Post-Brexit data protection in the UK – leaving the EU but not EU data protection law behind

Research output: Chapter in Book/Report/Conference proceedingChapter (peer-reviewed)peer-review

4 Downloads (Pure)


On 29 March 2017 the United Kingdom (UK) notified the European Council under Article 50 of the Lisbon Treaty of its intention to withdraw from the European Union (EU) following the outcome of the historic ‘Brexit’ referendum on 23rd June 2016 in which a majority of eligible voters in the UK voted to ‘Leave’ the EU. Although the UK and EU have not finalised their future trade agreement at the time of writing, the UK government has nevertheless introduced a legislative programme designed to effect withdrawal from the EU and return legislative sovereignty to the UK yet also maintain a close trading relationship with the EU. As the UK is in a unique position – an EU member state seeking to become a third country for data protection purposes – the UK government has proposed transitional arrangements and bespoke post-exit data protection arrangements. This chapter analyses the proposals to assess whether they are likely to be accepted, either in full or in part, and forecast what the post-Brexit data protection arrangements between the UK and EU will comprise – both in the short and longer term. It also considers the data protection implications of the UK leaving the EU on 29 March 2019 with no transitional or future trade deal in place.
It does so in five sections: firstly, it provides an overview of the data protection framework in place until the date of exit and outlines how and why the General Data Protection Regulation 2106/679 (GDPR) will be incorporated into UK law when the UK ceases to be a member of the EU. Secondly, it briefly outlines how the trade deal that is negotiated between the UK and EU will determine future data protection arrangements. This involves considering the implications of the UK becoming an EEA country, leaving with a trade deal or no trade deal in place and in the process becoming a third country for data protection purposes, and the consequences that would flow from such arrangements in terms of: unimpeded cross border personal data transfers or the UK needing to secure either a bespoke treaty with mutual adequacy recognition or a unilateral adequacy decision by the EC and replication of existing adequacy decisions. Thirdly, it provides a substantive analysis of provisions in national surveillance laws that could prove a potential obstacle to an adequacy decision, should one be needed. Fourthly, it reviews the position of the national supervisory authority, the ICO, and how its membership status of the European Data Protection Board may change, as well as outlining how the ICO may retain or lose the right to participate in the one stop shop mechanism depending on the final trade deal agreed. It concludes that if the UK becomes a third country for data protection purposes it will have to amend national surveillance law, accept a loss of data protection law and policy making influence, and accept continuing influence of the Court of Justice of the European Union (CJEU) in order to initially secure and thereafter retain an adequacy decision. These measures will no doubt disappoint ‘Brexiteers’ who are keen to reclaim legislative sovereignty. By contrast, data protection advocates will frame the UK’s post-withdrawal compliance with the GDPR as evidence of the dawning of a new era in which data protection laws are strengthened and harmonized on a global basis.
Original languageEnglish
Title of host publicationResearch Handbook on Privacy and Data Protection Law
Subtitle of host publicationValues, Norms and Global Politics
EditorsGloria González Fuster, Rosamunde Van Brakel, Paul de Hert
PublisherEdward Elgar Publishing
Number of pages14
ISBN (Electronic)9781786438515
ISBN (Print)9781786438508
Publication statusPublished - 2022


  • GDPR
  • data protection
  • Brexit
  • Data Protection Act 2018

Cite this