
Data protection – what happens after Brexit?

UK government update

04 September 2017

The UK government has set out its plans for the protection and exchange of personal data with the EU following Brexit.

A paper issued by the Department for Exiting the European Union says that the UK will seek to remain “fully involved” in shaping EU data protection regulations after Brexit to keep personal data flowing and ensure legal certainty for businesses.

The UK digital economy was worth £118.4 billion in 2015 and relies on cross-border data flows. Matthew Hancock, the UK’s Minister for Digital, said in a statement: “Our goal is to combine strong privacy rules with a relationship that allows flexibility, to give consumers and businesses certainty in their data use.”

In the paper, the government says that at the point the UK exits the EU, it will be fully compliant with EU data protection laws and that it is considering a model that reflects “the unprecedented alignment between British and European law.” The paper also states: “Early certainty around how we can extend current provisions, alongside an agreed negotiating timeline for longer-term arrangements, will assuage business concerns on both sides and should be possible given the current alignment of our data protection frameworks.”

The European Commission already grants “adequacy” arrangements to 12 non-EU countries including Argentina, Israel, Switzerland and New Zealand. However, tech industry leaders have said that the UK cannot take “adequacy” arrangements for granted.

The government says that it is essential that a UK-EU model does the following:

  • allows data to continue to be exchanged in a safe and properly regulated way
  • offers sufficient stability and confidence for businesses, public authorities and individuals
  • provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection
  • respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection
  • does not impose unnecessary additional costs to business
  • is based on objective consideration of evidence

In the meantime, all EU member states, including the UK, need to comply with the General Data Protection Regulation (GDPR), which comes into force in May 2018. The UK government says: “UK businesses and public authorities may still be required to meet GDPR standards” if they are offering goods and services which involve personal data to countries in the European Economic Area.