Our blog editor Vasiliki Antoniadou explores the exchange of position papers between the UK and the European Commission regarding the data protection and GDPR after Brexit .
As the time for the withdrawal of the United Kingdom from the European Union approaches, the necessary and time consuming negotiation processes in the legislative field commence. Considering that the GDPR will come to force in May 2018 and the transition period for Brexit ends in 2019, the UK is bound to implement the GDPR, something not disputed by either side. The question is what will happen post Brexit in relation to the transfers of data between the UK and the EU countries?
As mentioned in our previous article, the UK national law will be aligned with the GDPR through the amendments of the Data Protection Act introduced to the House of Lords last week. However, it is crucial that an agreement is reached in order to ensure the free flow of personal data from the UK to the EU.
The UK position on GDPR after Brexit
In late August, the UK government published a position paper outlining the government’s preferred approach on the exchange and protection of the personal data post Brexit, which concludes with the following points:
- The UK is seeking a finding of adequacy by the EU regarding its amended national law, which is going to implement the GDPR requirements.
- The withdrawing party intends to follow the adequacy decisions of the EU with respect to the data protection laws of the countries outside the EU.
- With a view to regulatory cooperation, the UK is willing to discuss a model including the future involvement of the Information Commissioner’s Office (ICO) in EU regulatory developments.
The EU position on data protection after Brexit
The European Commission replied to the initiative of the UK government by releasing its position paper of September 7th, 2017. The paper refers to data of EU citizens received or processed by the UK or by UK entities prior to the withdrawal date and suggests that the GDPR provisions should continue to apply even after the withdrawal. Moreover, the EU body confirms that after Brexit the EU law will be implemented for data subjects in the UK processed prior to Brexit by the Union institutions.
Further thoughts on GDPR after Brexit
It is obvious that the position of the Commission remained rather general, since it is already known that the amended Data Protection Bill satisfies the requested EU standards even after the withdrawal. Notably, it didn’t cope at this stage with the main UK suggestions as to the adequacy model and the ongoing role of the ICO in the EU regulatory dialogue.