UK-US post-Brexit data flow agreement could water down regulation standards

Leaked documents suggest the Privacy Shield will eventually make way for a much deeper trans-Atlantic relationship

Obtaining commitments that guarantee the free-flow of personal data across the Atlantic is a "top priority" for the US in any discussions with the UK over a future relationship post-Brexit.

Leaked trade discussions suggest the US is lobbying to establish watered-down regulations between itself and the UK for international data transfers. This would be enforced in such a way that a set of common standards will be in place, but there would be no need to harmonise domestic laws, as the General Data Protection Regulation (GDPR) requires.

US representatives, moreover, also see no legal reason why the UK can't commit to free data flows in this way while also guaranteeing adequate data protection domestically under legislation such as GDPR. The Data Protection Act 2018 will apply in the UK once the UK leaves the EU.

Documents highlighted by the Labour Party during the 2019 general election campaign revealed that pharmaceutical matters were being discussed between US and UK trade representatives. The same cache of documents, however, also outlined discussions on other issues ranging from food standards to data protection.

The documents suggest the UK has committed to abiding by the EU-US Privacy Sheild in the immediate future following EU withdrawal and during the transitional period, which should give both parties the time to establish a future agreement. 

Depending on the nature of Brexit, the UK would first need to establish an adequacy agreement with the EU, however, to ensure the free flow of data continues undisrupted. The Information Commissioner's Office (ICO) has warned a no-deal Brexit, for instance, would block critical data transfers as there wouldn't be enough time to establish such an agreement.

There could also be a regulatory arrangement in the mould of GDPR's one-stop-shop principle that would appoint a lead regulator to adjudicate data protection violations.

One DCMS official stressed that attempting to forge free flow of data with non-EU countries, like the US, won't undermine efforts to secure an adequacy agreement with the EU. US representatives agreed there was no legal reason to suggest otherwise, citing arrangements that countries like Japan have in place.

On the potential future relationship, US representatives cited the Asia-Pacific Economic Cooperation-Cross-Border Privacy Rules (APEC-CBPR) agreement as a model the two nations could follow. This is a system that ensures the free-flow of data between borders in Asian countries by enforcing a set of common standards. 

"The suggestion of deep co-operation and a "One Stop Shop" for companies subject to both UK and US regulators will sound particularly attractive to many transatlantic groups," said the chairman of the data protection forum and partner at law firm McDermott Will & Emery, Ashley Winton.

Related Resource

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

"Finally, there is a suggestion that we could abandon the GDPR rules for legitimising the international transfer of personal data and follow the APEC Cross-Border Privacy Rules (CBPR) certification.  

"By APEC's own admission the APEC-CBPR is not as comprehensive nor as strict as the GDPR, it principally facilitates the international transfer of personal data and is does not harmonise domestic law."

The ICO favours arrangements that guarantee the export of personal data from the UK to the US where US firms comply with GDPR principles, he added. The free flow of data under CPBR arrangements "would certainly cause eyebrows to be raised in Brussels", however.

"This arrangement is not without precedent," Winton continued. "Japan has both adequacy under the GDPR and is a signatory to the APEC-CBPR, however, the greater concern is likely to be that adoption of the CBPR arrangements for transfer of personal data to the US would upset the adequacy determination that the UK is seeking to permit EU-UK transfer."

The US also has concerns with how GDPR is being implemented, the documents reveal, with representatives claiming the adequacy mechanism is a "flawed system" that cannot become a global standard, and is difficult for developing countries to adopt. 

IT Pro asked the Department for International Trade (DiT) to comment on whether future data-sharing arrangements with the US could risk undermining the UK's attempts to reach an adequacy agreement with the EU.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Nokia will replace Huawei as BT's largest 5G equipment provider
5G

Nokia will replace Huawei as BT's largest 5G equipment provider

29 Sep 2020