Giovanni De Gregorio (University of Milano Bicocca)
On 31 January 2020, Brexit occurred. The United Kingdom left the European Union and a new transition period began until the end of 2020. During this period EU rules will remain in force while the relationship been the UK and EU will be subject to negotiation. This rule also applies to data protection law. At the end of the transition period, the GDPR will be no longer applicable in the UK. National laws implementing EU Directives in the field of privacy and data protection will, however, remain in force until they are amended or repealed at the domestic level.
Since data are a crucial asset of the digital economy, the field of data protection is of particular concern for several reasons. The impossibility to rely on a clear framework in the field of data could slow down the development of new products and services and increase the degree of uncertainty in the business sector. It is not by chance whether Google reacted to this situation by moving out all its data about British users of its services, including Gmail, YouTube, and the Android Play store, from Ireland to the US, as it seeks to avoid legal risks after Brexit. Beyond corporates’ interests, the lack of legal certainty and the threat to opt-out from one of the most protective system of data protection in the world could also affect the effective protection of individuals’ fundamental rights like privacy and data protection.
The challenges are therefore multifaceted. Among them, the transfer of personal data is one of the most evidently affected areas by Brexit. It is no mystery that the UK hosts one of the most active technological and financial sectors whose innovation and services are important contributions to the European economy. The free flow of personal data is a sensitive field to ensure that both sides can benefit from the opportunities for data sharing. In October 2019, because of the importance of data flow and exchange, the UK and the Union committed to ensuring a high level of personal data protection. In the meantime, the rules established by the GDPR for the transfer of personal data outside the Union borders will apply during the transition period so that data controllers should not rely on other legal bases in the lack of an adequacy decision. Besides, the transition period also allows UK data controllers to transfer data outside the Union based on adequacy decisions and to avoid the appointment of EU-based representatives according to Article 27 GDPR.
Within this framework, the recent policy paper describing the UK’s approach to negotiations can provide further insights into the future of data in the aftermath of the transition period. While the UK has stressed its intention to rely on an independent policy on data protection at the end of the transition period, it committed to high data protection standards and to maintain a cooperative approach. The document underlines that the UK Information Commissioner’s Office will try to cooperate with EU Member State data protection authorities to facilitate the dialogue on data protection issues in the future.
Nevertheless, the document mainly focuses on the Comprehensive Free Trade Agreement (CFTA). The field of data is indeed addressed from a predominant economic dimension. The UK approach stresses the role of data sharing in different sectors like commercial trade, sanitary measures, fisheries, aviation, and migration. Even in the digital field, the aim is to stimulate e-commerce through actions that facilitate the cross-border flow of data. This economic focus should not surprise since it is mainly the result of the political goal of the UK to conduct negotiations on ‘friendly cooperation between sovereign equals, with both parties respecting one another’s legal autonomy and right to manage their own resources as they see fit’.
The focus moves to a more concerned approach to fundamental rights and the rule of law in the field of law enforcement. Despite the main focus on data sharing like criminal records, the document also underlines how police and judicial cooperation will be underpinned by the protection of human rights, the rule of law and high standards of data protection. It is worth mentioning that this approach would not change the general UK’s approach. Indeed, the agreement will only concern this objective but will not deal with how the UK should protect and enforce human rights and the rule of law.
Furthermore, outside the framework of the trade agreement, the document addresses the concerns relating to the transfer of personal data. The document clarifies the intention of the UK to obtain an ‘adequacy decisions’ from the EU under both the General Data Protection Regulation and the Law Enforcement Directive before the end of the transition period.
Brexit is another example of the high political and economic value of data in the information society. Negotiations would focus mainly on data sharing to ensure the free flow of personal data. Nevertheless, if the UK would intend to achieve an adequacy decision and maintain friendly cooperation with the EU competent authorities, it will not be able to disregard the highest level of protection of privacy and data protection as enshrined in the Charter of Fundamental Rights and interpreted by the European Court of Justice during these years.
The views expressed in this article reflect the position of the author and not necessarily the one of the Brexit Institute Blog
Giovanni De Gregorio is a Ph.D. Candidate in Public Law at the University of Milano-Bicocca
 Madhumita Murgia, ‘Google moves UK user data to US to avert Brexit risks’ Financial Times (20 February 2020).
 Political Declaration setting out the framework for the future relationship between the European Union and the United Kingdom as agreed at negotiators’ level on 17 October 2019, to replace the one published in OJ C 66I of 19.2.2019.
 The Future Relationship with the EU. The UK’s Approach to Negotiations (27 February 2020).