In preparation for the Brexit negotiations, the European Commission has published a position paper on the 'Use of Data and Protection of Information Obtained or Processed before the Withdrawal Date'.
The paper starts from the position that the UK's access to networks, information systems and databases established by EU law will, as a general rule, terminate on the date of withdrawal and that the UK may only keep and continue to use data or information received and/or processed in the UK before the withdrawal date if the UK complies with certain conditions and principles set out in the position paper; otherwise the data or information (including any copies thereof) should be erased or destroyed.
The position paper covers the following principles:
- Protection of personal data before the withdrawal: EU law on the protection of personal data should continue to apply to personal data in the UK processed before the withdrawal date in relation to data subjects from the Member States of the EU. EU law should also apply to data subjects outside the EU provided that their personal data is covered by the data protection laws of the EU. The personal data of UK data subjects should also be protected in accordance with EU law while data protection investigations that are ongoing on the withdrawal date should be carried out in accordance with the Withdrawal Agreement.
- EU and national classified information: The position paper also emphasises that EU and national classified information exchanged prior to the withdrawal date should continue to be protected in accordance with the provisions of EU law that are applicable on the withdrawal date. The paper stresses that any UK agencies or contractors carrying out projects under contracts concluded before the withdrawal date and which involve the creation, handling or storing of EU and national classified information should continue to handle such information in accordance with EU law.
- Other restrictions of use and access to data obtained before the withdrawal date: Data and information received by the UK from EU Member States, EU agencies, bodies and other institutions, which are subject to EU law restrictions in relation to the use or access to such information should continue to be safeguarded. Examples of such restrictions are: rules concerning the obligation of professional secrecy in the context of merger, antitrust and state aid proceedings; provisions relating to the protection of regulatory studies (e.g. pre-clinical, clinical and toxicological studies); and rules concerning the protection of information acquired by customs authorities.
The European Commission's position paper states that these principles should also apply to personal data, data or information which was received or processed by the UK after the withdrawal date subject to the Withdrawal Agreement. According to the position paper, these principles set out the conditions which need to be fulfilled for the continued flow of data to be allowed; otherwise such data or information should be erased or destroyed.
The data protection position paper belongs to a series of EU position papers for the Brexit negotiations which are available on the European Union website. For information about the UK's position on the protection of personal data, please see our article entitled 'UK publishes proposals for data protection post-Brexit'.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2017. Specific advice should be sought for specific cases. For more information see our terms and conditions.