised businesses to continue to prepare for the upcoming GDPR, even if the government doesn’t “pursue full regulatory equivalence in the form of an adequacy decision” with the EU.

The committee said that those that hoped for a “clean break” from the EU won’t realize that goal. Since U.K. businesses will have to abide by the GDPR, it must follow “legal controls placed by the EU on transfers of personal data outside its territory,” it said.

Boardman agreed that companies need to take “significant steps to be GDPR-ready,” adding that many have already started their preparations. “Post Brexit, UK businesses who also operate in, or sell to, the EU, will have to comply with GDPR for that portion of their business,” she said.

U.K.-U.S. Data Transfer Concerns

U.K.-based companies also need to prepare for cross-border data transfers with the U.S., given that the EU-U.S. Privacy Shield program will cease to apply to the U.K. post-Brexit, the House of Lords committee said.

The Privacy Shield program is used to more easily transfer data out of the EU by over 2,100 U.S. companies, including Facebook Inc., Alphabet Inc.'s Google, and Microsoft Corp., that certify to the Department of Commerce their compliance with EU-approved privacy principles. Limiting U.S. government access to data once it is moved to the U.S. is a fundamental basis underlying the EU’s approval of the system.

Rosemary Jay, privacy and data protection senior consultant attorney at Hunton & Williams in London, who appeared before the committee, said that the U.K. may be able to follow in Switzerland’s footsteps to effectuate cross-border data transfers with the U.S. Switzerland, as a non-EU member, offered a “possible model” for the U.K. to follow, she said.

“Switzerland has an adequacy finding, so it is regarded as equivalent and adequate, and then it has a mirror of the Privacy Shield agreement with the US,” she told the committee.

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the House of Lords report is available at http://src.bna.com/qUH.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
