• Contact Us

UK Government Seeks to Give Certainty for How to Share Personal Data with the EU After Brexit

on Wednesday, 27 September 2017.

The UK Government has published a series of position papers on Brexit. In one, it has sought to give comfort to citizens, businesses and institutions on the exchange and protection of personal data.

The Government has said it is in the interests of both the UK and the EU to agree early in the Brexit negotiation process a way to mutually recognise each other's data protection frameworks as a basis for continued free flows of data between people in the EU and the UK from the point of the UK's exit from the EU.

Potential Issues for Business

The potential issue for business is that the EU places strict rules on how personal data can be shared and exchanged with people from outside the European Economic Area. One way is if the country concerned is deemed to have 'adequate' data protection laws. To date, very few countries have been deemed to be adequate - examples are Argentina, Israel, New Zealand and Switzerland. Canada and the US have conditional adequacy decisions, depending on whether the organisation is bound by the rules that are adequate. There are other ways of enabling data to be transferred, such as model data protection clauses or binding corporate rules, or seeking the data subjects' consents.

The simplest means for enabling international data transfer and free flow of information is through a European Commission finding of adequacy for a country's data protection laws.

The Government's Position

The UK Government's position is that, since the UK is already working to EU data protection standards and is implementing and recognising the General Data Protection Regulation and Data Protection Directive, both of which come into force in the UK in May 2018, there should not be any difficulties in the EU reaching a finding of adequacy in respect of the UK. That would certainly enable people on both sides on the ground to continue proceeding with certainty - particularly businesses, which are facing enough uncertainty around the Brexit process. That is why the UK Government is calling for an early finding of adequacy in respect of the UK, so as to remove at least one layer of uncertainty over what happens after Brexit and to create stability. 

The UK Government is also calling for regulatory co-operation, since the UK's regulator - the Information Commissioner's Office - already works very well and has a lot of influence with the other data protection regulators around the EU. 

It therefore wants to see a unique close co-operation post-Brexit deal as part of a new, deep and special partnership between the UK and the EU. 

The New Data Protection Co-operation Model 

The key features of the proposed new data protection co-operation model are:

  • Maintaining free flow of personal data between the UK and the EU.
  • Providing sufficient stability and confidence for businesses, public authorities and individuals.
  • Providing on-going regulatory co-operation between regulators in the UK and the EU.
  • Continuing to protect the privacy of individuals.
  • Respecting UK sovereignty.
  • Not imposing unnecessary additional costs on businesses.

What This Means for Business

This is a very welcome step and an early agreement to build on and continue the current free flows of data can certainly be good for both sides. The question is whether the negotiation tactics will get in the way of what should be a common sense position that helps people on the ground such as businesses in the UK or EU.


For further information, please Paul Gershlick in our Pharmaceuticals & Life Sciences team on 01923 919 320

Leave a comment

You are commenting as guest.