Privacy & Information Security Law Blog

On July 18, 2017, the European Union Committee of the UK’s House of Lords published its paper, Brexit: the EU data protection package (the “Paper”). The Paper urges the UK government to make good on its stated aim of maintaining unhindered and uninterrupted data flows between the UK and EU after Brexit, and examines the options available to ensure that this occurs. It warns that data flows have become so valuable to cross-border business that failure to establish an adequate framework could hamper EU-UK trade.

The Paper draws on the advice of a number of prominent UK data protection experts, including Hunton & Williams’ senior consultant attorney Rosemary Jay. The Paper’s main recommendation is that the UK seek to secure an adequacy decision from the European Commission, which would hold that the UK has an equivalent level of data protection safeguards as the EU, and would allow EU-UK data flows to continue without hindrance. As the Paper explains, this may be difficult. In particular, once the UK leaves the EU it will not be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently relied upon when the UK’s data retention and surveillance position is tested in the Court of Justice for the European Union. This effectively means that the UK will be held to a higher standard than EU Member States when its data protection regime is assessed for adequacy, which could cause issues in light of the recent introduction of the UK’s Investigatory Powers Act 2016. The Investigatory Powers Act permits the sort of bulk surveillance activities that were fundamental in invalidating the EU-U.S. Safe Harbor framework for data transfers. Without an adequacy decision, alternative methods of validating cross-border transfers, such as standard contractual clauses and binding corporate rules, will be held as “sub-optimal” and could cause problems for companies offering products and services direct to EU consumers. The House of Lords also calls for data protection to form part of any transitional agreement reached with the EU, asserting that the adequacy process could only begin once the UK has left the EU and would therefore rule out the prospect of the UK immediately being held adequate.