The UK is seeking a bespoke deal with the EU that will enable the continued free exchange of personal data after Brexit — an arrangement considered vital to the British economy.
In the latest of a series of position papers by UK ministers on Britain’s future relationship with the EU, the government called on Thursday for the early mutual recognition of both sides’ data protection regimes.
It also wants the Information Commissioner’s Office, the UK’s data protection watchdog, to have a continued role working with European regulators.
The UK proposals come as companies and public bodies across Europe are gearing up for the biggest changes to data rules for two decades. The EU’s general data protection regulation, which will be mirrored by the data protection bill in the UK, enters into force in May 2018.
The new EU regime will introduce broader definitions of personal information, and force businesses and public bodies to be clearer about how and why they are collecting, storing and sharing data. In some cases, these organisations will have to obtain the explicit consent of customers for their personal information to be stored and shared.
The new EU regime will also introduce much stiffer penalties for serious breaches of the rules — something that has alarmed businesses who lack the expertise to map and control the information they collect.
“The UK is a significant player in global data flows,” says the government’s latest Brexit position paper on personal data. “Estimates suggest that . . . 75 per cent of the UK’s cross-border data flows are with EU countries.”
After Brexit, Britain will no longer be part of the EU-wide framework on data protection although, as the government says in its paper, the two systems will be closely aligned.
It is therefore seeking its own version of the test applied by Brussels to ensure that third countries have an “adequate” system of data protection to allow for the free flow of information.
However, the proposed model throws up some challenges, particularly if Brussels judges the UK to have deviated from EU norms.
The government admits there is no upside for Britain in leaving the EU when it comes to data protection — only business risks to be mitigated.
Under current rules, the European Commission decides which countries comply with its “adequacy” test permitting free flow of information. It could unilaterally decide to withdraw its approval if Britain changed its own data protection regime, potentially causing chaos to any UK business that offers goods or services to customers within the EU.
In particular, any British data-sharing agreements with third countries that Brussels believes falls foul of its rules could expose UK organisations to fines, or to the curtailing of their ability to move information across borders.
EU and UK law enforcement agencies also share data under a separate agreement, including on money laundering, terrorist financing and other forms of financial crime.
The British paper also talks of extending the existing rules on personal data during a transition period, a view backed by Tom Thackray of the CBI employers’ group, who said the document represented “a step forward”.
He added: “In the short term, a seamless transition deal is necessary to protect the free flow of information . . . If no transition deal is agreed, the UK’s potential £240bn data economy is at risk of isolation.”
Copyright The Financial Times Limited . All rights reserved. Please don't copy articles from FT.com and redistribute by email or post to the web.