UK data regulator Elizabeth Denham says the government will need alternative arrangements for GDPR and Privacy Shield commitments outside EU, but will have advantage of 40 years of integration with the bloc
Information Commissioner Elizabeth Denham has spoken before the House of Lords EU Home Affairs Sub-Committee to discuss potential challenges with regards to data regulation due to the UK's exit from the European Union.
Speaking in her role as UK data regulator, a position she took up last July, Denham highlighted the importance of maintaining compliance with EU regulation up until Brexit and ensuring a free flow of information in and out of the UK for private and public sector bodies including law enforcement afterwards.
She was also questioned on the role the Information Commissioner's Office may currently be playing to support and educate organisations and departments on the potential incoming changes to data control requirements and regulations that may arise from Brexit.
Denham responded that a key focus of current work had been on working with data controllers and processors on changes facing their operations from the General Data Protection Regulation (GDPR), which will become part of UK law from mid-2018.
"Even though we have to educate and we have to change our own functions, we still have to keep up with the day to day work of the office. It feels a lot like changing tires on a moving car," she said.
"When it comes to what is going to be the regulatory environment post-exit, we don't know the answers to that. But we have a lot of work going on in terms of our policy staff so that we can give advice to government and to parliament - and pretty much to anyone who asks - about what the various impacts would be of different arrangements post exiting the EU."
The committee also asked the ICO chief about the potential default position the UK would likely have to take as a non-EU member should it fail to secure data protection equivalence with the bloc to maintain current standards.
As a non-EU member, Denham said that it would be challenging from day one of the UK's new status to achieve adequacy due to required legal processes, such as assessments and obtaining opinions from European data protection counterparts.
It may therefore fall on government to arrange a transition arrangement to prevent the possibility of abrupt service disruption, she argued.
Should attempts to ensure equivalency with the EU fail for any period of time post-brexit, the information commissioner told the committee there were alternative, albeit more complicated, mechanism with regard to data sharing.
"It's not for me as the regulator to determine what the regulatory measures and environment will look like after exit, but there are measures, other than adequacy so that data can flow. In the GDPR, similar to existing laws today, companies can rely on standard contractual clauses, on binding corporate rules, on the consent of individuals," she said.
"These are all legal measures to provide for the transfer of data. It's just more difficult than having an adequacy finding so data can flow."
Theoretically, Denham argued it was hard to imagine that data flows would stop following Brexit, driven not least by company interest in maintaining services.
"If there is no underlying legal authority for the transfer of data, then you have issues of complaints, investigations and enforcements, including by the courts," she added.
Denham added that GDPR and related data arrangements such as the EU-US Privacy Shield were seen as having a shared purpose to enable the flow of information for appropriate purposes whether through law enforcement or government bodies.
The Privacy Shield had been devised to set out clear safeguards and transparency obligations for US-based organisations processing data from EU citizens, ensuring their rights with regard to confidentiality in the States, impacting technology functions across the public and private sector.
The arrangement is already set to face legal action on both sides of the Atlantic that could see a similar invalidating of its assurances.
However, from the perspective of the UK leaving the EU and related arrangements like the Privacy Shield, the committee also asked the information commissioner for her views on the potential impact of data sharing and whether it might be possible to follow a model such as that used by Switzerland.
As a non-EU state, Denham said that an arrangement would need to be reached to ensure information could be transferred to the US with protections in place.
"I don't see why we would completely need to reinvent the wheel. I think looking at both the existing privacy shield and the Swiss example that has just been struck would be a starting point," she said.
"Again I go back to my earlier point that the UK is in a special situation because of the integration of everything we have done in the last 40 years with the EU."