The UK government has said it wants an early agreement on a post-Brexit data-sharing deal with the European Union, as well as a continued seat at the table for Blighty's data protection watchdog.
In the latest of its position papers for how the UK will extricate itself from decades of EU policy, the government set out what it described as “ambitious” plans for rules on safeguarding and exchanging people's private information.
The document – a slim 15 pages [PDF] for what is ostensibly a complex area – reiterates the government’s view that unhindered flows of citizens' personal records are essential for both the UK and the EU’s security cooperation and business. The EU data economy is estimated to reach €643bn by 2020, the paper noted.
In other words, there has to be rules in place to allow companies and snoops to swap people's personal information, and the rules have to be agreed on both sides, the British and the EU.
The Tory-run government argued that the UK “starts from an unprecedented point of alignment with the EU”, and as such that it should seek a deal that goes beyond existing measures the EU has with non-EU nations.
“In recognition of this, the UK wants to explore a UK‑EU model for exchanging and protecting personal data, which could build on the existing adequacy model”, which is where the EU certifies that a country provides the right standard of protection to allow data sharing to continue.
The extras the UK wants are for the Information Commissioner’s Office to have an “ongoing role ... in EU regulatory fora” and for the pair to “agree early in the process to mutually recognise each other’s data protection frameworks”.
Whether or not the EU will welcome a non-EU nation’s data protection bod onto their panel remains to be seen – even the chair of the House of Lords committee that recommended this in a detailed report on data protection post-Brexit said it would “not be straightforward”.
Meanwhile, the early agreement is no doubt being proposed in a bid to ensure that data flows – and the business of business – are not interrupted after Brexit, because an adequacy decision cannot be made until the UK has left the bloc.
However, when the EU considers the UK’s adequacy, it will not just look at the data protection regulations in a country – where the UK has agreed to align itself, with its proposed Data Protection Act expected to closely mirror the EU’s General Data Protection Regulation.
It also considers other data retention and surveillance measures, which will include the UK’s controversial Investigatory Powers Act. As it stands, the UK can rely on the national security exemptions offered to the member states to carry out bulk data processing.
The Brexit paper makes no mention of this, nor of the landmark EU Court of Justice ruling on mass data retention, which was brought by deputy Labour leader Tom Watson and David Davis, before he excused himself from the complaint on being made Brexit secretary.
Heather Burns, internet law expert and cofounder of Web Matters, told The Reg that the proposals amounted to “delusional fantasy”.
She said: “Adequacy isn’t just about GDPR. When the EU looks at the UK to determine if it’s an adequate country, it will be about all the other things, including the IP Act.”
Burns also lamented the lack of detail in the document, especially when compared with the detailed work done by committees of MPs and peers in recent months.
The paper has been more warmly welcomed by industry body TechUK, whose comments regularly appear in government-issued tech news releases.
“The government’s paper suggests that they have listened to the tech sector, and the thousands of businesses across the whole economy who rely on data transfers to serve their businesses and their consumers,” Antony Walker, deputy CEO, said. ®