Q&A: Brexit: the EU data protection package

The EU Home Affairs Sub-Committee of the UK House of Lords published on 18 July 2017 a Report entitled 'Brexit: the EU data protection package,' which follows discussions about possible barriers to UK trade and security if UK-EU data transfers are hindered post-Brexit. Liz Fitzsimons, Partner at Eversheds Sutherland, gave Digital Business Lawyer her take on the Report.

What is your response to the Committee’s statement that they ‘were struck by the lack of detail on how the Government plans to deliver’ on unhindered cross-border data flows? Do you have similar concerns?

The Report considers the impact of Brexit on data protection issues, primarily focusing on data transfers between the UK and the EU, bearing in mind the impending application in the UK of the General Data Protection Regulation (GDPR), replacing the current EU data protection directive. It also notes the onward transfer issue, where the UK sends on EU data to further countries, such as the US, to which data transfers are facilitated currently by the UK being able to rely on EU negotiated Privacy Shield arrangements, or the EU-US Umbrella Agreement for criminal data but which may cease to apply following Brexit. 

In addition, the Report considers the corresponding change pending across the EU in relation to criminal data under the Police and Criminal Justice Directive (PJC) and the anticipated changes in respect of ePrivacy laws across the EU. It also considers the impact of key CJEU decisions in respect of data protection and privacy, including Schrems I (the standard for adequate safeguard for data transfers), Schrems II (the current challenge to the validity of the current approved form of Standard Contractual Clauses used to secure adequate safeguard for data transfers) and Tele2 and Watson (considering the validity of legislation in respect of data retention and interception). 

The Committee quizzed witnesses on how the Government would ensure continuing uninterrupted data flows to and from the UK post Brexit, in the event that the UK became a “third country” like the US. It looked in particular at whether the UK would seek a Commission decision confirming “adequacy” on the UK, as it has previously for non-EU countries like Switzerland and Jersey. 

The Report highlights quoted comments from witnesses, including Matt Hancock MP, Minister of State for Digital, who stated that “there are many different ways this could work”, but did “not want to stress any particular option.”1 The evidence in the Report indicates that the Government did not share any preferences about how it wishes to secure the goal of seamless data flows, or give away any real detail on what plans it has to achieve that goal. It is impossible to say whether that is because no such plans are in place or underway, or whether the Government wishes to keep its options open and not provide any levers which could be pulled in respect of the current Brexit negotiations. It would have inspired more business and investment confidence, especially for those in the digital economy, to see reported confirmation that the Government has worked up detailed planning on a number of options to secure seamless data transfers post Brexit, including an adequacy decision, which are currently being implemented – even if their details were not then shared. 

The details consider the issue of seamless data flows post-Brexit in a very UK-centric way. However, they do not explore the importance to non-UK businesses and organisations in the remaining 27 EU member states of being able to continue to send personal data to the UK, to continue to work with their affiliates in the UK, and to do business with people in the UK. 

The need for easy data transfers to the UK to protect the UK’s digital economy and its continuing growth was highlighted, commenting on how the US had safeguarded data flows to it through the Privacy Shield mechanism for civil data (and by the Umbrella Agreement for other data). The importance of confidence in the UK as a data centre and the ease of continuing to do business with it cannot be underestimated. But stepping back slightly, it is worth noting that the ability of US providers to conduct business successfully with EU customers, especially in the digital economy, does not seem to have been hampered to date by being a third country without adequate safeguard status, and despite that “gap” only being closed for limited recipients (2343 certified to date) under Privacy Shield, although most of the bigger tech players are now certified.  

Current data protection laws prohibit data transfers to third countries, i.e. non-EU countries, as does GDPR. In reality, due to arrangements in place between the EU and the European Economic Area (EEA) countries of Norway, Iceland and Liechtenstein (who are not EU member states), the European safe zone for cross border transfers includes the EEA countries, with adequate safeguards only being necessary outside the EEA. Interestingly, the Report does not mention that currently the UK has only given notice to exit the EU, not the EEA. The UK Government’s view on the exit mechanism for leaving the EEA is currently unclear and may come down to a future policy decision following negotiations with the EU. However, the Government appears to be saying that once the UK leaves the EU, even if the UK remains within the EEA, that will not amount to functional membership of the Single Market. The recently published proposed European Union (Withdrawal) Bill, which deals with the repeal of the European Treaties, envisages the transposition of what it refers to as EEA law into domestic law in the short term, but without giving any detail on formal exit from the EEA or the impact on data transfers.

If greater detail does need to be given by the Government on its plans for unhindered data flows post-Brexit, as the Report says, what more do we need to see? What promises does the Government need to make to reassure UK digital businesses that their business will not be negatively impacted by Brexit?

One of the major concerns in relation to the impact of Brexit is that upon leaving the EU, the United Kingdom will become a ‘third country’ under GDPR and outside the “safe zone” of cross border data flows between EU member states. GDPR makes transfers of personal data from EU member states to third countries unlawful unless certain criteria are met to ensure “adequate safeguard” for the personal data and the rights of individual data subjects. 

Moving from the current regime where such data transfers from the EU to the UK happen without additional measures being needed, to one where they cannot take place without such measures being adopted is causing concern on a number of fronts. Unless steps are taken at Commission/Governmental level to grant the UK an adequacy decision as a third country, which is the easiest solution for business, each exporting business or organisation in the EU needs to satisfy itself that an appropriate lawful solution is in place for each planned dataflow to an identified importer recipient or group of them in the UK. It is feared that this need for a transfer solution will take time to put in place and incur additional unnecessary costs – as well as being less flexible than an overarching country level solution. UK business, especially in the digital economy, is concerned that these challenges and costs will make the UK a less attractive place to contract with in comparison to other countries and that it will lose business and opportunities as a result. 

In the Report, the consensus of the witnesses spoken to was that an adequacy decision would “provide the most comprehensive platform for the UK to continue receiving data from the EU post-Brexit.”2. The Information Commissioner, Elizabeth Denham, told the Committee that an adequacy decision would be “the best way forward” and “the most straightforward arrangement for the commercial sector and certainly for citizens and consumers.”3

Even if the Government does not want to reveal its preference, or game plan to this area of negotiations, it would be helpful to have some information to indicate a number of options which are under consideration, if possible to set out in headline terms their respective advantages and disadvantages and most importantly to confirm some details of the process being undertaken by Government in relation to them and to give comfort that this issue is being properly addressed.

What impact would a greater level of friction around data transfers between the UK and the EU post-Brexit have on digital businesses operating in the UK?

In the event that the UK becomes a third country outside the GDPR safe zone for data transfers, each UK business will need to reconsider all data flows from the EEA countries to it. Unless there is an overarching solution in place in time, this will affect current business relationships and contracts which will need to be supplemented to deal with adequate safeguard issues, plus addressing the issue in future procurements and contracts in advance. 

Having to consider and implement such adequate safeguard solutions may increase the costs of working with a UK provider compared to a provider without similar data transfer issues e.g. because they are in an EU member state, or certified under Privacy Shield, making the UK option less attractive. The relevant costs are unlikely to make a material difference. 

Some may try to use any concerns about whether the UK offers a safe and lawful haven for personal data to competitive advantage to move business and opportunities away from the UK to more certain havens, such as keeping the relevant services local.  We have seen that where EU member state supervisory authorities, or works councils in the 27 EU member states have concerns about outsourcing or partnering arrangements, data transfer concerns become an important issue to be resolved and can delay transactions, increasing costs. In serious cases, concerns may prevent transactions closing as planned. 

Although with no little inconvenience, adequate safeguard solutions like the standard contractual clauses can be adopted and put in place where necessary to safeguard data transfers and ensure that they can continue lawfully. The Report notes that these too are under legal challenge but this is not unique to the UK and is part of a wider issue which will affect all data transfers from EEA countries to outside the EEA based on that solution. Any such successful challenge would have to be addressed at EU Commission level, as was the case following the collapse of Safe Harbour when data continued to flow to the US and the EEA continued to trade with it.

Why do you think the Government has perhaps not been specific in its plans for cross-border data transfers post-Brexit?

It is likely that the Government wishes to keep the details of its preferred approach and plans for data transfers confidential due to the nature of the Brexit negotiations and to maximise its negotiating position. For instance, saying the UK only wants an adequacy decision, but it must be in place by the time of Brexit or any brief transitional period agreed is likely to trigger objections from privacy campaigners opposed to UK national security activities, and may trigger complaint from those third countries already waiting patiently in the long pending approval adequacy decision queue. 

The Report also notes that adequacy decisions “can only be taken in respect of third countries, and there are therefore legal impediments to having such decisions in place at the moment of exit.”4. So rather like the approach to the Brexit negotiations of exit first and then future relationship discussions, stating publicly at this point that the UK wishes adequacy status to be negotiated before exit is likely to cause unwanted attention, criticism and disruption.  

An influencing factor will be the general uncertainty about all solutions for lawful data transfers affecting even those in the remaining EU 27 Member States. Current standard contractual clauses and Privacy Shield are already subject to legal challenge; all adequate safeguard solutions will need to be revisited to upgrade to GDPR standards, including third country adequacy decisions already in place and Privacy Shield; and there are additional concerns surrounding this, for example what the relatively new US Administration’s policy will be in this area5.

The UK Government stated in its White Paper on Brexit its objective of maintaining the stability of data transfers between the EU, Member States and the UK. Is such a statement a bigger attribution of importance to data in the Brexit negotiations than you were expecting? Is this something to be commended? Do you think cross-border data flows are as important as other aspects of the Brexit negotiations?

It is not surprising that data protection has received such a high billing in the Brexit negotiation objectives as both the UK and the remaining EU 27 member states are hugely dependent on seamless cross border data transfers continuing and not just for ongoing business and economic growth but also for national security, crime prevention and individual security. As the Report notes, “Police and judicial cooperation across national borders also relies on cross border flows of data.”6.

The one issue likely to change therefore in the data protection context is the UK’s potential move from being an automatic safe zone for EU personal data, to overnight becoming by default an unsafe zone for data. It therefore makes perfect sense for the Government to identify and focus on this issue – and businesses and organisations would be more concerned had it not done so. The ability to safely transfer personal data is key to building on any arrangements agreed in respect of single market access and trading as without personal data exchanges, it will not be possible to benefit from those negotiated terms in reality.

Given that, as the Report states, three quarters of the UK cross-border data flows are with EU Member States, is it inevitable that the UK must establish a GDPR level of data protection adequacy post-Brexit? Might such high levels of regulation deter digital businesses that might be hoping to see a UK that is a safe haven from such restrictions?

The UK Government and the ICO have committed to comply with GDPR which applies in the UK for several months prior to any Brexit. Many UK businesses have or are part of businesses with establishments across the other 27 EU member states and will need to comply with GDPR in any event, so maintaining aligned approaches simplifies matters for business and reduces time and costs involved in compliance. In any event, UK organisations may be subject to GDPR in any event due to activities in the UK captured by the GDPR’s extra territorial reach. For those reasons, GDPR will come into application in the UK regardless of any Brexit issues. 

Having implemented GDPR already in the UK, it is highly unlikely that there would be any appetite to turn back the clock post Brexit to a pre GDPR landscape. The Government will be keen to make life as easy and efficient for business as it can and to avoid wasted costs and time. 

The pressure to maintain GDPR will also come from the desire to secure seamless data transfers, as having lower standards in the UK would give critics ammunition for arguments that the UK would not be a trusted data centre or place to do business and could not deliver adequate safeguard. 

If the UK chose to pursue a third country adequacy decision, it would have to demonstrate parity with GDPR and despite potential permitted derogations allowed to be adopted by the UK under GDPR, would need to be careful to follow an acceptable line to maintain confidence from the other EU supervisory authorities. 

Even if the UK chose not to pursue an adequacy decision as a third country but to rely on adoption of standard contractual clauses for data transfers, EU supervisory authorities or interested parties may challenge reliance on them to countries deemed unsafe for personal data, such as where standards were noticeably soft in respect of data protection. 

The current Information Commissioner in the UK has already publicly taken a stance to toughen enforcement of privacy laws in the UK, issuing fines to a number of businesses and showcasing a genuine direction of travel to the higher standards and requirements of GDPR. Although a risk based, pragmatic line is expected to be taken to enforcement in the UK,  the Information Commissioner looks likely to be adopting a tough line to protect personal data and individual rights. Arguably, this is at least in part to ensure there are no easy excuses for those who wish to argue the UK is weak on compliance and cannot be trusted as a key data centre. 

Maintaining high levels of regulation in the UK is unlikely to deter digital businesses because standards will be the same or similar in very many countries, not just across the EU but also in other regions. Depending on their activities, businesses outside the EU may have to be GDPR compliant in any event where they support EU clients, or focus on the EU market, so for them GDPR standards in the UK would be expected.

Liz Fitzsimons, Partner
Eversheds Sutherland (International) LLP

1 European Union Committee, Brexit: the EU data protection package, 18 July 2017, para 78 

2 Ibid, para 80

3 Ibid, para 80

4 Ibid, para 113

5 Ibid, para 56

6 Ibid, para 5
