October 21, 2018

October 19, 2018

Subscribe to Latest Legal News and Analysis

October 18, 2018

Subscribe to Latest Legal News and Analysis

Brexit and the Free Flow of Data

One of the less publicised but nonetheless important aspects of Brexit is whether or not UK companies will be able to maintain a free flow of personal data between the United Kingdom and the European Union.

The forthcoming General Data Protection Regulation (GDPR) will have a significant effect on businesses that process personal data. Its extra-territorial effect means that it will apply to non-European businesses if they do business in Europe or monitor the activities of Europeans. The GDPR becomes directly applicable across all EU Member States from 25 May 2018, 10 months before the United Kingdom is expected to leave the European Union.

On 14 September 2017, the UK Government introduced an extensive Data Protection Bill that runs to over 200 pages and includes provisions dealing with the flow of personal data after Brexit.

The Bill seeks to do a number of key things, including: i) take advantage of provisions in the GDPR that permit more specific rules to be introduced in particular areas, most notably employment; ii) address certain processing that does not currently fall within EU law, for example, in relation to immigration and the intelligence services; iii) implement the EU Law Enforcement Directive; and iv) deal with Brexit. In relation to Brexit, the Bill suggests replacing references to European data protection authorities with references to the Information Commissioner’s Office (ICO), which is the UK data protection authority. In addition, it provides that the ICO will co-operate and conduct joint operations and joint enforcement with European data protection authorities, and “have regard” to decisions and advice from the European Data Protection Board (EDPB).

This last provision is particularly important. The EDPB will comprise representatives of each of the national data protection authorities in the European Union, and its function is to ensure consistent application of the GDPR, provide additional guidance reflecting best practice, and issue official opinions in relation to the GDPR. It is likely that, without the pragmatic voice of the ICO within its membership, the EDPB will provide ever-more data subjectfriendly recommendations and opinions. The key question currently relates to the extent to which the ICO will import that guidance into post-Brexit UK law.

In its policy paper The exchange and protection of personal data, the UK Government has stated that it hopes UK law will remain “adequate” so there can be a free flow of personal data between the European Union and the United Kingdom. In contrast, in its position paper on the Use of Data and Protection of Information Obtained or Processed before the withdrawal date, the European Union says it is concerned that UK law will not be adequate and, moreover, demands particular protection for EU data that remains in the United Kingdom after Brexit.

Until a concrete decision is in place, companies’ best course of action is to prepare for compliance with UK data protection law and the European GDPR if they have entities or customers in the European Union; and keep a close eye on the ICO’s adoption of EDPB opinions.

Gemma Cullen also contributed to this article

© 2018 McDermott Will & Emery


About this Author


Ashley Winton focuses his practice on global data protection and privacy, information governance and cybersecurity compliance. He has particularly in-depth knowledge of cyber breach response, cybersecurity in the context of payment systems, the lawful interception of data, and the conflict of laws in relation to corporate and government investigations and international litigation. Ashley frequently represents major corporations, trade associations, charities and government entities on a range of data privacy and cybersecurity issues and he has significant experience in...

Paul McGrath, Employment Law Attorney, McDermott Will Emery Law firm

Paul McGrath is an associate in the law firm of McDermott Will & Emery UK LLP, based in its London office. His practice covers all areas of contentious and non-contentious employment law in the UK.