UK government makes a case for a legally binding data protection agreement with EU

In a recently issued technical note, the UK government argues that a legally binding agreement would be more beneficial both for the UK and the EU than an adequacy decision.

After Brexit, the UK will be regarded as a third country and will need to have some arrangement in place. The government makes some strong points in favour of an agreement by saying that any significant data breach by an EU company is likely to affect data subjects and businesses in both the EU and the UK, as well as involving websites from a range of different countries. Under a standard Adequacy Decision, the company would face investigation by both the EU and UK regulator as well as two sets of large fines - up to €20 million or 4% of global turnover - for the same breach, it says.

Furthermore, a legally-binding agreement would keep the ICO in the One Stop Shop and EU companies would have to deal with only a single regulator for any breaches that affected both EU and UK.

In addition, the government says that ‘Unilateral Adequacy Decisions do not impose obligations on both parties, or an obligation to deal constructively with challenges. By contrast a legally-binding agreement could oblige both sides to avoid as far as possible any disruption to data flows.’

‘A dispute resolution mechanism for solving problems before they escalate could be included, providing for an agreed handling process to minimise any disruption in the event of a legal challenge, for example.’

Information Commissioner, Elizabeth Denham, explained to Parliament’s Exiting the EU Committee last month that an adequacy agreement is based on an EU evaluation, but a legally binding treaty would reflect the viewpoints of both parties. She also said that the UK is in a unique position having had an EU-level data protection law since 1984, and carries out a large amount of work at European level, partly due to being the largest EU regulator.

There have been concerns whether the UK would meet the EU adequacy requirements due to the surveillance authorities’ extensive powers.

See the technical note at