Netherlands raises concerns on UK data adequacy after EU database copying incident

A row of EU flags
(Image credit: Shutterstock)

The Netherlands has refused to share criminal convictions data after the UK copied an EU database, sparking concerns whether Britain will be able to win access to European data after Brexit.

Post Brexit, data flows between the EU and UK will fall to what's known as an adequacy decision. If the European Commission agrees that a non-EU country's data protections are adequate, it can approve the transfer and storage of European citizens' data via that country. With the UK exiting the EU, it will need such approval.

However, at least two EU countries have raised concerns about British data standards, according to a report in the Guardian. A board meeting record seen by the newspaper reveals opposition from France and the Netherlands to sharing criminal convictions data with the UK, though each country had different motivations.

“France are currently not engaging for political reasons, and Holland will not engage due to concerns around the UK’s data adequacy status,” the document reveals, according to the report.

In a statement to the Guardian, the Home Office noted that the discussions in the report were relevant only for a no-deal Brexit. Under the withdrawal agreement now in place for Brexit, the UK will have a transition period until the end of 2020, during which current EU rules will continue to apply, meaning data flows won't be immediately impacted.


Your guide to overcoming Brexit's data management challenges

Understand Brexit and the data law modifications it may cause


However, over those 11 months, the UK must negotiate a new agreement. If nothing is agreed by the end of 2020, Britain and its companies will need additional contracts and agreements in place to handle European data.

This is where an adequacy agreement comes into play. If Britain is deemed "adequate", it will be allowed to handle data just as though it was still an EU country. The European Commission has adequacy agreements with countries including Israel, Canada, and the Isle of Man, as well as the US, though is limited by the Privacy Shield rules.

While the meeting may have happened when a no-deal Brexit seemed likely, the UK will still face challenges agreeing on an adequacy deal if EU countries dispute its data protection abilities.

The Dutch government said in a statement to The Guardian that it was concerned about one breach in particular, the illegal copying of the Schengen Information System (SIS) criminal database by British officials, which sparked a complaint from a Dutch MP who accused Britain of "behaving like cowboys".

A Dutch government spokesman told the newspaper that trust was necessary, but suggested it wouldn't necessarily block the UK from an adequacy decision: "The SIS case only serves to underline this. Given its ambitions the Netherlands actively supports the commission’s approach to achieve an adequacy decision with the UK on data protection in the field of security cooperation."