Another Brexit cliff edge: UK.gov warned over data flows to EU

The UK is risking a security and trade "cliff edge" if it doesn't secure an arrangement that allows data transfer with the European Union to continue after Brexit, a report has said.

In its report Brexit: The EU data protection package, published today, the House of Lords EU Home Affairs Sub-Committee said that there was "no prospect of a clean break" with the union when it came to data flows.

The ability to move data across borders is central to both security and trade, and will continue to be so after Brexit, the committee said.

Cross-border data flows increased 28-fold between 2005 and 2015, and are expected to grow another five times by 2021, the report said.

Although the government has made numerous pledges to retain "unhindered and uninterrupted" data flows after Brexit, the committee said it was "struck by the lack of detail on how the government plans to deliver this outcome".

It added that the "stakes are high" – and that any increase in friction in data flows could put the UK "at a competitive disadvantage" and "hinder police and security cooperation".

"The potential downside of not getting this right is very serious," crossbench peer and committee chairman Michael Jay told The Reg. "It has to be high up on the government's priority list."

'Government must seek adequacy decision'

The UK will initially abide by the two incoming laws on such data transfers – the General Data Protection Regulation and Police and Criminal Justice Directive – as they come into force in May 2018, before Brexit.

If it wants to carry on exchanging data with member states after this, the UK has two options: seek an adequacy decision from the EU that certifies it provides the right standard of protection, or have individual data controllers and processes adopt their own compliant safeguards.

The committee is urging the government to seek an adequacy decision from the EU, which it said would be the "least burdensome" and would offer more stability and certainty for smaller businesses.

"We were persuaded by the Information Commissioner's view that the UK is so heavily integrated with the EU – three-quarters of the UK's cross-border data flows are with EU countries – that it would be difficult for the UK to get by without an adequacy arrangement," the report said.

However, adequacy decisions can't be made until after the UK has left the EU, meaning that the country risks falling off a "cliff edge" if there is a gap between legislation that causes data flows to be interrupted.

"This has to have happened by the time we leave, in March or April 2019," said Jay. "That [doesn't leave] a huge amount of time to negotiate the transitional arrangement."

And despite prime minister Theresa May arguing that European courts will have no more influence after Brexit, data protection is yet another area where the lines are blurred.

This is because the UK's data protection laws will have to stay up to date with, and possibly change based on, those made at an EU level.

Or, as Jay put it: "The European Court of Justice is going to continue to have an indirect effect on the way our own data protection rules evolve."

Warnings of lost influence

The committee is also concerned that the UK will lose its influence over the setting of those laws, and has urged the government to take steps to ensure it can still exert its influence.

"The UK has a track record of influencing EU rules on data protection and retention," the report said. "It is imperative that the government considers how best to replace those structures and platforms."

This includes on the European Data Protection Board (EDPB) – which will be more powerful than the current group of member states' data protection watchdogs, the Article 29 Working Party, which acts as an advisory body.

The government should secure a "continuing role" for the Information Commissioner's Office on the EDPB, the committee said – although Jay acknowledged that this would "not be straightforward".

But, he said, it was "very important to try and have the same influence in the future as in the past".

A further issue identified by the committee's inquiry is that the UK might find itself "held to a higher standard" than member states.

This is because the European Commission looks at a broader range of data protection regulations, including national security legislation, for adequacy decisions – while member states can use certain exemptions.

"If the UK were to seek an adequacy decision, the UK would no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the UK's data retention and surveillance regime is tested before the Court of Justice of the European Union," the report said.

The committee's report is one of a series looking at various issues the government is facing as it prepares for Brexit. ®