EU sinks UK hopes for post-Brexit role for UK in developing data protection laws

The UK will be relegated to "third country" status, and lose its seat on the European Data Protection Board

The European Union (EU) has dealt a fatal blow to the UK's hopes of maintaining a post-Brexit role in the body that develops rules on data protection, privacy and AI.

In a speech over the weekend Michel Barnier - the EU's chief negotiator in Brexit talks - ruled out any post-Brexit UK involvement in the European Data Protection Board (EDPB) created under the General Data Protection Regulation (GDPR), which came into force 25 May.

The EDPB, an EU body tasked with applying and regulating GDPR consistently across member states, comprises the head of each nation's regulator and the European Data Protection Supervisor (EDPS) or their representatives.

But the Information Commissioner's Office (ICO), the UK's data regulator, will no longer be offered a seat once the UK leaves the EU on 29 March 2019, with the UK relegated to "third country" status.

"It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work," said Barnier, adding: "The United Kingdom wants to leave. That is its decision. Not ours. And that has consequences."

Referencing the UK's position on data protection published this week, Barnier said the UK believes it is in interests of EU business for the ICO to remain on the EDPB. But this was slapped down, as he said Brexit "is not, and never will be, in the interest of EU business".

Speaking to the International Federation for European Law (FIDE) at its 28th Congress in Lisbon this Saturday, Barnier also outlined a few issues this may pose.

These including who would launch an infringement against the UK where GDPR is misapplied, who would ensure the UK would update its own data legislation in conjunction with the EU, and how the EU would ensure the GDPR is uniformly interpreted across both sides of the channel.

"The United Kingdom decided to leave our harmonised system of decision-making and enforcement. It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges," said Barnier. 

"And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision. It is one thing to be inside the Union, and another to be outside."

Barnier's comments sunk the UK's hopes for maintaining the ICO's role in the EDPB, which the Information Commissioner Elizabeth Denham warned against in oral evidence before the parliamentary committee on exiting the EU in early May.

Asked which aspects of any future data protection relationship would be the most difficult to achieve, Denham replied: "A bespoke agreement or the treaty option, which gives us more than adequacy, including a role for the ICO at the EDPB and participation in the one-stop shop, which would be really advantageous to business, would have to be negotiated.

"An agreement to go forward on data would have to be negotiated, because otherwise we would be looking at what is already in law, which is an adequacy assessment, and that would make us the same as any third country."

The only option for the UK to gain a sense of parity with the EU in the future would be an adequacy decision which, if granted, would allow a third nation's data to flow more freely between itself and member states.

Adequacy, which can be granted by the European Commission following an examination of privacy standards, does not, however, allow for the third country to be involved in contributing to any rules themselves.

Denham continued: "The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies and for regulating big tech.

"We will be a less influential regulator. We will continue to regulate the law and protect UK citizens as we do now, but we will not be at the leading edge of interpreting the GDPR and we will not be bringing British values to that table if we are not at the table."

A Department for Exiting the European Union (DExEU) spokesperson told IT Pro: "Our Information Commissioner's Office well-respected and it is in the mutual interest of the UK and the EU for the ICO and EU data protection authorities to work together. Negotiations are ongoing in this regard.

"Adequacy does not reflect the full depth and breadth of the UK-EU relationship. It is an effective means of ensuring the free flow of data between the EU and a third country, but it would not allow national data protection authorities to co-operate as effectively as they do now.

"As it currently exists, adequacy alone would lead to more bureaucracy and additional costs for businesses."

Picture: Shutterstock

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021