On the 20th September 2017, the EU published a position paper in relation to Brexit entitled the ‘Use of Data and Protection of Information Obtained or Processed before the withdrawal date’. The paper sets out in detail the EU’s stance on data protection in relation to three key areas:
- the protection of personal data processed before the withdrawal date,
- the protection of EUCI and national classified information exchanged in the interests of the EU before the withdrawal date, and;
- other restrictions of use and access to data and information obtained before the withdrawal date.
The position paper is strict in its approach and suggests that the conditions in the position paper must be complied with if the UK intends to retain and process the relevant data up to the withdrawal date. While various conditions set out in the position paper will be temporary in nature as they will apply up to the withdrawal date, it is clear that the EU expects Union law to remain applicable beyond the withdrawal date in a number of areas relating to the processing and retention of personal data.
The protection of personal data processed before the withdrawal date
In relation to the protection of personal data, the EU is clear that Union law will continue to apply up until the withdrawal date. The General Data Protection Regulation (the ‘GDPR’) will alter the protection of data across EU Member States when it enters into force on the 25th May, 2018 and the position paper suggests that the provisions of the GDPR will apply to personal data in the UK processed before the withdrawal date. The position paper highlights a list of important personal rights in terms of the retention of this data and clearly sets out that data subjects whose data is held and processed within the UK after the withdrawal date will be able to enforce their rights under the GDPR as long as that data is still being processed. The EU stance is clear in this regard, the effects of the GDPR will reach beyond the withdrawal date. The EU is also of the belief that the withdrawal agreement between the UK and EU27 Member States should expressly deal with investigations into data protection which are ongoing at the withdrawal date. The agreement should allow these investigations to be concluded and ensure that the UK’s departure does not impede the authorities in completing their investigation.
The protection of EUCI and national classified information exchanged in the interests of the EU before the withdrawal date
The position paper also deals specifically with the protection of classified information. EUCI ‘means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States’ as per Article 2 of Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information. Union law as it stands on the withdrawal date will remain applicable to such data. The position paper expressly sets out that contractors and subcontractors should take all appropriate measures to make sure this data is protected. It is also anticipated that the UK will inform the EU of any ‘incident or change of policy regarding the approval of cryptographic products used for the protection of EUCI’.
Other restrictions of use and access to data and information obtained before the withdrawal date
The final category which the position paper addresses relates to other restrictions of use and access to data. This catch all provision envisages that all other data received by the UK from EU27 Member States, and vice versa, will continue to be protected in line with the provisions of Union law as at the withdrawal date. While the position paper sets out examples of the applicable Union rules, the GDPR will again be relevant by the withdrawal date.
The position paper endeavours to address the issues surrounding the use of and protection of data before the withdrawal date but the EU has also utilised this opportunity to set out its stance with regards to the enforcement of Union law post-Brexit in the data protection sphere. The UK has previously acknowledged that it intends to comply with GDPR requirements after the withdrawal date and the EU position paper echoes such an approach. Thus far, it appears that both sides may be in agreement that UK compliance with the provisions of the GDPR is the key to the future free flow of data.