The European Commission has warned that a post-Brexit data-sharing agreement between the EU and Britain that supports cross-border business and services could be terminated immediately if London strays too far from privacy standards.
It follows an announcement of plans by the UK government to reform its data laws and reduce “unnecessary barriers and burdens” to sharing data with non-EU countries including the US and South Korea.
British newspapers briefed on the plans reported that the reforms would include scrapping aspects of the EU’s data protection standards, called GDPR. However, the UK government said in a press release that it intends to achieve its reforms while “maintaining parity with EU data standards”.
The EU’s seal of approval for the British Data Standards is vital for many Irish companies operating across the border as well as providing north-south healthcare, which depend on the seamless transmission of personal data to the UK.
The European Commission announced just two months ago that it had reached so-called data adequacy decisions in relation to the UK, which meant that data flows could continue as it judged UK data protection standards to be essentially equivalent to EU standards.
A spokesperson for the European Commission said the executive would “closely monitor any developments regarding UK data protection rules”.
Spokesman Christian Wiegand said: “In adopting the UK’s suitability decisions, the Commission was well aware of the risk of potential further divergence of the UK system from that of the EU.”
He added: “In the event of problematic developments that negatively affect the level of protection that was found to be appropriate, the adequacy decision can be suspended or modified, at any time by the committee.”
“This can be done immediately in case of justified urgency. So we will continue to ensure that Europeans’ data is protected with strong safeguards when crossing the Channel.”
When the Commission announced its appropriate decision in June, it acknowledged concerns raised by the European Parliament, member states and the European Data Protection Council that Britain might deviate from EU standards in the future, putting the data of EU citizens at risk.
If Britain signs data-sharing agreements with countries outside the EU, those agreements will have to be constantly monitored to ensure they do not “undermine the level of personal data protection set forth in the EU” by exposing data from EU citizens, the Data Protection Board warned in April.
The UK government said it hopes to make its data laws “more ambitious and fit for innovation” and aims to sign data sufficiency arrangements that allow free data transfers with the US, Australia, Korea, Singapore, the Dubai International Financial Center and Colombia.
EU member states have long expressed concerns about whether the UK’s approach to data protection could expose EU citizens to surveillance by foreign intelligence services.
In the absence of a data sufficiency determination, companies must use the “Standard Contractual Clauses” to send data, a contract that obliges the organization receiving the data to observe EU standards, and that gives the individuals to whom the data relates the ability to pursue legal complaints.
Alternatively, “binding company rules” can be used by large companies or groups of companies to transfer data both internally and externally – but both approaches add cost and complexity to the business.
a job Today
Get the latest business news and reviewsRegister here
“Spécialiste de la télévision sans vergogne. Pionnier des zombies inconditionnels. Résolveur de problèmes d’une humilité exaspérante.”