Government yet to hold talks on EU data transfer arrangements

Neil Merrett Published 24 March 2017

Opposition MPs criticise Whitehall for not having had “specific” discussions on how information can continue to transfer to and from the bloc post-Brexit


The government has confirmed it is yet to enter into "specific talks" with the European Union on reaching an adequacy agreement on data transfers once it is no longer a member of the bloc, with the Labour Party warning of devastating consequences should an agreement not be reached.

While the UK's present status as an EU member requires it to comply with the incoming European General Data Protection Regulation (GDPR) from 2018 until it formally leaves the bloc, questions remain over how the country may proceed afterwards and what amendments may be needed.

Asked a question in Parliament yesterday on efforts to maintain data flows into the EU post-Brexit, Mark Garnier, the undersecretary of state at the Department for International Trade, said no discussions had yet been held on the issue of ensuring adequacy to maintain existing service standards.

Garnier said that with the Article 50 process that formally commences the UK's two-year exit process from the EU expected to be triggered next week, the issue had not so far been discussed with EU authorities.

Louise Haigh, the shadow minister for the Digital Economy, said the department's response raised significant concerns for the UK technology sector and economy going forward.

"Such is the complexity and importance of an adequacy agreement, work should already be underway to avoid the nightmare scenario of exiting the EU without an agreement on data transfers," she said.

"There is every chance that elements of our current data regime will prevent us from securing an adequacy agreement in good time and protracted negotiations will cost the UK economy dearly. With the stakes so high, it is quite frankly astonishing that no talks are taking place."

With public and private sector organisations having to ensure their operations and management structures are prepared by 2018 for GDPR, such as by having data protection officers in place, Labour has moved to express concerns about ensuring a free flow of information.

According to recent evidence provided by industry and the UK's own data regulator to the House of Lords EU Home Affairs Sub-Committee, it could potentially take three years to have a workable data arrangement in place.

Earlier this month, information commissioner Elizabeth Denham told peers that her office did not know yet what the post-Brexit regulatory environment would look like, particularly with regard to data transfer.

"We have a lot of work going on in terms of our policy staff so that we can give advice to government and to parliament - and pretty much to anyone who asks - about what the various impacts would be of different arrangements post exiting the EU," she said.

Denham said that, with the UK as a non-EU member, it would be challenging from day one of its new status to achieve adequacy due to the required legal processes, such as assessments and obtaining opinions from European data protection counterparts.

She conceded that it may therefore fall on government to arrange a transition arrangement to prevent the possibility of abrupt service disruption.

Should attempts to ensure equivalency with the EU fail for any period of time post-Brexit, Denham told the committee there were alternative, albeit more complicated, mechanisms with regard to data sharing.

"It's not for me as the regulator to determine what the regulatory measures and environment will look like after exit, but there are measures, other than adequacy so that data can flow. In the GDPR, similar to existing laws today, companies can rely on standard contractual clauses, on binding corporate rules, on the consent of individuals," the information commissioner said.

Peter Wright, managing director for DigitalLawUK and chair of the Law Society Technology and Law Reference Group, has previously argued that outside the EU, existing legislation relating to surveillance powers could create issues with meeting adequacy standards for data transfers.

Wright cited the controversial powers to seize and access data for national security purposes included in the UK's Investigatory Powers Act that was passed last year.

He said that while, as an EU member, the country would be cleared to transfer data to other member states under the umbrella agreement, the UK may face much tougher scrutiny as an independent country outside of European court jurisdiction.

This could potentially require arrangements similar to those introduced by the US government to reach a Privacy Shield arrangement with the EU. The Privacy Shield is already facing legal challenges on both sides of the Atlantic.
