Brexit Won’t Relieve U.K. of EU Privacy Obligations

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

The U.K.'s statement that it will adopt the European Union’s new privacy regime means it will need to secure the bloc’s approval that its privacy laws are strong enough to safeguard personal data, privacy and security attorneys told Bloomberg BNA Feb. 2.

The U.K.’s Digital Minister Matt Hancock told Parliament Feb. 1 that, regardless of the U.K.’s eventual exit from the trade bloc, it would reform its privacy laws by May 2018 to comply with the EU’s new General Data Protection Regulation. The U.K. “will be treated as a third party once it’s no longer in the EU” without the right to receive EU personal data unless the bloc grants a privacy-adequacy decision, Hancock said. There aren’t any planned alternatives to ensure the free movement of personal data between the U.K. and the other 27 EU countries, he said.

The GDPR is an “important part” of “securing the unhindered flow of data between the U.K. and the EU post Brexit,” Hancock told the House of Lords EU Home Affairs Sub-committee during a Feb. 1 evidence session on the U.K.’s Data Protection Package.

Hancock spoke at a Parliamentary hearing in advance of the U.K.’s Feb. 2 release of a Brexit White Paper outlining the government’s plans for exiting the EU and removing itself from the jurisdiction of the European Court of Justice (ECJ).

Adequacy Decision

Vin Bange, partner and head of the data protection team at London-based law firm Taylor Wessing LLP, told Bloomberg BNA Feb. 2 that “against the uncertainty of not knowing” what “the future relationship with Europe will look like, it is almost inevitable that the EC will be pushed to consider whether the UK provides for a data protection regime which is ‘adequate’” or “provides an equivalent level of data protection to the EU.”

A European Commission-issued adequacy decision “of the type already issued for a select number of countries would allow for the free movement of personal data to the UK from Europe without the need for taking further steps to put tools of legitimization in place,” he said.

Eduardo Ustaran, a partner in the global privacy and cybersecurity practice of Hogan Lovells LLP in London, agreed that “the wisest move would be for the U.K. to apply for some form of ‘automatic adequacy’ for transfers of data originating from the EU post-Brexit.”

“This would be justifiable on the basis that both data protection frameworks would be identical, which will be a logical thing to argue if the UK implements the GDPR,” he told Bloomberg BNA Feb. 2.

A EU-U.K. Privacy Shield?

The EU-U.S. Privacy Shield data transfer program allows U.S. companies that self-certify their compliance with EU-approved privacy and security principles with the U.S. Department of Commerce to legally transfer personal data from the EU to the U.S. The Privacy Shield is relied upon by over 1,000 companies, including Alphabet Inc.'s Google, Microsoft Corp. and Facebook Inc.

The Privacy Shield rests on a privacy adequacy decision from the EC.

Bange said that any post-Brexit data protection regime is likely to include a “toolkit that is not too dissimilar to that already provided under current EU based data protection laws, so something similar to the EU-U.S. Privacy Shield would seem like a more familiar fit for EU countries and how they view adequacy for data passing through the U.K.”

A spokeswoman for the U.K. privacy regulator, the Information Commissioner’s Office, declined comment Feb. 2 on future prospects for the U.K.’s data transfer arrangements with the EU.

To contact the reporter on this story: Ali Qassim in London at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

The Brexit white paper is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security