The UK has a long history of strong domestic personal data protection standards ensuring individuals have control over and benefit from transparency as to how their personal data is being used. The UK’s ambition is to remain a global leader in this area to protect the privacy of individuals. lndeed, the UK’s Data Protection Act 2018 further strengthened UK standards in line with the EU’s General Data Protection Regulation (GDPR) and the Law Enforcement Directive.162 As a result, the UK will start its future relationship with the EU from a position of regulatory alignment.
The UK is seeking a new agreement with the EU, which builds on the EU’s existing adequacy model for enabling EU personal data flows to third countries. This agreement should provide certainty on the rules governing future data flows to citizens, public authorities, law enforcement agencies and business in the UK and the EU. The UK is seeking an appropriate ongoing role for the lnformation Commissioner’s office (LCO), the UK’s independent Data Protection Authority, to provide for valuable cross-border cooperation between data protection authorities.
Personal data flows are important for the UK and the EU Member State economies and for wider law enforcement cooperation, McKinsey research indicates that data flows now have a larger impact on global growth than trade in goods.163 These flows matter to all sectors of the economy, as well as for public authorities The UK and the EU also share criminal records and alerts on wanted individuals or suspected terrorists to protect citizens, as set out in detail in chapter [x] – Security, Law Enforcement and Criminal Justice. A future partnership with the EU on the exchange and protection of personal data will be an important underpinning element in maintaining and developing the strong economic and security links between the UK and the EU.
The Commission has an existing process to formally recognise that a third country outside the European Economic Area (EEA) provides an ‘adequate’ level of data protection which is ‘essentially equivalent’ to EU law. Adequacy decisions allow EU businesses and public authorities to transfer relevant personal data from the EEA to third countries without having to satisfy themselves that sufficient safeguards are in place for each transfer. This means businesses and organisations do not have to put in place other legal mechanisms, such as Standard Contractual Clauses (SCCs), which can be costly and burdensome. The recent Law Enforcement Directive provides for a comparable adequacy process in respect of data transfers for law enforcement purposes.
There are currently 12 adequacy decisions in place. Third countries do not formally agree or sign up to these decisions, although they are informed by prior discussions with the Commission. ln making its assessment the Commission will scrutinise the third country’s domestic data protection legislation and practice, as well as compliance with relevant international standards, to ascertain whether the data protection standards in the third country are ‘essentially equivalent’ to those applied in the EU. Decisions are subject to review and may be challenged in the CJEU.
ln the context of globalised data flows and the introduction of the GDPR, cross-border cooperation between domestic Data Protection Authorities is increasingly valuable in monitoring data protection standards and enforcing them effectively. The ICO is an internationally well-respected, influential and well-resourced regulator with a strong track-record of robust enforcement of data protection standards and has a reputation for working effectively across borders with other Data Protection Authorities. [The European Commission has recognised that, ‘enhancing cooperation with relevant privacy enforcement and supervisory authorities of third countries is increasingly necessary’ and that cooperation between these authorities could make the protection of individuals more effective. The Commission also noted that ‘economic operators would benefit from a clearer legal environment where common interpretation tools and enforcement practices are developed at global level.’ The new agreement should therefore allow for an appropriate ongoing role for the ICO on the European Data Protection Board (EDPB) and in the EU’s new ‘One Stop Shop’ mechanism for resolving data protection disputes established under the GDPR, for the benefit of individuals, businesses and public authorities.
A new agreement would:
- provide strong privacy protections for UK and EU citizens whose data flows between the UK and the EU;
- provide greater certainty to citizens, public authorities and business in the UK and the EU as regards their respective rights and obligations;
- avoid two parallel processes on disputes – one in the UK led by the ICO and one in the’one stop shop’, for EU businesses operating in the UK; and
- provide stability and certainty to the significant ongoing cooperation between the law enforcement agencies in the UK and the EU.
The UK and the EU agree that arrangements for the exchange of classified information in the security area and beyond will be key to underpinning the deep and special partnership that we envisage. We will look to build upon existing precedents between the EU and third countries to reflect the deep relationship, and high level of trust, between the UK and the EU, facilitate common analysis, help inform operational planning, and deliver cutting-edge capabilities.