Privacy & Cybersecurity Law Blog

On February 2, 2017, the UK government published a white paper entitled The United Kingdom’s exit from and new partnership with the European Union (the “white paper”). The white paper strikes a conciliatory tone, making it clear that the UK intends to maintain close ties with the European Union and its 27 remaining Member States after Brexit. A large portion of the white paper is devoted to discussing the issues at the heart of the 2016 Brexit referendum, such as immigration controls, continuing trade with the EU and the protection of individuals’ rights conferred under EU law. Among the rights addressed is the free flow of personal data between the UK and the EU.

The white paper emphasizes that the UK will “seek to maintain the stability of data transfer between EU Member States and the UK” and notes that “the European Commission is able to recognize data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.” While the white paper does not explicitly state that the UK will seek an adequacy determination, it appears from reading between the lines that this is the UK’s goal as it exits the EU.

It is unlikely to be a seamless effort for the UK to secure a finding of adequacy for data protection because of the UK’s recent adoption of the Investigatory Powers Act. This law strengthens the hand of national security agencies regarding surveillance in ways that the EU has historically found unpalatable. A December 2016 judgment by the Court of Justice of the European Union regarding the UK’s Data Retention and Investigatory Powers Act 2014, which contains similar provisions that have been replaced by the Investigatory Powers Act, found that it was disproportionate and contravened individuals’ rights to privacy and data protection.