Brexit & International Data Flows: Still in Choppy Waters

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...


The U.K.'s Data Protection Bill reflects the government’s desire to maintain international data flows with the European Union post-Brexit, but its confidence that U.K. surveillance laws won’t pose an obstacle to continuing data flows will only become apparent when the Brexit negotiations turn to data protection issues, the author writes.

Rohan Massey

By Rohan Massey

Rohan Massey is a partner at Ropes & Gray LLP in London and leads the firm’s privacy and cybersecurity practice in Europe.

By Rohan Massey

The U.K. government has produced a response to the House of Lords’ European Union Committee’s Brexit: EU Data Protection Package Report which was published on July 18, 2017. The Department for Digital, Culture Media & Sport’s position may be seen as generic rather than detailed in addressing some of the conditions raised by the Lords and in supporting the assurances as to the U.K. government’s commitment to continued alignment with the EU on data protection issues and maintaining a strong influence on international data protection standards.

Forging a Strong Future Partnership

The government, of course, acknowledges the importance of sharing personal data for commercial purposes and wider cooperation, with the prospect of any friction around data transfers presenting not only a threat to security but, in the committee’s words, “a non-tariff barrier to trade, particularly in services, putting companies operating out of the U.K. at a competitive disadvantage.” In his response letter to the committee of Oct. 26, 2017, Digital & Culture Secretary Matt Hancock stated that the U.K. will continue to align its own database protection framework with that of the EU, “to enable us to forge a strong future partnership…in the interests of the both the U.K. and the EU.” As to how that might be achieved, besides taking forward in the Data Protection Bill the new EU stance for data protection in the GDPR, he refers to the government’s proposal that the U.K. and EU agree a model for protecting and exchanging personal data. The letter refers to the parliamentary discussions around the need for an “enhanced mechanism” that builds on the existing model of adequacy provided for third countries. It is a model that the government would like to see to maintain the free flow of data across the Channel along with continued regulatory cooperation whilst respecting U.K. sovereignty and not imposing unnecessary additional costs to business.

Continued Alignment With EU Rules

Even with the U.K.’s data protection rules aligned with those of the EU, the committee’s further concern is that if, as is likely, the EU continues to amend or update its rules, the U.K. must continue to align its data protection rules with EU rules that it no longer participates in setting. Again, the U.K. government’s answer is that it is seeking to establish a new partnership with the EU that provides for ongoing regulatory cooperation on data protection issues, that the Data Protection Act 1998 is seen as the gold standard which the government is committed to maintaining, and that the Data Protection Bill will ensure that organisations that handle personal data do so in accordance with the same set of rules as those organisations in the EU. A convincing answer to the committee’s concerns, however, is unlikely to emerge until the prospect of a new partnership with the EU, upon which regulatory cooperation is based, becomes a reality.

Losing the National Security Exemption

Another concern for the committee is that the U.K., post-Brexit, could find itself held to a higher standard by the EU as a third country than it has been as a member state. This is because it will no longer be able to rely on the national security exemption in the Treaty on the Functioning of the European Union that is currently engaged when the U.K.’s data protection and surveillance regime is tested before the EU Court of Justice. In his letter, Hancock merely says that the U.K. is confident that its national security legislation should not present a significant obstacle to data protection negotiations. The activities of U.K. security and intelligence agencies, he argues, are governed by one of the world’s most robust legal frameworks and oversight arrangements. This will “ensure U.K. intelligence activity adheres to strict principles of necessity and proportionality.” The letter does not refer to specific legislation, such as the Investigatory Powers Act, but again the committee’s concerns in this respect are unlikely to be allayed until “data protection negotiations” begin in earnest and yield the answers. We expect this to be in 2018.

Arrangements With the U.S.

Turning its attention to the U.S., the committee asked for assurances that the U.K. government is seriously thinking about how it can demonstrate to the EU that it has put in place arrangements with the U.S. that afford the same level of protection as the EU-U.S. Privacy Shield. The government’s assurance on this point is merely to confirm that it wants to ensure that data flow between the U.K. and third countries with EU adequacy decisions, such as the U.S., can continue on the same basis and that it will continue to work closely with the EU and other international partners to ensure the necessary safeguards for citizens’ rights are in place. There is no reference to any tangible progress in this regard which may suggest that so far little has been made, so again this may be an issue for 2018.

An International Treaty

As to the long term, the committee discussed the prospect that an international treaty on data protection could emerge as a result of better coordination between data protection authorities in the world’s largest markets. Perhaps concerned that the U.K. will lose influence in shaping such developments by ceding its position in one of those largest markets, namely the EU, the committee urges the U.K. government to work in partnership with the EU to maintain that influence. In response, the U.K. government refers to its ambition for the U.K. to remain a global leader on data protection by promoting both the flow of data internationally and appropriate high standards. Not surprisingly, however, it acknowledges that it must continue to work closely with the EU to achieve those objectives.


From a policy perspective, the publication of a Data Protection Bill that seeks to align U.K. standards with the new EU regime and indeed run seamlessly alongside that regime when it takes effect in May 2018 reflects the U.K. government’s desire to protect international data flow. However, this position does not deal with significant concerns over the U.K.’s prospects of being granted adequacy status by the EU in a sense that such status is operable from the very day of Brexit.

The extent to which the U.K.’s national security rules impact on the privacy rights of individuals is potentially a key focus of any data protection negotiations surrounding adequacy on Brexit. Whether the U.K. government’s confidence that this will not be a significant obstacle is justified will only become apparent once negotiations have begun in earnest, as will the longer term prospects of the U.K. maintaining or regaining influence over the interpretation and continued development of international data protection standards.

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security