David Erdos (University of Cambridge – Faculty of Law; Trinity Hall) has posted “The UK and the EU Personal Data Framework After Brexit: Another Switzerland?” on SSRN. Here is the abstract:
The UK-EU Trade and Cooperation Agreement sets out a pathway for the UK to have the closest relationship on personal data with the EU outside of the European Economic Area (EEA) and Switzerland. This is principally apparent in the area of justice and security where there is very extensive provision for data exchange including DNA and fingerprints. This exchange rests on specified common standards and will likely be complemented by the first ever EU adequacy agreement under the Law Enforcement Directive. In some contrast, understandings in the general area of data protection (at least outside direct marketing) point only to mutual adequacy. Whilst mandating “essentially equivalent” (GDPR, recital 104) protection, significant flexibility is retained. Given the UK’s distinct approach to data protection, the EU may find that it adopts a more divergent approach in the medium term than, for example, Switzerland. Bona fide implementation of the Council of Europe’s Data Protection Convention 108+ may provide a good lodestar for a more graduated regime which also seeks to clearly reconcile data protection with competing rights. The paper tentatively examines what that might entail for the proactive transparency rules, sensitive data regime, integrity provisions and specific restrictions. Any such reform would require great care and should not detract from the need for much more effective practical enforcement.