European regulation will often be complied with, even if the UK is not a member of the EU
European regulation will often be complied with, even if the UK is not a member of the EU

A new House of Lords report has encouraged a greater role for the UK in European data protection, despite the advent of Brexit.

The third report of session, published on July 21, for the Lords' European Union Committee concluded that from a data protection point of view, the UK will be put at a tangible disadvantage: “Our analysis suggests that the stakes are high, not least because any post-Brexit arrangement that results in greater friction around data transfers between the UK and the EU could present a non-tariff trade barrier, putting the UK at a competitive disadvantage.”

Alignment of data protection standards will be a requirement if the UK is to continue to easily transact with European bodies. The UK's comparatively thorough national security legislation, for example, may put the sceptred isle on the back foot compared with other countries.

While the UK was protected from that consideration under the Treaty on the Functioning of the European Union when it was still a bonafide member, Brexit may upend that special dispensation.

“The UK could find itself held to a higher standard as a third country than as a Member State,” the report's authors note.

The EU, broadly more liberal than the UK in terms of offering greater consumer data protection and less state surveillance, has taken issue several times with the kind of security legislation that the UK government has wished upon the country. Sections of the press and various other bodies including some political groupings in the UK have often sought to do away with the European Convention on Human Rights, and European courts have struck down UK national security legislation as unlawful, signifying a cultural dissonance between the supranational body and its departing member.

Valsamis Mitsilegas, professor of European Criminal Law at Queen Mary, University of London testified to the committee that on this particular topic, the UK and the EU are growing apart. He said that the UK was “going down this route of increasing collection of and access to bulk data, which is increasingly incompatible with the EU.”

Mass surveillance and bulk collection, he said, “is a red line for EU law now”, adding that “as long as you have domestic law that allows mass surveillance, you will have problems with EU law.”

Though the UK will not be the explicit beneficiary, nor subject of the European Union's statutes, it will still be adopting many of them. Most notably in this area is the General Data Protection Regulation, a piece of regulation which will form a radically new landscape for data protection when it comes into force 2018.

The GDPR implements new provisions for organisations operating in the EU, including breach reporting rules, encryption requirements and heavy fines for those who infringe its rules. Elizabeth Denham, the UK's Information Commissioner has been clear that the UK would definitely be complying with the GDPR, Brexiting or not. The report too, clearly underlines that fact, pointing out that much of the GDPR's provisions are already part of UK law.

Denham testified to the Lords, saying that though the GDPR's provisions will be applied, “a lot of white space” exists within even this piece of regulation: “There is still a lot of room for manoeuvre so that domestic authorities can carve out and make the laws they want.” The UK can still make its own decisions about children, age of consent and deciding the balance between freedom of expression and data protection.

This focus on alignment will mean that the UK will be forced to update its rules every time the EU does. Anthony Walker, deputy CEO of TechUK stressed the need to stay on top of this process. “We do not want to see a process of accidental divergence happening as the European Union continues to legislate in areas where the UK does not.”

“There needs to be a process”, added Walker, ”that enables us to carefully track what is happening at a European level and to determine whether or not those changes should be implemented into UK law.”

Considering the effect that the EU's decisions will have over UK regulation, the report notes that the UK government must have a presence in the bodies that make those decisions.  The government for example, must secure a role for the ICO on the European Data Protection Board, the body which is largely responsible for enforcing the GDPR.  While the UK had a considerable track record of influencing EU decision making when it had a seat at the table, Brexit means that the institutional platforms that it once took advantage of will have to be recreated.

The report notes that this jostling to align may result in a formal international agreement, stating: “It is conceivable that an international treaty on data protection could emerge as the end product of greater coordination between data protection authorities in the world's largest markets.”