The UK must try to influence data protection data rules made in Brussels after Brexit, according to a report from the UK House of Lords published on Tuesday.
The report, part of a series of investigations into issues that will arise in Brexit negotiations, urges the government to push for a continuing role for the UK's information watchdog, the Information Commissioner's Office, on the European Data Protection Board.
"The UK has a track record of influencing EU rules on data protection and retention," the report says. "It is imperative that the government considers how best to replace those structures and platforms."
In view of the fact that three-quarters of the UK’s cross-border data flows are with EU countries, the UK Information Commissioner, Elizabeth Denham, said the government should do anything it can to ensure that her office has, “some status, be it observer status” on the board.
Even if the UK’s data protection rules are fully aligned with the EU regime, there remains the prospect that the EU will change its rules over time.
Maintaining unbroken data flows with the EU could therefore require the UK to continue to keep its domestic data protection law up to date with the EU, while no longer have a role in setting these rules.
The report, written by the Lord’s EU home affairs sub-committee, looks at four cross-border data-sharing arrangements: the general data protection regulation, the police and criminal justice directive, the EU-US privacy shield and the EU-US umbrella agreement.
The data protection and police regimes will enter into UK legislation in May 2018, 10 months before Brexit. The EU-US privacy shield and EU-US umbrella agreement are already in force, but will cease to apply to the UK after Brexit.
No clean break
The report says, “there is no prospect of a clean break” from EU data protection rules after Brexit, with the legal controls placed by the EU on transfers of personal data outside its territory continuing to apply when data is transferred to the UK.
This will necessarily affect UK businesses handling EU-origin data. Cross-border data flows in and out of the UK increased 28-fold between 2005 and 2015 and are expected to grow another five times by 2021.
As long as UK data controllers and processers wish to continue to receive personal data from the EU they will need to maintain data protection standards that meet EU requirements, the report says.
“If you are running global operation, you will want to have consistent processes across your businesses,” said Antony Walker, deputy CEO of the industry group TechUK. “What we are seeing is that global firms based outside of the EU are taking the [EU data protection law] as the norm for their business and are building their processes around it, so, for very large companies, there is no desire to diverge — the opposite, because they worry about falling between the gaps.”
Out of EU, but hands still tied
Walker predicted there would be constraints on the UK government’s ability to alter data protection rules in the future of its own accord.
“We can try to be at the forefront of thinking about how things need to change, but we would need to bring the rest of the EU with us, and it is not clear to me exactly how we would do that,” he said.
“We have to remember the size of the UK market versus the size of the European market”, which means that “we will have to do that very much in partnership with the EU, rather than simply boldly striking out by ourselves and hoping others will follow,” he added.
The new rules introduce heftier financial penalties against controllers or processors who violate data protection rules. Data controllers can face fines of up to the higher of €20 million or 4 per cent of their global annual turnover.
Cards to chest
Although the UK government has stated that it "will seek to maintain the stability of data transfers between the EU, member states and the UK", little detail has been offered, the report says.
When asked by the committee how the government intended to achieve its goal of free data flows, Matt Hancock, minister of state for digital, said there are "many different ways this could work" but he did "not want to stress any particular option".
Susan Williams, minister of state at the Home Office, told the committee it was "too early to say what the future arrangements might look like".
In the longer term, an international treaty on data protection between data protection authorities in the world’s largest markets is desirable, the report says.
“The government’s long-term objective should be to influence the development of any such treaty,” the report says.