Denham: Best way forward would be to obtain an adequacy finding from the EU

Elizabeth Denham, Information Commissioner, is recommending to the government that the UK applies for an EU adequacy finding for data transfers. Giving evidence at the House of Lords EU Home Affairs Sub-Committee on 8 March, Denham said that an adequacy finding would be much more straightforward than the other mechanisms available - model contractual clauses or Binding Corporate Rules (BCRs).

“Achieving adequacy on day one after leaving the EU may be challenging as it involves a process, and opinions from the EU Article 29 Working Party – but it is up to the government if we can negotiate a transitional arrangement.”

When asked if data flows would stop in absence of any deal, she said that would be hard to imagine, as it is a theoretical question. She said that if data flows were happening against the law, she would need to take action, but hoped that she would not be in that situation.

Any negotiation on adequacy would take place between the UK
government and the EU Commission. She said that given the UK’s current position in the data protection world, one cannot compare possible future negotiations with any other country’s experience. So far, only 9 jurisdictions have an adequacy finding, so there are other types of agreements too. But BCRs and model clauses are not so easy for companies, especially SMEs.

Denham said that the GDPR will require much new resource at her office. She intends to recruit another 200 people in the next two years to meet that demand – lawyers, policy advisers etc.

“We have assessed our need for staffing and resources in the next three years. We have done a business case and have put it in front of the government. Even if the UK is not in the EU, our international work is increasingly important, and will require more resources.”

“From my perspective, the best situation will be to fully implement the GDPR, and put into practice the law enforcement Directive – unified implementation is the way forward. Lowering the level of data protection is not a sustainable business model.”

She said it is paramount that the UK will take part in the future European Data Protection Board (which will replace the EU Art. 29 DP Working Party from May 2018) in some manner. If the UK is not in the EU, it will need a Privacy Shield type of arrangement with the US.

“We do not need to completely reinvent the wheel, a starting point would be to look at the EU-US Privacy Shield and US-Switzerland agreement. The UK is in a different position though - maybe some adjustments could be made” to these arrangements.