A post-Brexit data-sharing agreement between the European Union and Britain that underpins cross-border businesses and services could be immediately terminated if London diverges too much from privacy standards, the European Commission has warned.
It follows an announcement of plans by the UK government to reform its data laws and reduce "unnecessary barriers and burdens" to sharing data with non-EU countries including the United States and South Korea.
British newspapers that were briefed on the plans reported that the reforms would involve scrapping aspects of EU data protection standards, called GDPR. However, the UK government said it intended to achieve its reforms while “maintaining equivalence with the EU’s data standards”, in a press release.
The EU’s stamp of approval of Britain’s data standards is vital for many Irish businesses that operate cross-Border as well as North-South healthcare provision, which rely on the seamless sending of personal data into the UK.
Data adequacy
The European Commission announced just two months ago that it had reached so-called data adequacy decisions regarding the UK, meaning the data flows could continue as it judged British data protection standards to be essentially equivalent to those of the EU.
A European Commission spokesman said the executive would “monitor very closely any developments related to UK data protection rules”.
"When adopting the UK adequacy decisions, the Commission was fully aware of the risk of possible further divergence of the UK system from the EU system," said spokesman Christian Wigand.
“In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended terminated or amended, at any time by the commission,” he added.
“This can be done immediately in case of justified urgency. So we will continue to ensure that Europeans’ data will be protected by strong safeguards when crossing the channel.”
When the commission announced its adequacy decision in June it acknowledged concerns raised by the European Parliament, member states, and the European Data Protection Board that Britain could diverge from EU standards in the future, putting EU citizens' data at risk.
If Britain signed data-sharing agreements with non-EU countries, these would have to be continually monitored to ensure that they do not “undermine the level of protection of personal data provided for in the EU” by exposing EU citizens’ data, the European Data Protection Board warned in April.
Transfer of data
The UK government has said it hopes to make its data laws "more ambitious and innovation-friendly" and aims to sign data adequacy arrangements allowing for the free transfer of data with the US, Australia, Korea, Singapore, the Dubai International Finance Centre and Colombia.
EU member states have long harboured concerns about whether the UK’s approach to data protection could expose EU citizens to surveillance by overseas intelligence services.
In the absence of a data adequacy decision, companies must use “standard contractual clauses” to send data, a contract that commits the organisation receiving the data to observing EU standards, and gives the individuals who the data relates to the ability to pursue legal complaints.
Alternatively, “binding corporate rules” can be used by large firms or company groups to transfer data internally and externally – but either approach adds cost and complexity to businesses.