EU sinks UK hopes for post-Brexit role for UK in developing data protection laws

The UK will be relegated to "third country" status, and lose its seat on the European Data Protection Board

The European Union (EU) has dealt a fatal blow to the UK's hopes of maintaining a post-Brexit role in the body that develops rules on data protection, privacy and AI.

In a speech over the weekend, Michel Barnier - the EU's chief negotiator in Brexit talks - ruled out any post-Brexit UK involvement in the European Data Protection Board (EDPB) created under the General Data Protection Regulation (GDPR), which came into force on 25 May.

The EDPB, an EU body tasked with applying and regulating GDPR consistently across member states, comprises the head of each nation's regulator and the European Data Protection Supervisor (EDPS) or their representatives.

But the Information Commissioner's Office (ICO), the UK's data regulator, will no longer be offered a seat once the UK leaves the EU on 29 March 2019, with the UK relegated to "third country" status.

"It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work," said Barnier, adding: "The United Kingdom wants to leave. That is its decision. Not ours. And that has consequences."

Referencing the UK's position on data protection published this week, Barnier said the UK believes it is in the interests of EU business for the ICO to remain on the EDPB. But this was slapped down, as he said Brexit "is not, and never will be, in the interest of EU business".

Speaking to the International Federation for European Law (FIDE) at its 28th Congress in Lisbon this Saturday, Barnier also outlined a few issues this may pose.

These include who would launch an infringement against the UK where GDPR is misapplied, who would ensure the UK would update its own data legislation in conjunction with the EU, and how the EU would ensure the GDPR is uniformly interpreted across both sides of the channel.

"The United Kingdom decided to leave our harmonised system of decision-making and enforcement. It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges," said Barnier. 

"And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision. It is one thing to be inside the Union, and another to be outside."

Barnier's comments sank the UK's hopes for maintaining the ICO's role in the EDPB, which the Information Commissioner Elizabeth Denham warned against in oral evidence before the parliamentary committee on exiting the EU in early May.

Asked which aspects of any future data protection relationship would be the most difficult to achieve, Denham replied: "A bespoke agreement or the treaty option, which gives us more than adequacy, including a role for the ICO at the EDPB and participation in the one-stop shop, which would be really advantageous to business, would have to be negotiated.

"An agreement to go forward on data would have to be negotiated, because otherwise we would be looking at what is already in law, which is an adequacy assessment, and that would make us the same as any third country."

The only option for the UK to gain a sense of parity with the EU in the future would be an adequacy decision which, if granted, would allow a third nation's data to flow more freely between itself and member states.

Adequacy, which can be granted by the European Commission following an examination of privacy standards, does not, however, allow for the third country to be involved in contributing to any rules themselves.

Denham continued: "The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies and for regulating big tech.

"We will be a less influential regulator. We will continue to regulate the law and protect UK citizens as we do now, but we will not be at the leading edge of interpreting the GDPR and we will not be bringing British values to that table if we are not at the table."

A Department for Exiting the European Union (DExEU) spokesperson told IT Pro: "Our Information Commissioner's Office is well-respected and it is in the mutual interest of the UK and the EU for the ICO and EU data protection authorities to work together. Negotiations are ongoing in this regard.

"Adequacy does not reflect the full depth and breadth of the UK-EU relationship. It is an effective means of ensuring the free flow of data between the EU and a third country, but it would not allow national data protection authorities to co-operate as effectively as they do now.

"As it currently exists, adequacy alone would lead to more bureaucracy and additional costs for businesses."
