In the article U.K.’s Post Brexit Strategy on Cross-Border Data Flows, CBDF Research Director Peter Swire provides insight regarding the recent announcements by the U.K. Department for Digital, Culture, Media & Sport (DCMS) and how these announcements intersect with Brexit and the decision of the Court of Justice of the European Union (CJEU) in Schrems II. In addressing this recent activity by the U.K. government, Mr. Swire provides insight into the recent developments between the U.S. and EU following Schrems II and the data flow challenges between the EU and the U.K. Lastly, Mr. Swire offers a number of initial observations about the DCMS announcements and possible changes to cross-border data flows.
More specifically, the author discusses:
- The continuing U.S. and EU negotiations to find a U.S. Privacy Shield replacement which aligns with the Schrems II decision and addresses the court’s two key concerns: U.S. surveillance proportionality and lack of necessary redress for individuals’ complaints. The article also documents how the Schrems II decision has led to increased enforcement activity in the EU against data transfers to the U.S.
- The challenges the U.K. is likely to face from the EU regarding data protection issues as it seeks to “make the country’s data regime even more ambitious, pro-growth and innovation-friendly” as supported by the recent DCMS announcements. Swire provides several statements by EU officials noting that if the U.K. changes its privacy protections, the adequacy decision to allow EU-U.K. data transfers can be revisited.
- The U.K.’s announcement that the U.S. is a top priority for adequacy negotiations and how that could result in the following, depending in part on possible additional safeguards in the U.S.: (1) a U.K.-U.S. Privacy Shield, (2) adequacy decisions based on sectors of the U.S. economy such as healthcare and financial services or regions of the U.S., such as California, with its state privacy laws, and/or (3) a finding that the U.S. does have adequate protections when compared to U.K. law.
- The DCMS’ encouragement of the use of standard clauses and international codes of conduct as adequate transfer mechanisms for data flows, outside of an adequacy decision.
- The indication by the U.K. that it will conduct a broad review of its data protection law and the consequences of that, should it deviate from EU privacy laws and decisions.
The author notes that the recent impact of the series of DCMS announcements is yet unknown but indicates that there will likely be changes to the practice of cross-border data flows, the full impact to be clearer as the U.K.’s “approach to international data transfers becomes reality.”
To read the full article on the Lawfare blog, please click here.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.