Amongst the flurry of DExEu 'Position' and 'Future Partnership' papers in recent weeks was a paper entitled "The exchange and protection of personal data". This is a 'Future Partnership' paper, which means it is focused on the key issues that the UK has identified as part of its desire to forge a 'new, deep and special relationship' with the EU. Clearly recognising the significant value in ensuring ongoing data flows across Europe post-Brexit, the paper proposes an 'ambitious model' and 'unique approach' in relation to data protection and the exchange of personal data between the UK and the EU: in effect, the UK is seeking pre-approved data adequacy status, at least on a transitional basis, which certainly seems ambitious and unique.
In the field of data protection, the paper notes that the UK is starting from an 'unprecedented point of alignment' with the EU, and that it is compliant with EU data protection law and wider global data protection standards. This forms the basis for the proposal of a bespoke UK-EU model for exchanging and protecting personal data, building upon the existing adequacy model. For countries outside of the EEA, the European Commission can decide that their data protection framework is 'adequate', with the consequence that data can flow freely between EEA states and those 'adequate' countries – the Commission has adopted 12 such adequacy decisions to date. Adequacy decisions can only be taken in respect of third countries and so, as noted by the House of Lords EU Home Affairs sub-committee in its recent report calling for the Government to flesh out its data protection Brexit position, a transitional arrangement would have to be agreed during the withdrawal negotiations.
The DExEu paper confirms that the UK would like to agree, at an early stage in the withdrawal negotiations with the EU, mutual recognition of each other's data protection frameworks (albeit it is not really clear why the UK would need to recognise the adequacy of the EU framework), as a basis for continuing free flows of data between the EU and the UK post-Brexit, alongside an agreed negotiating timeline for future longer-term arrangements. The UK also wants to ensure that data flows between the UK and third countries which have existing EU adequacy decisions should be allowed to continue on the same basis post-Brexit (such data flows could, of course, include EU data). Further, the UK wants the ICO to have an ongoing regulatory co-operation role in EU data protection dialogue. No doubt, this is so that the UK can continue to have some voice in shaping the EU's approach to data protection, not least given that the GDPR will still impact on UK businesses and public authorities post-Brexit for data transfers with the EU, and also due to its extra-territorial reach.
The Future Relationship paper follows the Government's Statement of Intent issued earlier in August on its new Data Protection Bill, which is designed to fill in the gaps left by GDPR – which will be directly applicable in the UK from 25 May 2018 – and to address the post-Brexit status of the law.