EU Says U.K. Companies May Have to Erase EU Data After Brexit

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

EU officials will insist that U.K. companies and agencies erase European citizens’ personal data collected before Brexit if they can’t meet the bloc’s strict privacy standards for data protection, according to a position paper released Sept. 7.

Companies that have been free to transfer personal data from EU countries will be faced with the difficult choice of what to do with the information they have collected.

The European Commission, the EU’s executive arm, sent the paper to the governments of the EU’s 27 remaining countries. It stipulates that it will demand in Brexit negotiations that U.K. government agencies and companies provide privacy protection equivalent to EU data protection law or agree to destroy the data at issue before the March 2019 withdrawal of the U.K. from the bloc.

The fourth round of Brexit negotiations is set to begin the week of Sept. 18. The worry is that the U.K. has come into contact with a lot of EU data, and once it leaves the EU, that data will no longer bound by high EU privacy standards, a commission spokesman told Bloomberg BNA Sept. 7.

The paper addresses personal data processed by the U.K. before the Brexit withdrawal date, classified information of the EU and national governments of EU members that was shared with the U.K., and any other data the U.K. received from EU public and private entities.

Brexit Negotiations

In June 2016, U.K. voters endorsed a referendum to leave the EU. In March, EU officials were formally notified of the U.K.'s intent to exit, triggering a two-year window to complete the exit process.

The exit agreement “must create legal certainty in all those areas where Brexit has created—and creates—uncertainty,” Michel Barnier, the chief European negotiator for Brexit, said at a Sept. 7 press conference in Brussels.

After Brexit, EU citizens living in the U.K. must also continue to enjoy data protection in accordance with EU law, the commission paper said. EU citizens should continue to enjoy EU law rights to data access, erasure, and portability, and to object to processing of their data held in the U.K., the paper said. Data also shouldn’t be held any longer than necessary, only for the purposes for which it was processed, and must be erased if that purpose expires, the paper said.

If the U.K. doesn’t make a legally binding guarantee to meet EU privacy standards, data must be erased or destroyed, the commission spokesman said.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The position paper is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security