Brexit/Mansion House speech

Theresa May made a speech on Friday 2 March outlining her preferences for a post-EU trade deal.[1] The speech came shortly after the publication of the EU's Draft Withdrawal Agreement.

Key points

Data Protection

… we will need an arrangement for data protection.

I made this point in Munich in relation to our security relationship. But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing the UK’s strong trading and economic links with the EU.

That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.[1]

Digital Single Market

On digital, the UK will not be part of the EU’s Digital Single Market, which will continue to develop after our withdrawal from the EU. This is a fast evolving, innovative sector, in which the UK is a world leader. So it will be particularly important to have domestic flexibility, to ensure the regulatory environment can always respond nimbly and ambitiously to new developments.[1]

Intellectual property and civil judicial co-operation

We will want our agreement to cover civil judicial cooperation, where the EU has already shown that it can reach agreement with non-member states, such as through the Lugano Convention, although we would want a broader agreement that reflects our unique starting point. And our agreement will also need to cover company law and intellectual property, to provide further legal certainty and coherence.[1]



Michel Barnier’s 1 March speech continues to make the point that the UK can opt for either a free trade agreement or single market membership, but that there is little in between.[2] This would preclude the suggested pick-and-mix approach of retaining a close relationship on data protection while opting out of the Digital Single Market and perhaps retaining some common intellectual property instruments.

Data protection

The government’s approach has been consistent since August 2017:

After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.[3]

It also reflects concerns in Parliament about data protection rules. For instance, the House of Lords noted in 2017:

Brexit means the UK will lose the institutional platform from which it has been able to influence EU data protection rules. We recommend that the Government secure a continuing role for the UK's Information Commissioner’s Office on the European Data Protection Board.[4]

Parts of the Internet industry are also keen that the UK keeps its influence on the evolution of EU data protection:

"The advertising lobby and tech megacorps including Facebook and Twitter are pushing for the UK's data protection watchdog to have full voting rights on a new, powerful European board after Brexit."[5]

Nevertheless, the EU is unlikely to want the UK half in a data protection regime. It would prove very complicated, as data protection decisions will often have to take account of other EU laws, such as e-privacy, and of jurisprudence. The EU’s general approach is to create adequacy agreements, rather than to put data protection within trade agreements:

The EU data protection rules cannot be the subject of negotiations in a free trade agreement. While dialogues on data protection and trade negotiations with third countries have to follow separate tracks, an adequacy decision, including a partial or sector-specific one, is the best avenue to build mutual trust, guaranteeing uninhibited flow of personal data, and thus facilitate commercial exchanges involving transfers of personal data to the third country in question. Such decisions can therefore ease trade negotiations or may complement existing trade agreements, thus allowing them to amplify their benefits. At the same time, by fostering the convergence of the level of protection in the EU and the third country, an adequacy finding reduces the risk of invocation by that country of personal data protection grounds to impose unjustified data localisation or storage requirements. Beyond this, as indicated in the Trade for All Communication, the Commission will seek to use EU trade agreements to set rules for e-commerce and cross-border data flows and tackle new forms of digital protectionism, in full compliance with and without prejudice to the EU’s data protection rules.[6]

Giovanni Buttarelli, the European Data Protection Supervisor, has set out some options for the ICO under transition, EEA and EFTA arrangements. These, however, would be difficult for the UK. For instance, an EFTA-like deal would create new requirements for the UK:

“for example, the UK Intelligence Services will need to demonstrate the principles of “necessity and proportionality” in its collection, use and sharing of personal data. UK-based companies will need to comply with the international transfer rules, as they will be outside the EU”[7]

In a Switzerland-like deal, the ICO would be a member of the new European Union Data Protection Board (EDPB) but its membership would be downgraded to the status of an Observer.

Michel Barnier spells out the choice in similar terms:

Take the case of personal data: all economic sectors work with personal data, ranging from the financial sector, to the health industry and to the transport sector. In the Single Market, we have a modern and very detailed regulatory framework that allows for the "free movement" of personal data. This facilitates the collection and exchange of such data. It also provides for supervisory mechanisms, overseen by the Court of Justice of the European Union.

The UK is going to leave this regulatory framework. In the future, the transfer of personal data from the EU to the UK will be subject to strict rules. These rules are designed to protect a fundamental right.

Allow me to be precise on this point.

The transfer of personal data to the UK will only be possible if the UK provides adequate safeguards. One example to ensure that adequate safeguards are in place is an "EU adequacy decision". This is an autonomous EU decision. There can be no system of "mutual recognition" of standards when it comes to the exchange and protection of such data.

The same rule goes for standards underpinning free movement of products and services.

In the absence of a common discipline, in the absence of EU law that can override national law, in the absence of common supervision and a common court, there can be no mutual recognition of standards. [2]

Similarly, the Draft Withdrawal Agreement takes the UK's ICO out of the supervisory mechanisms in Chapter VII of the GDPR.[8]

The UK appears to want to avoid the need to seek an adequacy agreement from the EU, because such an agreement is vulnerable to decisions of the CJEU, which may find that UK protections for privacy relating to mass surveillance and US data sharing preclude the EU from deciding that UK data protection is “adequate”.

Digital Single Market

The package of EU laws called the Digital Single Market includes the reforms that introduced Open Internet regulations (net neutrality laws), abolished charges for mobile data roaming and additional call charges within the EU, and introduced “portability” of on-demand video services, as well as changes to copyright law currently being debated.

Intellectual property and civil judicial co-operation

See also: Brexit/Intellectual Property

The UK and EU share a number of intellectual property rights which are an obvious area for continued co-operation, including EU Trade Marks and Design Rights. European Patents are not an EU measure, but are intertwined with the EU, and with the CJEU in particular.

The UK may be interested in common standards for copyright enforcement. These are dealt with in the package of measures known as the Digital Single Market.


  1. PM speech on our future economic partnership with the European Union, 2 March 2018
  2. Speech by Michel Barnier at BusinessEurope Day 2018, Brussels 1 March 2018
  3. The exchange and protection of personal data
  4. Brexit: the EU data protection package, EU Home Affairs Sub-Committee 18 July 2017
  5. Big tech wants the ICO on EU data protection board in Brexit fallout, 12 Dec 2017
  6. Exchanging and Protecting Personal Data in a Globalised World, Communication from the Commission to the European Parliament and the Council, 10 January 2017
  7. Buttarelli gives the post-Brexit options for the UK and insights into the EU DP Board, 23 February 2018
  8. Article 66(a) Draft Withdrawal Agreement, p47