Skip to main content

Companies: Disclosure of Information

Question for Department for Digital, Culture, Media and Sport

UIN 167833, tabled on 24 July 2018

To ask the Secretary of State for Digital, Culture, Media and Sport, what preparations he has made to support the resilience of UK companies' ability to send data across international borders in the event of no agreement being reached under Article 50 of the Treaty on European Union; and if he will make a statement.

Answered on

10 September 2018

As the Prime Minister said in her Mansion House speech, achieving a deal on data protection is one of the foundations that must underpin the UK-EU trading relationship. The recently published White Paper (available on gov.uk) sets out the UK’s ambition for a future EU-UK relationship on data protection, which builds on standard adequacy arrangements to provide for ongoing regulatory cooperation and joined up enforcement action between UK and EU data protection authorities. The government is ready to begin preliminary discussions on an adequacy assessment straight away to provide the earliest possible reassurance that data flows can continue.

However, a responsible government should prepare for all potential outcomes, including the unlikely scenario in which no mutually satisfactory agreement can be reached on data protection. That is exactly what we are doing across the whole of government, including on data transfer. Without an adequacy decision or new model in place, it is still possible for personal data to be transferred to third countries in some circumstances. The EU’s General Data Protection Regulation and Law Enforcement Directive sets out alternative methods of transfer, which companies and public authorities may use to transfer data to third countries in the absence of an adequacy decision. Further guidance on this issue is available from the ICO website.

As such, we will continue to engage with organisations that transfer personal data across borders to help them understand how they would need to operate under a range of outcomes on data protection.