European Commission publishes its post-Brexit stance on data protection

The European Commission's position paper on data protection and information flows suggests that Britain needs to abide by EU data protection laws or destroy personal data gathered prior to Brexit.

27 September 2017

What has happened?

The UK government has published its position paper on post-Brexit data protection where it declared its intentions to:

  1. play a leading global role in setting data protection standards
  2. work alongside the EU and create "new arrangements" to ensure the continued flow of personal data between Britain and Europe
  3. seek to continue to be involved with EU data protection fora, such as the new European Data Protection Board which will be established by GDPR.

The European Commission’s (EC) Brexit negotiators have responded with a number of position papers voicing its opinion on topics such as intellectual property, public procurement and data flows. These papers provide some insight into the EC's current stance on key issues for Brexit negotiation.

What does the EC position paper on data protection say?

The EC position paper outlines the requirements for protection and use of data post-Brexit and suggests that Britain needs to either abide by the European Union data protection laws in respect of personal data gathered prior to Brexit or else destroy that data.

The paper firmly establishes that the UK will only be able to continue to use and process data or information obtained prior to Brexit if it does so in strict accordance with certain conditions. This means that post-Brexit UK businesses must continue to abide by EU laws with respect to EU data subjects in the same way that any other non-EU territory with be required to under GDPR.

Protecting personal data

The paper confirms that personal data belonging to UK citizens that is being processed within the EU27 will continue to be protected in accordance with EU laws from the date of Brexit. This is good news for UK citizens as it means that they will still benefit from strict data protection standards when dealing with European businesses and governments. 

It is also suggested that the Withdrawal Agreement should allow for the completion of any investigations or procedures for monitoring compliance with personal data protection provisions between the UK authorities and EU27 authorities.

Protecting EU Classified Information (EUCI)

EUCI was addressed because EU officials are concerned about the amount of EUCI that has been shared with the UK, which would then not be subject to the EU's high privacy standards once the UK leaves.

The EC’s position is that the Withdrawal Agreement should ensure that EUCI is protected and that any UK agencies or contractors carrying out projects under contracts agreed before withdrawal should continue to perform that contract in accordance with EU laws.

Other restrictions on use and access to data

The last section of the paper considers other restrictions on use and access to data and information obtained before Brexit. This included regulatory information such as competition activity, health and environment studies and customs data.

Noted omissions

Interestingly, the EC did not address how it foresees the operation of data flows after Britain leaves the EU. This topic was a focal point of the UK government’s paper which firmly set out its intentions of a close collaboration with the EU after Brexit and highlighted the "unprecedented" alignment of data protection rules between the EU and UK at that stage, because the UK will be subject to GDPR prior to Brexit.

Nor were there any comments on the UK’s desire to retain a position on the European Data Protection Board. Again, a continued influence in developing European data protection laws and a role for the UK’s ICO is something that the UK determinedly put forward in its paper.

Concluding remarks

In summary, the position paper describes the EC’s likely objective to ensure that EU laws shall continue to apply in the UK to any data obtained before the data of Britain's withdrawal. Whilst the stance is clear, there were no suggestions for facilitating future data flows or ideas for continued collaboration, this is in stark contrast to the UK's paper. However, given how brief the paper is, it is difficult to suggest whether this is telling of a lack of intention for a future relationship.

Key contact

Andrew Dunlop

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection

Subscribe to news and insight

How will Brexit affect your business?

The implications of Brexit are far-reaching. We can help you understand how Brexit will affect your organisation.
Find out more