The UK Law Societies’ Brussels Office and the European Policy Centre held a breakfast event on 25 September 2018 to discuss the possible effects of the UK’s withdrawal from the EU on data protection. It was attended by approximately 90 participants, from a variety of industries and from all around Europe. 

The event was a panel discussion held under Chatham House rules, hosted by Fabian Zuleeg, Chief Executive and Chief Economist, European Policy Centre. The panel comprised:

  • Alistair Robinson, First Secretary (Legal), UK Representation to the EU;
  • Peter Wright, Director, Digital Law UK and Chair of the GDPR Working Group, Law Society of England and Wales; and
  • Chris Gow, Director, EU Public Policy, Government Affairs, Cisco Systems. 

The panel discussed the effect on data protection provisions should an exit deal be struck with the EU, explaining that this would result in the current provisions in relation to the processing of data (the General Data Protection Regulations and the Law Enforcement Directive) continuing to apply until the expiration of the transition period in December 2020.

Various forms of agreement after December 2020 were discussed, including the possibility that there may be two separate agreements; one making provision for commercial data protection and one for law enforcement. The concept of entering an agreement based on the adequacy of the UK’s protection of data was viewed as an attractive approach for both the UK and EU, though the question of whether this form of agreement would go far enough to preserve current data flows was raised.

The panellists discussed the possibility that no deal with the EU would be reached, meaning that after 29 March 2019 data protection would likely be governed in line with the UK’s technical note on data protection in a no-deal scenario. It was suggested that this could result in any adequacy agreement discussions more challenging due to increased tensions.

Though the atmosphere was one of general optimism that a deal on data protection was beneficial to both the UK and EU and therefore likely, a number of issues were explored in relation to future agreements:

  • Timing: in the event that the UK leaves the EU with an exit deal and therefore enters an implementation period until December 2020, this would allow only 21 months for a data protection agreement to be made. The fastest an agreement has been made between the EU and a third country in the past was 17 months, with Argentina. The longest, however, was the agreement reached with New Zealand, which took 4 years. It will be challenging for an agreement to be reached within the implementation period, and there is therefore a risk that the implementation period could end without an agreement being in place.
  • Conflicting aims: the incompatibility of the UK and EU’s approach to data protection and privacy was highlighted as a potential obstacle to an agreement being reached. The UK’s approach to surveillance has been viewed as more invasive than that of other Member States, for example in relation to the Investigatory Powers Act 2018. The concept of how a UK-EU privacy shield would function could be a further source of contention, hindering any agreement based on adequacy.
  • Small and Medium Enterprises (SMEs): with many SMEs still yet to implement the GDPR in full, preparation for an entirely new agreement based on adequacy could be a significant strain on their resources. Additionally, it is possible that customers may pressure SMEs to demand data is processed in the EU, triggering the need to move data centres and customer service agencies.

The event raised some very interesting points and drew attention to some major themes to watch out for as the Brexit process intensifies and the UK’s position on data protection becomes clearer.