Michelmores’ Partner, Tom Torkar comments on the recent European Union position paper on Data Protection
On 7 September 2017, the European Commission (the Commission) published its position paper on the use of personal data and certain classified information obtained or processed before the date on which the United Kingdom (UK) leaves the EU. The paper addresses some uncertainties surrounding data protection in the post-Brexit era, whilst still leaving a number of questions frustratingly unanswered – not least the question of how personal data can be processed post-Brexit.
At the outset, the Commission stresses that the UK may keep and continue to use personal data or information received or processed in the UK before the withdrawal date only if the principles in the paper are fulfilled. Where they are not, such data or information must be erased or destroyed.
The key principles set out in the paper broadly include:
The Commission emphasises that the principles set out in the paper should also apply to personal data, or information received or processed by the UK or UK entities after the withdrawal date pursuant to the Withdrawal Agreement. This extends to all personal data pertaining to both data subjects within the EU and outside, and specifically includes the personal data relating to UK data subjects. The Commission therefore expects our own personal data to be processed in a compliant manner on the basis of equivalence with the rules applying to EU member state citizens.
Whilst the Commission provides some insight into the EU’s position on the use and protection of data obtained or processed before withdrawal, it omits to comment on the movement of personal data and information between the UK and EU post-Brexit. This is in stark contrast to the UK government which has comprehensively set out its ambitions on the post-Brexit landscape for data protection in its “future partnership paper” published last month. Central to the UK’s position is its desire to maintain the free flow of personal data between the EU and UK following Brexit and its proposal for an adequacy decision to be made by the Commission. Given the Commission’s silence on this point, the approach to be taken once the UK has left the EU is still unknown.
The UK government, within the Queen’s speech (2017), in the draft Data Protection Bill and in its position paper, has made it clear that it wishes to retain regulatory co-operation with the EU following Brexit. This will be based on principles of equivalence with the General Data Protection Regulation 2016 (GDPR). In principle, therefore, it is likely that the treatment of personal data covered by the EU’s positon paper will be compliant – this may be a non-issue!
Ultimately, the paper, albeit brief, provides some insight into the EU’s approach to certain data protection matters in the Brexit negotiations. The EU position regarding an on-going partnership with the UK in relation to data protection matters post-Brexit, however, remains to be seen.
For commentary on the Commission’s recent position paper on intellectual property rights post-Brexit, see here.