Negotiating Data Policy: Post-Brexit Cooperation between the EU and UK.

Posted on by
‘Data Protection’, by Nick Youngson. License: CC by 3.0. Source: https://www.thebluediamondgallery.com/legal08/d/data-protection.html

New technology is continuing to evolve at an unprecedented rate posing a need for governments to implement effective data policies to traverse this continually growing technological landscape focused on data protection. The European Union (EU) introduced the General Data Protection Regulation (GDPR) for its member states to ensure adequate data protection. However, in the wake of Brexit this posed issues for the United Kingdom (UK). This Blog post will discuss several points regarding the issue of data protection within the UK including the reform of GDPR, and the implication of leaving the EU on data protection policies and data flows.

The Problem

With the exit of the UK from the EU posed a challenge for policy making and data protection within the UK. Implications arose concerning transferring data between the EU and the UK, posing problems for businesses and organisations that operated across borders. Over 70% of trade in services is validated through data flows and the digital sector has contributed over £118 billion to the economy in the UK (Vanberg, Maunick, 2017, p.190). Considering this Information, to prevent significant finical loss it is crucial the UK provide an effective data protection framework that facilitates data flow from the EU to the UK (Vanberg, Maunick, 2017, p.190). Corporations and business highlighted this issue thus it became a pressing issue and was put forward in the agenda for policy making.

To try and eliminate the issue of data flow between the EU and the UK, the UK set up its own data protection policy referred to as The Data Protection act 2018 (DPA) that aligned with the GDPR in 2018 (GOV.UK, n.d.). The aim of the GDPR was to implement an extensive data protection regulation that would standardise data protection laws throughout member states including providing increased protection to individuals rights to their personal data (Chase, 2019). While it was still a member of the EU the UK utilised the manufacture of the DPA to mirror the GDPR and simultaneously guarantying the legal framework for data protection was robust and aligned with UK’s legal system (Bhaimia, 2018, p.22).

‘GDPR & ePrivacy Regulations’, by Dennis Van Der Heijden, March 2018. Source: https://www.flickr.com/photos/160103778@N03/38938511550. License: CC by 2.0

Finding a solution

Prior to Brexit, data flows between the UK and nations within the EU were facilitated seamlessly under the GDPR’s unified regulatory framework (Kuskonmaz, 2017). However, Brexit changed this dynamic and now the UK is considered a ‘Third party country’ under the GDPR, thus requiring extra measures to ensure data transfers are lawful (McCullagh, 2022, p.38). To be considered a third party, policy makers must secure an Adequacy decision from the European Commission, this adds an extra layer of complexity in creating data protection policy to ensure free data flows within the UK (Voss, 2016, p.230). In essence the UK must be found to provide an ‘adequate’ level of protection, this is reliant on various factors such as data protection laws, government surveillance practices and judicial redress mechanisms (Chase, 2019, p.7). To strengthen its case for adequacy it was paramount that the DPA aligned with the GDPR.  

Other options

Since 2021, the EU has provided a successful Adequacy decision to the UK and therefore free flow networks can occur (GOV.UK, 2021). However, in the case that the Adequacy decision was not formalised policy makers had other alternative mechanism to rely upon. During the formulation stage policy makers can look at other countries who have a similar problem such as Norway. An option for the UK (like Norway) would be by becoming a signatory to the European Economic Area (EEA) Agreement thus joining the EEA (Moerel, Tigner, 2016, p.381). This encompasses that under article 7 of the EEA Agreement, the UK is required to accept being tied to EU laws that represent the four freedoms that includes the GDPR (Moerel, Tigner, 2016, p.381). However, Piris argues that joining the EEA is not politically feasible as many other aspects of the EEA agreement would have to be adopted such as the free movement of persons which was an important factor as to why British citizens wanted to leave the EU in the first place (2017).

Conclusion

Navigating data policy has proved a difficult task for UK policy makers in the technological age. While the DPA provides a necessary step towards data protection, the complexities of Brexit and the GDPR has seen significant challenges faced such as securing free data flows between the UK and the EU. Being considered a third-party country under the GDPR it was essential to secure an Adequacy decision which the UK were successful in doing securing data flows.

Bibliography

Addis, M., Kutar, M. (2018). ‘The General Data Protection Regulation (GDPR), Emerging Technologies and UK Organisations: Awareness, Implementation and Readiness’, UK Academy for Information Systems Conference Proceedings 2018, 29(1), [Online]. Available at: https://aisel.aisnet.org/ukais2018/29 (Accessed: 17 February 2024).

Bhaimia, S., 2018. The general data protection regulation: the next generation of EU data protection. Legal Information Management18(1), pp.21-28.

Chase, P. H. (2019). Perspectives on the General Data Protection Regulation Of the European Union. Washington DC: German Marshall Fund of the United States, [Online]. Available at: http://www.jstor.org/stable/resrep21227 (Accessed: 17 February 2024).

EU adopts ‘adequacy’ decisions allowing data to continue flowing freely to the UK (2021). Available at: https://www.gov.uk/government/news/eu-adopts-adequacy-decisions-allowing-data-to-continue-flowing-freely-to-the-uk (Accessed: 17 February 2024).

Kuşkonmaz, E. (2017). ‘Brexit and Data Protection: The Tale of Data Protection Bill and UK-EU Data Transfers’, EU Law Analysis, 26th September 2017. Available at:  http://eulawanalysis.blogspot.co.uk/2017/09/brexit-and-data-protection-tale-of-data.html. (Accessed: 17 February 2024).

McCullagh, K. (2022). ‘Post-Brexit data protection in the UK–leaving the EU but not EU data protection law behind’, in Research Handbook on Privacy and Data Protection Law: Values, Norms and Global Politics. Cheltenham: Edward Elgar Publishing. pp. 35-58.

Piris, J. (2017). ‘Why the UK will not become an EEA member after Brexit’ Encompass, September, [Online]. Available at https://encompass-europe.com/comment/why-the-uk-will-not-become-an-eea-member-after-brexit (Accessed: 17 February 2024).

The Data Protection Act (2024). Available at: https://www.gov.uk/data-protection (Accessed: 17 February 2024).

Vanberg, A., Maunick, M. (2018). ‘Data protection in the UK post-Brexit: the only certainty is uncertainty’, International Review of Law, Computers & Technology, 32(1), pp.190-206, [Online]. Available at: DOI: 10.1080/13600869.2018.1434754  (Accessed: 17 February 2024).

Voss, W. G. (2016). ‘European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting’, The Business Lawyer, 72(1), pp.221–234, [Online]. Available at:  https://www.jstor.org/stable/26419118 (Accessed: 17 February 2024).