The U.K. should seek privacy adequacy approval from the European Union to allow easier
data transfers to continue after Brexit or businesses will be at a “competitive disadvantage,”
U.K. lawmakers recently said.
After it officially leaves the EU at the end of March 2019, the U.K. will be treated
like other non-EU countries that seek ways to lawfully transfer data from EU member
countries—which will stand at 27 after the U.K.’s departure. Obtaining an official
European Commission finding that the U.K.’s privacy regime is adequate to protect
the privacy of EU citizens’ personal data is critical to maintain effective data transfers
in a digital economy, according to a July 18
report from the House of Lords EU Committee.
The report said that three-quarters of data transfers by U.K. companies are with EU
countries. If the government fails to secure an adequacy decision, “it could present
a non-tariff barrier to trade, particularly in services, putting companies operating
out of the UK at a competitive disadvantage,” the House of Lords report said.
The House of Lords committee highlighted its concern “by the lack of detail” on how
the government plans to maintain “unhindered” data flows post-Brexit, as well as by
its “non-committal” approach to whether it plans “to seek an adequacy decision.”
Ruth Boardman, a data protection partner at London-based firm Bird & Bird, told Bloomberg
BNA that the EU’s new General Data Protection Regulation complicates the post-Brexit
privacy analysis. U.K. companies that conduct business in the EU will have to comply
with the EU’s new privacy regime when it takes effect in May 2018, but that doesn’t
mean the U.K. should rush to change its privacy laws to meet GDPR obligations, she
“Significant change will just add uncertainty and cost—and will damage attempts for
the UK to secure an adequacy decision,” she said.
Jan Philipp Albrecht, a German Green lawmaker and vice-chairman of the European Parliament’s
Civil Liberties, Justice and Home Affairs Committee (LIBE), said at a July 19 Brookings
Institution event in Washington that gaining adequacy approval is difficult, and that
recent changes in the U.K. to allow the government easier access to consumer data
won’t make the task any easier.
Continue GDPR Preparations
A U.K. Department for Digital, Culture, Media and Sport spokesman told Bloomberg BNA
July 19 that the government “is considering all the options” to ensure that the U.K.’s
data protection regime “continues to build a culture of data confidence and trust”
and ”supports businesses in the global economy.“
The House of Lords panel advised businesses to continue to prepare for the upcoming
GDPR, even if the government doesn’t “pursue full regulatory equivalence in the form
of an adequacy decision” with the EU.
The committee said that those that hoped for a “clean break” from the EU won’t realize
that goal. Since U.K. businesses will have to abide by the GDPR, it must follow “legal
controls placed by the EU on transfers of personal data outside its territory,” it
Boardman agreed that companies need to take “significant steps to be GDPR-ready,“
adding that many have already started their preparations. “Post Brexit, UK businesses
who also operate in, or sell to, the EU, will have to comply with GDPR for that portion
of their business,” she said.
U.K.-U.S. Data Transfer Concerns
U.K.-based companies also need to prepare for cross-border data transfers with the
U.S., given that the EU-U.S. Privacy Shield program will cease to apply to the U.K.
post- Brexit, the House of Lords committee said.
The Privacy Shield program is used to more easily transfer data out of the EU by over
2,100 U.S. companies, including Facebook Inc., Alphabet Inc.’s Google, and Microsoft
Corp., that certify to the Department of Commerce their compliance with EU-approved
privacy principles. Limiting U.S. government access to data once it is moved to the
U.S. is a fundamental basis underlying the EU’s approval of the system.
Rosemary Jay, privacy and data protection senior consultant attorney at Hunton & Williams
in London and who appeared before the committee, said that the U.K. may be able to
follow in Switzerland’s footsteps to effectuate cross-border data transfers with the
U.S. Switzerland, as a non-EU member, offered a “possible model” for the U.K. to follow,
“Switzerland has an adequacy finding, so it is regarded as equivalent and adequate,
and then it has a mirror of the Privacy Shield agreement with the US,” she told the
To contact the reporter on this story: Ali Qassim in London at
To contact the editor responsible for this story: Donald Aplin at
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.