Public Services > Central Government

UK’s Brexit paper on data protection pitches for ongoing ICO role

David Bicknell Published 24 August 2017

Proposals stress importance of continuing existing adequacy model in two key respects: regulatory co-operation and certainty and stability


A new government Brexit paper on the exchange and protection of personal data after the UK leaves the EU says it wants to explore a UK-EU model which could build on the existing adequacy model.

It says this would provide sufficient stability for businesses, public authorities and individuals, enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.

The paper argues that after the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed “as part of the new, deep and special partnership.”

In its summary, the paper says that  the  UK  has  “strong  domestic  personal  data  protection  standards,  set  out  in  the  Data  Protection  Act  (DPA)  1998.  The  UK’s  new  Data  Protection  Bill,  which  will  repeal  and  replace  the  DPA  1998,  was  announced  in  this  year’s  Queen’s  Speech.  It  will  further  strengthen  UK  standards,  ensuring  they  are  up  to  date  for  the  modern  age,  and  it  will  implement the EU’s new data protection framework in our domestic law. At the point of our exit from the EU, the UK’s domestic data protection rules will be aligned with the EU data protection framework,” the paper said.

After leaving the EU, the paper continued, the UK will continue to play a leading global role in the development and promotion of appropriate data protection standards and cross-border data flows.

“In doing so we will work alongside the EU and other international partners to ensure that  data protection standards are fit for purpose – both to protect the rights of individuals, but also to allow businesses and public authorities to offer effective services and protect  the public.”

The government’s paper said it intends to remain a global leader on data protection, by promoting both the flow of data internationally and appropriate high levels of data protection rules.

It points out that case  law  demonstrates  that  there  are  divergent  views  globally  on  how  to  strike  the  right  balance.

The paper says it is “essential that we agree a UK-EU model for exchanging and protecting personal data” that maintains the free flow of personal data between the UK and the EU; offers sufficient stability and confidence  for  businesses,  public  authorities and individuals; provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection; continues to protect the privacy of individuals; respects UK sovereignty, including the UK’s ability to protect the security of its citizens  and its ability to maintain and develop its position as a leader in data protection; does not impose unnecessary additional costs to business; and is based on objective consideration of evidence.

This, it argues, could build on the existing adequacy model in two key respects: regulatory co-operation and certainty and stability.

The paper says that after the UK’s withdrawal, regulatory cooperation between the UK and the EU on a range of issues will be essential, including data protection, not least because the General Data Protection Regulation (GDPR) will continue to apply to UK businesses offering goods or services to individuals in the European Economic Area (EEA.)

The paper argues that a new relationship could therefore enable “an ongoing role for the UK’s ICO in EU regulatory fora, preserving existing, valuable regulatory cooperation and building a productive partnership to tackle future challenges.”

The paper says the ICO “works closely with other EU regulators” and is “well-regarded amongst its EU and international counterparts.” 

The paper adds that a continued role for the ICO will support cross-border business and activity between the UK and the EU by promoting a common understanding of the regulatory challenges and issues faced by businesses,  the  public  sector  and  individuals.  It specifically suggests that the UK  “would  be  open  to  exploring  a  model  which  allows  the  ICO  to  be  fully  involved  in  future  EU  regulatory  dialogue.”

An  ongoing  role  for  the  ICO  would  therefore “allow  the  ICO  to  continue  to  share  its  resources and expertise with the network of EU Data Protection Authorities, and provide a practical contribution at EU level which will benefit citizens and organisations in both the  UK and the EU.”

The paper also argues that given the “existing alignment of our data protection frameworks”, a  UK-EU  model  for  exchanging  and  protecting  personal  data  could  provide  an opportunity  to  give  greater  ongoing  certainty to  business  and  citizens  in  both  the  UK   and the EU as to the rules governing future data flows, reducing the risks for business that the basis for data flows is unexpectedly changed.”

The paper stresses that it is “essential” that we “avoid regulatory uncertainty for businesses  and  public  authorities  in  the  UK,  EEA,  and  EU  adequate  countries  who  currently enjoy an ability to transfer data freely.”

It adds that “such uncertainty over the nature of the data relationship between the UK and EU immediately on exit may force businesses on both sides  to  incur  unnecessary  expense  and  time  in  contingency  planning,  or  put  them  under  pressure  to  renegotiate  what  may  be  less  favourable  contractual  arrangements.

“Ensuring certainty at the point of exit will avoid unnecessary disruption for businesses, public authorities and individuals in the UK and EU,” it suggests.

Specifically, the government says it would be in the interest of both the UK  and  EU “to  agree  early  in  the  process  to  mutually  recognise each other’s data protection frameworks as a basis for the continued free  flows of data between the EU (and other EU adequate countries) and the UK from the point of exit, until such time as new and more permanent arrangements come into force.”

It goes on, “Early  certainty  around  how  we  can  extend  current  provisions,  alongside  an  agreed  negotiating timeline for longer-term arrangements, will assuage business concerns on  both  sides  and  should  be  possible  given  the  current  alignment  of  our  data  protection frameworks.”

As well as ensuring that data flows between the UK and the EU can continue freely, the UK also wants to make sure that flows of data between the UK and third countries with existing EU adequacy decisions can continue on the same basis after the UK’s withdrawal, “given such transfers could conceivably include EU data.”

The paper argues that the UK is, and will remain after the point of withdrawal, a safe destination for personal data with some of the strongest domestic data protection standards in the world. For this reason, the UK does not see any reason for existing data flows from third countries to the UK to be interrupted.”

Having made the case for an adequacy decision, the paper contains an annex that discusses the alternatives. It says that without an adequacy decision or new model in place, it is still possible for personal  data  to  be  transferred  to  third  countries  in  some  circumstances.

In addition  to  various   limited  derogations  from  the  general  requirements,  the paper says,  both  the  GDPR  and  the  Data Protection Directive (DPD)  set  out alternative methods of transfer, which companies and public authorities may use to  transfer data to third countries in the absence of an adequacy decision.

It continues, “Under  the  GDPR,  alternative  legal  bases  for  transfers  of  personal  data  outside  the EEA include:

  • Binding Corporate Rules, that allow the transfer of data between the establishments of a company located inside and outside the EU;
  • Standard Contractual Clauses, that data controllers can adopt as the basis for data transfers; and
  • Approved Codes of Conduct, or approved certification mechanisms.

But it makes the point again that “none  of  these  alternatives  are  as  wide  ranging  as  an  adequacy  decision  or  an  agreed  new  relationship.  They can also  be  costly  and  onerous  for  businesses,  especially for small and medium sized enterprises (SMEs).”

Related content:

Department for Exiting the European Union page , including proposals for shared approach on data protection



We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.