Britain must continue to protect personal data obtained prior to Brexit or delete them

Michelmores' Partner, Tom Torkar comments on the recent European Union position paper on Data Protection

On 7 September 2017, the European Commission (the Commission) published its position paper on the use of personal data and certain classified information obtained or processed before the date on which the United Kingdom (UK) leaves the EU. The paper addresses some uncertainties surrounding data protection in the post-Brexit era, whilst still leaving a number of questions frustratingly unanswered – not least the question of how personal data can be processed post-Brexit.

At the outset, the Commission stresses that the UK may keep and continue to use personal data or information received or processed in the UK before the withdrawal date only if the principles in the paper are fulfilled. Where they are not, such data or information must be erased or destroyed. 

The key principles set out in the paper broadly include:

  • Protection of personal data: EU laws in force on the withdrawal date should continue to apply to the protection of personal data where such data were processed before the withdrawal date. The paper confirms that data subjects (a "data subject" is a living individual to whom personal data relate) concerned should continue to have certain rights; for example: the right to be informed and the right of access; erasure of data upon the expiry of any maximum mandatory storage periods; and restrictions on the transfer of data outside the EU.
  • Protection of European Union Classified Information (EUCI) and national classified information: EU laws in force on the withdrawal date should continue to apply to the protection of EUCI and national classified information exchanged in the interests of the EU, where such information was received before the withdrawal date.
  • Other restrictions of use and access to data and information: Data and information received before the UK leaves the EU which is subject to other EU rules restricting use or access should continue to be protected in accordance with those EU laws applicable on the withdrawal date. This would include, for example, rules concerning the protection of customs data.

The Commission emphasises that the principles set out in the paper should also apply to personal data, or information received or processed by the UK or UK entities after the withdrawal date pursuant to the Withdrawal Agreement. This extends to all personal data pertaining to both data subjects within the EU and outside, and specifically includes the personal data relating to UK data subjects.   The Commission therefore expects our own personal data to be processed in a compliant manner on the basis of equivalence with the rules applying to EU member state citizens.

Whilst the Commission provides some insight into the EU’s position on the use and protection of data obtained or processed before withdrawal, it omits to comment on the movement of personal data and information between the UK and EU post-Brexit. This is in stark contrast to the UK government which has comprehensively set out its ambitions on the post-Brexit landscape for data protection in its "future partnership paper" published last month. Central to the UK's position is its desire to maintain the free flow of personal data between the EU and UK following Brexit and its proposal for an adequacy decision to be made by the Commission. Given the Commission's silence on this point, the approach to be taken once the UK has left the EU is still unknown.  

The UK government, within the Queen's speech (2017), in the draft Data Protection Bill and in its position paper, has made it clear that it wishes to retain regulatory co-operation with the EU following Brexit. This will be based on principles of equivalence with the General Data Protection Regulation 2016 (GDPR). In principle, therefore, it is likely that the treatment of personal data covered by the EU's positon paper will be compliant – this may be a non-issue!

Ultimately, the paper, albeit brief, provides some insight into the EU's approach to certain data protection matters in the Brexit negotiations. The EU position regarding an on-going partnership with the UK in relation to data protection matters post-Brexit, however, remains to be seen.

For commentary on the Commission's recent position paper on intellectual property rights post-Brexit, see here.