Post-Brexit Data Protection & Data Exchange With EU

The UK government has published one of what is likely to be a series of policy papers that outline the government’s vision of what the exchange protection of personal data between the UK and the EU will look like, post-Brexit.


Policy documents that clarify this issue were needed because the proposed new Data Protection Bill published earlier this year didn’t tackle the sharing of information. How data is handled and shared if an important part of the UK and EU economies.

Important And Valuable

The UK economy relies heavily on the service sector, where data is very valuable. Also, 40% of the largest digital companies in the EU were founded in the UK, and 75% of all the UK’s cross-border data flows are with EU countries.

Crucially, the region’s data economy has been forecast to be worth €643bn by 2020.

This means that exactly how data is shared between the UK and the EU is a vital consideration from both a business and a security perspective, and the UK government doesn’t want to lose access to these high-value resources.

What About GDPR?

The Data Protection Bill (which repeals and replaces the DPA 1998) has been introduced to bring the UK’s laws in line with the EU’s upcoming General Data Protection Regulation (GDPR) which is due to come into force next year. Both will give people more say over what companies can do with their data, with GDPR intended to bring data protection laws into line across the EU for all companies and organisations that store and use data about EU citizens.

With this new policy paper, the UK government therefore appears to be saying that it is prepared to recognise and comply with the EU’s new data protection standards (even though the UK is exiting the EU) in exchange for the kind of relationship that is as close as possible to the what the UK would ideally desire.

What Kind Of Model?

The new policy document from the UK is seeking a “special partnership” for exchanging and protecting data with the EU that builds on the existing adequacy model and:

  • Keeps a free flow of personal data between the UK and the EU
  • Offers sufficient stability and confidence for businesses, public authorities
    and individuals
  • Provides for ongoing regulatory cooperation between the EU and the UK on current
    and future data protection issues
  • Continues to protect the privacy of individuals
  • Respects UK sovereignty, including the UK’s ability to protect the security of its citizens, and its ability to maintain and develop its position as a leader in data protection
  • Doesn’t impose unnecessary additional costs to business
  • Is based on objective consideration of evidence.


Critics of the policy document have pointed out that the EU will, of course, look more favourably on laws that are closely aligned with its own when it comes to data-sharing. Also, some critics have said that the UK’s new policy document lacks detail, and makes no mention of the Investigatory Powers Act (or Snooper’s Charter), and how that could affect data protection and sharing.

What Does This Mean For Your Business?

In reality, any agreement is likely to mean a transactional mutual recognition of data protection laws, followed by an adequacy decision from the European Commission when the UK leaves the EU. It is important, therefore, from economic and legal perspectives that the UK and EU data protection and sharing laws are closely aligned. It may be easier, more likely, and less time-consuming for the UK to shape it’s laws more towards the EU than the other way around.

However, ever since the news of the impending introduction of GDPR, UK businesses have struggled to get to get to grips with it, and its implications for their businesses. A further revision of UK law in the form of the recent Data Protection Bill, and the prospect of possible new revisions in how data is shared and protected with the EU could cause more uncertainty and confusion among UK businesses that could leave them open to the legal risks of non-compliance, and the wider risks of possible data breaches.

Some commentators think that a revision of the Investigatory Powers Act will also be necessary because some member states may refuse to transfer personal data to the UK if it stays as it is. This issue could have implications for the UK economy if it is not resolved quickly.