The British government is in favour of a UK-EU model for exchanging and protecting personal data, which could be built on the existing adequacy model that the EU has in place with other EEA countries to decide that a third country’s data protection framework is “adequate.”
UK businesses and public authorities may still be required to meet the standards set by the EU general data protection regulation (GDPR--to come into force in May 2018) for their processing of EEA personal data after Brexit.
The government stresses that the UK has the ambition to “remain a global leader on data protection” and has “played an important role in developing the EU’s approach to data protection, including playing a full part in the negotiation of the GDPR and DPD [data protection directive]”.
The new UK-EU model should recognise, according to the position paper, that the UK is compliant with EU data protection law and wider global data protection standards. The UK will introduce a new bill which will implement the GDPR and DPD.
The UK wants to have an early agreement on mutual recognition of the data protection framework and for negotiations next week to agree on a timeline for longer-term arrangements.
Under the adequacy model, the European commission scrutinises the third country’s domestic legislation and practice and compliance with international standards. The decision by the commission needs to be confirmed by a panel of representatives of EU member states.
The European commission can revoke decisions at any time, and the ECJ may also invalidate these adequacy decisions. These decisions are subject to routine review every four years.
The paper also sets out an ongoing role for the British information commissioner in EU regulatory areas on data protection.