UK Information Commissioner Elizabeth Denham has called for an international treaty on data protection to be set up within the next ten years.
"That is on the horizon, that's where we need to go if we recognise the global nature of data," Denham said during a House of Lords EU Home Affairs Sub-Committee.
She also recommended the UK applies for an adequacy rating with Europe after triggering Article 50.
An adequacy rating - described by the EU as when a third country ensures an adequate level of protection through domestic law or international commitments - would ensure the free flow of data between the UK and countries in the EU.
The requirements for meeting a full adequacy rating are stringent and in practice would probably mean the UK fully adopting the policies of the upcoming General Data Protection Regulation. It would require a negotiation between the UK government and the European Commission, because the latter is the body that grants adequacy ratings to third countries.
"There are other ways for data to flow, or agreements that could be put in place, but it's not as straightforward for businesses to negotiate binding corporate rules and standard contractual clauses," Denham said.
Denham warned that she is a "long way from the negotiating table" but is advising the government on her field of expertise. "I do think the ministers' doors are open and we are actively providing advice," she said.
But she warned that the government must do its best to help ensure the ICO has a seat at the table so that it can influence debate over the future of data regulation in the EU.
"It's very important the government consider the ICO's place and the ICO's influence in what is going to be the European Data Protection Board," Denham explained. "Anything the government can do to ensure we have some status... if we're a third country, the European Data Protection Board is going to be an adjudicative board - it's not just an advisory board the way it is right now."
"It will make decisions about the data processing of companies and organisations that impacts on UK citizens," she said. If the ICO isn't close to those decisions, it could prove frustrating for both citizens and government, Denham warned.
Denham explained that the ICO meets with many countries outside of Europe, for instance Japan and Singapore, whose data regulation policies are less mature than those of the UK, which brought in the Data Protection Act in 1998.
The ICO has created a business case and put this to government for an increase in resources over the next three years, specifically to address the complexities that GDPR might bring. Even if Britain were to remain in the EU, international work has become increasingly important to the organisation.