The shape of personal data protection, post-Brexit

Until recently, the UK’s positon on Brexit has largely been defined by tautology: Brexit means Brexit. With the recent release of policy papers, some flesh is being added to these bones. The Department for Exiting the European Union’s most recent paper: The exchange and protection of personal data - a future partnership is no exception.

This paper provides two significant updates that clarify (somewhat) how the UK Government sees its post-Brexit data protection relationship with the EU. The outlook negotiated now will shape future data protection in the UK, which will have important implications for biomedical research, innovation and healthcare practice.

Continued commitment to the GDPR

Firstly, The exchange and protection of personal data reaffirms that the UK intends to fulfil its legal obligations and be General Data Protection Regulation (GDPR) compliant before Brexit. Further, the paper confirms that this compliance will continue even after withdrawal. While this commitment is laudable in providing certainty for both business and researchers, it is a no-brainer. GDPR standards will continue to apply to Brexit UK, even if the UK leaves the European Economic Area (EEA). Indeed, the GDPR applies to the processing of data so long as the data is related to the offering of goods and services to individuals in the EEA. Since the EU is by far the UK’s largest trading partner, to comply with the GDPR is tantamount to confirming the intention that UK-EU trade will continue.

The third country process

Secondly, the paper names the specific process likely to govern the UK’s new data protection relationship with the EU. That is, the UK intends to follow the ‘third country’ route. This process allows the EU Commission to consider whether the data protection framework of any given non-EEA country is ‘adequate’, allowing data (and so trade) to flow more easily. Hence, the UK can be free of the EEA but continue to have a similar data protection relationship as if they were still a member.

While the actual assessment of data protection adequacy may only take a year, the negotiations to start the assessment may be many things (including potentially nasty and brutish), but certainly not short.

Keen to stress the feasibility of this route, the paper cites Japan’s experience of the same process: their assessment of adequacy is currently set to be completed within a year. Nevertheless, one should take this timeline with a large caveat, namely that the process of assessing a third country’s adequacy is the end result of extensive negotiations. Hence, while the actual assessment of data protection adequacy may only take a year, the negotiations to start the assessment may be many things (including potentially nasty and brutish), but certainly not short.

Following both of these key points of policy, it seems clear that data protection at the end of Brexit is likely to be much the same as if the UK never left the EU: the UK will accept the same law, but at the end of a potentially costly process, and be left with no say in shaping subsequent legislation. Given this, while the paper stresses the government’s hopes for a ‘special relationship’ and the ‘special bonds’ UK data protection has with Europe, the question is: why sever them?

PHG Foundation's legal and regulatory specialists are focused on the implications of the GDPR for bioscience companies and can offer advice and consultancy to help you ensure that your organisation is equipped to comply.