The UK government’s security could be weakened as a result of hindered data transfers between the UK and EU post-Brexit.
That’s according to an inquiry by the Lords Select Committee in a report dubbed 'Brexit: the EU data protection package', which examines the overhaul of the EU’s data protection standards enacted in 2016, and the implications for the UK and EU data flows.
It takes into account the General Data Protection Regulation (GDPR) and the Police and Criminal Justice Direction (PCJ Directive) that will both come into force in May 2018, as well as the EU-US Privacy Shield and the EU-US Umbrella Agreement.
The UK government has clearly stated that it wants to maintain unhindered data flows, but the committee said that it was struck by the lack of detail on how the government plans to deliver this.
It suggested that any impediments to data sharing could hinder police and security co-operation – particularly as databases such as the Schengen Information System and the European Criminal Records Information System rely on shared data protection standards.
It warned that any post-Brexit arrangement that leads to greater friction around UK-EU data flows could also pose a non-tariff barrier to trade, putting the UK at a competitive disadvantage.
The committee suggested that the government pursues an ‘adequacy decision’ as it believes this is the most comprehensive option for maintaining unhindered data flows post-Brexit. It warned that alternatives such as a reliance on standard contractual clauses would be less effective.
Stewart Room, PwC’s global data protection legal services leader, gave evidence to the House of Lords committee during its inquiry, and explained that only 11 jurisdictions currently have adequacy agreements in place. He said this could point to it being a potentially lengthy process and urged negotiations to begin to provide the certainty that’s needed.
The Information Commissioner’s Office, the UK’s data watchdog, has previously made clear that while the UK will not be bound by EU data protection laws, organizations will have to reach the same standards when dealing with any EU-related data.
This is a point that the report reiterated.
“Legal controls on the transfer of personal data to non-EU countries mean that any changes in the EU data protection regime could affect the standards that the UK needs to meet to maintain an adequate level of protection”, it said.
It is for this reason that it is encouraging the UK to ensure it still has an influence on EU data protection rules – something it will lose after Brexit. It recommends that the government secures a continuing role for the ICO on the European Data Protection Board.