Greetings from Brussels!

You could be forgiven for thinking that nothing of importance is going on in the world outside the confines of the pandemic as it dominates every facet of our reality. However, within the EU and U.K. political spheres, there remains the other equally compelling challenge at hand, that of Brexit. Recent accounts from the negotiation table are not encouraging. A third round of videoconference talks this last week between the EU and the U.K. teams on the post-Brexit relationship stalled. And this ahead of a critical June month with additional talks planned before an EU summit meeting with U.K. Prime Minister Boris Johnson toward the end of the month.

While the draft EU agreement as published in March covers all areas of the negotiation, importantly for privacy pros, it includes provisions around the digital economy and data protection. An important level of emphasis is placed on a mutual commitment to data protection, placing a priority on promoting and preserving the fundamental rights to data privacy and protection.

On the other hand, the U.K. government outlined their position in their recently published approach to negotiations stating that — in regard to data protection — “cooperation will be underpinned by the importance attached by the U.K. and the EU to safeguarding human rights, the rule of law, and high standards of data protection. The agreement should not specify how the U.K. or the EU member states should protect and enforce human rights and the rule of law within their own autonomous legal systems.”  

On the subject of data adequacy, the U.K. government position states that while maintaining the right to independent policy on data protection beyond the transition period of 31 Dec., it will seek to maintain the free flow of personal data from the EU to the U.K. through adequacy decisions both under the GDPR and the Law Enforcement Directive before the end of the transition period. Notably, the position states that these are separate from the wider future relationship and should not form part of the trade agreements.

Recent comments made by EU lead negotiator Michel Barnier, as a reflection of the recent talks, were decidedly downbeat. There is the claim that the U.K. is not wanting to commit to guarantees protecting fundamental rights and individual freedoms resulting from the European Convention on Human Rights. Barnier stated furthermore that the U.K. was insisting on “lowering current standards and deviating from agreed mechanisms of data protection — to the point that it is asking the Union to ignore its own law and the jurisprudence of the ECJ on passenger data (PNR rules).” The detail around these points of discussion are not publicly available; however, the sum of the EU comments would appear to suggest — on the surface, at least — that the EU is not looking to lower its data protection standards to maintain the free flow of data with the U.K.

This is not promising, and the clock is running down. What organizational privacy teams would really like to see at the very least is an interim decision from the European Commission that states that the U.K. will be adequate with respect to data flows before the end of December — if necessary, until a time when a more detailed technical agreement can be reached. This would allow for business continuity responding to market demand for a free and bidirectional movement of data between the EU and the U.K. This is in the interests of all.

One thing is certain: Consensus on data protection and transfer decisions is not the primordial obstacle obstructing trade talk progress. Yet, there are data privacy and utility implications impacting other aspects of the trade talks particularly in what concerns digital trade and possible "localized barriers" related to securing open and trust-based online environments for businesses and consumers alike. Arguably these areas cannot be addressed in isolation.

Something is going to have to give to make progress; fewer empty words from both sides are expected.