Thank you for contacting me about data transfer clauses in the UK-Japan Comprehensive Economic Partnership Agreement (CEPA).
I know there has been a great deal of discussion surrounding data protection issues relating to this agreement and it is important to address the misconceptions which have emerged.
Regarding claims that the CEPA places the free flow of data over data protection rights, nothing in the agreement undermines the UK’s data protection framework. In fact, the CEPA contains a commitment that parties maintain a legal framework that provides for the protection of personal information. The UK and Japan have agreed to avoid unjustified restrictions on the free flow of data between the UK and Japan, facilitating the collection, processing, and transfer of data between both parties. Restrictions can, however, be adopted or maintained to achieve legitimate public policy objectives, such as protecting personal data.
In terms of the idea that the agreement could act as a gateway for UK data to flow to third countries via Japan without protections, the article in the agreement on cross-border data flows is designed to prevent either country from arbitrarily restricting data being sent to the other country. It does not, however, require the UK to send any specific type of data to Japan or vice versa. Instead, the provisions clear the way for the flow of data between countries for business purposes; but any resulting transfer of personal data would still have to adhere to the UK’s data protection legislation.
I would like to reassure you that concerns of potential ‘data laundering’ are unfounded. Through our data protection legislation, the UK maintains high levels of data protection both domestically and with our trading partners. It is important to note that CEPA does not alter the UK’s existing data protection framework and legal safeguards for personal data.
Thank you again for taking the time to contact me.