In the last couple of months the EU and the UK have both issued their official positions on the situation as regards Brexit and personal data protection, which can be found here and here. This brief article summarises the respective positions.
What does the EU position paper say?
The EU’s paper is somewhat narrow and also quite generalised as can be gleaned from its title of “Use of Data and Protection of Information Obtained or Processed before the Withdrawal Date.”
The EU’s starting-point is that the UK/UK entities can keep and continue to use personal data processed/received in the UK before the UK leaves the EU “only if” the conditions (referred to as “principles”) set out in the position paper are fulfilled, failing which this data “should be erased or destroyed”; the paper also states at the start that the principles should also apply to personal data processed/received after the UK has left the EU (pursuant to what will be the Withdrawal Agreement between the EU and the UK).
The principles set out in the position paper are mainly referred to in general terms and concern both data subjects in the (other) 27 EU Member States and also data subjects outside the EU (to the applicable extent). Examples of the rights data subjects should have include subject access rights, the right to be forgotten, the right to object to processing, and the right to portability (all of which are set out in the EU General Data Protection Regulation – GDPR). Further, data should not be stored any longer than is necessary.
The EU is also keen that the principles apply to data shared (and governed by EU security rules) between EU/EU Member State bodies and UK bodies known as “EU Classified Information” (EUCI); the EU also wants the UK to ensure that contractors and sub-contractors carrying out projects handling EUCI protect EUCI accordingly. Finally, the EU wants the principles to apply to data shared between EU/EU Member State bodies and UK bodies in the context of: competition/anti-trust; pre-clinical, clinical and toxicological studies; and, customs.
What does the UK position paper say?
The UK is in the process of aligning UK law with the GDPR, about which we have written and video information here.
Once the UK’s legislation is in place the UK’s data protection rules will be aligned with the EU data protection framework. For the UK this means that it will be starting “from an unprecedented point of alignment with the EU” in recognition of which “the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model” the benefits of which would include “enabling the […] (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue” after the UK has left the EU. Continued cooperation with the EU as regards personal data sharing and protection in the context of fighting terrorism and serious crime (including money-laundering) is also a key objective of the UK.
A key thrust of the UK’s “future partnership” position paper is to stake its claim to seeking an official “adequacy decision” from the EU, which doesn’t come as a surprise. Interestingly the UK position paper points out (in its view) various downsides to alternatives to an adequacy decision such as Model Clauses and Binding Corporate Rules especially in terms of resources. This process may nevertheless take some time and won’t necessarily be plain sailing, especially as regards consideration by the EU of the UK’s sweeping surveillance legislation (the Investigatory Powers Act 2016).
To fill any gap once the UK leaves the EU, the UK is also proposing that the UK and the EU agree “to mutually recognise each other’s data protection frameworks” so that data flows can continue until “new and more permanent arrangements” are in place.
Although it doesn’t say it so directly, reading between the lines (“[t]he UK would be open to exploring a model which allows the ICO to be fully involved in future EU regulatory dialogue”), presumably the UK wishes to be able to participate in some measure in the European Data Protection Board (which will replace the WP29 under GDPR) – if so, and if the rest of the EU is interested in this, this would take time to negotiate and agree.
The focus of the EU’s paper is on the situation up to the UK leaving the EU, albeit with a nod to the future, whilst the focus of the UK’s paper is the situation in the future. The EU’s paper was published after the UK’s paper so its emphasis appears to reflect the EU’s general Brexit stance of mainly focusing on the situation up to the UK’s withdrawal from the EU. Businesses would do well to continue to follow these developments, especially in order for them to gain a better sense of certainty as regards data protection after Brexit.
We have also developed the GDPR Navigator™ subscription service to help businesses get ready to deal with GDPR compliance requirements, which you can find out more about here. Navigator includes the following resources:
- A Guidance Note on accountability and audit;
- A Guidance Note on appointing processors;
- A Guidance Note on determining who is the data controller and data processor;
- A comprehensive Glossary of data protection terms;
- A Guidance Note on fine determination;
- A 35-minute film on key aspects of GDPR;
- A 10-minute film on the information security aspects of GDPR; and,
- A 25-minute film on Data Protection Impact Assessments.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
- Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
- André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785