​Extra rules could be agreed to smooth EU-UK data adequacy, suggests European Parliament think tank

The European Parliament Research Service, in its new report EU-UK private-sector data flows after Brexit: Settling on adequacy, has set out ways that the adequacy arrangements between the UK and EU could be made to work.

The detailed analysis, authored by Hendrik Mildebrath, comes ahead of the European Data Protection Board’s opinion on the draft adequacy decision issued by the European Commission in February. The Commission concluded then that the UK offers an equivalent level of data protection to the General Data Protection Regulation (GDPR) paving the way for the continued free flow of personal data after a six-month post-Brexit grace period ends in June.

However privacy professionals, academics, supervisory authorities and civil society organisations have raised the prospect that the UK’s legislative framework and data-related practices may pose some problems to the arrangements and prevent an adequacy decision being fully adopted, said Mildebrath.

Areas of concern listed by Mildebrath are: British surveillance laws and practices; shortcomings in implementation of EU data protection standards linked to immigration and the Digital Economy Act 2017; weak enforcement of data protection rules by the UK’s Information Commissioner’s Office (ICO); potential liberal onward transfer of data; and the UK’s wavering commitment to EU data protection standards.

On the way forward, he writes: “Where risk of non-compliance is low and legal remedies are likely effective, commitments to a specific interpretation of the law as well as assurances of compliance might suffice as a mitigation strategy.

“Where serious doubts regarding UK data adequacy persist, supplementary rules, including additional safeguards, could be agreed and included in the adequacy decision, to bridge the differences between the two data protection systems.

“To promote mutual understanding and foster sustainable cooperation, the parties may consider further aligning visions and expectations, for instance, in the framework of joint governance teams, within a specialised Trade & Corporation Agreement committee or in multilateral councils and organisations.”

Mildebrath also stated: “Clearly, the UK and the EU are faced with the very delicate task of resolving tensions between economic, privacy, security and autonomy considerations, as well as interrelated fundamental rights in the face of an unrelenting data protection regime.”

Register to receive the latest data protection and privacy news and analysis straight to your inbox