EU sinks UK hopes for post-Brexit role for UK in developing data protection laws

The UK will be relegated to "third country" status, and lose its seat on the European Data Protection Board

The European Union (EU) has dealt a fatal blow to the UK's hopes of maintaining a post-Brexit role in the body that develops rules on data protection, privacy and AI.

In a speech over the weekend Michel Barnier - the EU's chief negotiator in Brexit talks - ruled out any post-Brexit UK involvement in the European Data Protection Board (EDPB) created under the General Data Protection Regulation (GDPR), which came into force 25 May.

The EDPB, an EU body tasked with applying and regulating GDPR consistently across member states, comprises the head of each nation's regulator and the European Data Protection Supervisor (EDPS) or their representatives.

But the Information Commissioner's Office (ICO), the UK's data regulator, will no longer be offered a seat once the UK leaves the EU on 29 March 2019, with the UK relegated to "third country" status.

Advertisement - Article continues below
Advertisement - Article continues below

"It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work," said Barnier, adding: "The United Kingdom wants to leave. That is its decision. Not ours. And that has consequences."

Referencing the UK's position on data protection published this week, Barnier said the UK believes it is in interests of EU business for the ICO to remain on the EDPB. But this was slapped down, as he said Brexit "is not, and never will be, in the interest of EU business".

Speaking to the International Federation for European Law (FIDE) at its 28th Congress in Lisbon this Saturday, Barnier also outlined a few issues this may pose.

These including who would launch an infringement against the UK where GDPR is misapplied, who would ensure the UK would update its own data legislation in conjunction with the EU, and how the EU would ensure the GDPR is uniformly interpreted across both sides of the channel.

"The United Kingdom decided to leave our harmonised system of decision-making and enforcement. It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges," said Barnier. 

"And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision. It is one thing to be inside the Union, and another to be outside."

Advertisement - Article continues below

Barnier's comments sunk the UK's hopes for maintaining the ICO's role in the EDPB, which the Information Commissioner Elizabeth Denham warned against in oral evidence before the parliamentary committee on exiting the EU in early May.

Asked which aspects of any future data protection relationship would be the most difficult to achieve, Denham replied: "A bespoke agreement or the treaty option, which gives us more than adequacy, including a role for the ICO at the EDPB and participation in the one-stop shop, which would be really advantageous to business, would have to be negotiated.

"An agreement to go forward on data would have to be negotiated, because otherwise we would be looking at what is already in law, which is an adequacy assessment, and that would make us the same as any third country."

The only option for the UK to gain a sense of parity with the EU in the future would be an adequacy decision which, if granted, would allow a third nation's data to flow more freely between itself and member states.

Advertisement - Article continues below

Adequacy, which can be granted by the European Commission following an examination of privacy standards, does not, however, allow for the third country to be involved in contributing to any rules themselves.

Denham continued: "The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies and for regulating big tech.

Advertisement - Article continues below

"We will be a less influential regulator. We will continue to regulate the law and protect UK citizens as we do now, but we will not be at the leading edge of interpreting the GDPR and we will not be bringing British values to that table if we are not at the table."

A Department for Exiting the European Union (DExEU) spokesperson told IT Pro: "Our Information Commissioner's Office well-respected and it is in the mutual interest of the UK and the EU for the ICO and EU data protection authorities to work together. Negotiations are ongoing in this regard.

"Adequacy does not reflect the full depth and breadth of the UK-EU relationship. It is an effective means of ensuring the free flow of data between the EU and a third country, but it would not allow national data protection authorities to co-operate as effectively as they do now.

"As it currently exists, adequacy alone would lead to more bureaucracy and additional costs for businesses."

Picture: Shutterstock

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
data protection

Currys PC World parent firm hit with £500k fine over historic data breach

9 Jan 2020

Travelex disruption caused by devastating ransomware attack

8 Jan 2020