(United Kingdom) The UK is apparently at the end of the queue for a data deal with Brussels, come Brexit, given that UK data regulations may not be adequate under EU rules. The Financial Times reports as follows:
The UK is at the “end of the queue” for a deal to allow data to continue to flow freely with the EU after Brexit, according to a senior European official.
Talks over the future trade relationship between the UK and the EU will begin early next year, but officials in Brussels have warned that with only 11 months until a Brexit transition period ends in December 2020, the window may be too tight for an agreement on data.
Wojciech Wiewiorowski, the EU’s new data protection supervisor, said the UK was “13th in the row” of countries that are negotiating data deals with Brussels. Allowing the UK to skip the queue “would be a little bit unfair towards those who have already prepared themselves for this process,” he added.
Officials in Brussels have warned several times that assessing the UK’s data “adequacy” — whether UK regulations on data protection are as robust as those in the EU — will be a lengthy process and that the issue may fall down the list of priorities in the wider negotiations. Mr Wiewiorowski’s predecessor, Giovanni Buttarelli, also warned that reaching a deal “could take years”.
A deal is critical for scores of businesses, especially in the tech, health and insurance sectors, which regularly transfer data — including bank details and other personal information — to and from the continent for analysis or processing. More than three-quarters of UK data transfers are with EU countries, according to industry group TechUK.
(Privacy press clipping sourced via The Financial Times)
Jurisdiction: United Kingdom
After Brexit, the UK faces the problem of how its data laws will interact with those of the EU. The GDPR itself will no longer apply, unless copied across into UK domestic law (this has been the reported intention). Whether the EU will recognise this copy and paste, and how it is implemented, depends on the “data deal” referred to by the FT.
In some sense, the EU position as reported here is a bit rich since the ICO is an experienced and leading data privacy regulator, presently applying the GDPR as EU law in the UK. Substantial conformance with the GDPR also appears a reality for UK law after Brexit. The EU official cited, however, argues that recognition for the UK’s arrangements will be more than a formality and involves a significant process.
Businesses will want a predictable framework for their data interactions across both the UK and EU. Brexit potentially messes with this. While to one view it may be negotiating posturing on the EU’s part, businesses may be affected if the UK cannot get a timely and good data deal from Brussels. Being at the ‘back of the queue’ is therefore not good news. As the FT article points out, standard contractual clauses could be a fall back. Adequacy decisions in respect of countries outside the EU, for example, the US and Japan have taken some time to conclude and are not without hiccups (the US Privacy Shield being one example).