Teal blue header image

UK publishes proposals for data protection post-Brexit

The UK government has released the Partnership Paper, a future partnership paper on the exchange and protection of personal data post-Brexit.

The UK government has released a future partnership paper on the exchange and protection of personal data (the Partnership Paper). The Partnership Paper is the latest in a series setting out proposals regarding the future relationship between the UK and the EU after Brexit.

What is proposed?

The Partnership Paper analyses the current UK and EU data protection regimes and outlines the UK’s objectives for the relationship post-Brexit. It highlights the importance of cross-border data flows in the economy of the UK and the EU, and the significance of sharing personal data in the fight against crime and terrorism. It also acknowledges, however, that effective protections must be in place to ensure that personal data is handled appropriately and protected against misuse.

The Partnership Paper states that as the EU and the UK approach the next phase of their relationship as a result of Brexit, it is essential that the parties agree a UK-EU model for exchanging and protecting personal data that:

  • maintains the free flow of personal data between the UK and the EU;
  • offers sufficient stability and confidence for businesses, public authorities and individuals;
  • provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection;
  • continues to protect the privacy of individuals;
  • respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection;
  • does not impose unnecessary additional costs to business; and
  • is based on objective consideration of evidence.

Particular objectives relate to obtaining an “adequacy decision” from the EU Commission and recognition of the continued role of the Information Commissioner’s Office (ICO).

Adequacy for the UK

The EU Commission has the authority to determine that a third country guarantees an adequate level of protection for personal data. Such an “adequacy decision” ensures the free flow of data between the EU and that third country in compliance with EU data protection law.

After withdrawal from the EU, the UK will be a third country and, without an adequacy decision, post-Brexit organisations transferring data between the EU and the UK will have to explore alternatives to do so in a compliant manner. 

The Partnership Paper stresses the unique alignment between the UK and EU’s data protection regimes that will exist at the point of exit. It sets out the UK’s preferred approach of the UK and EU agreeing early in process to mutually recognise each other’s data protection frameworks, to maintain the free flow of data between the EU (and other EU adequate countries) and the UK from exit until more permanent arrangements are agreed. The need for agreeing a timeline for negotiating longer-term arrangements is also advocated. 

Regulatory co-operation

Co-operation between the UK and EU after the UK’s withdrawal from the EU is described as essential. The Partnership Paper highlights that the ICO works closely with, and is well regarded by, other EU regulators. It advocates a continued role for the ICO in the EU arena, preserving and building upon existing regulatory co-operation.


Minister for Digital, Matt Hancock, stated “…a strong future data relationship between the UK and EU, based on aligned data protection rules, is in our mutual interest.” In accordance with previous communications, the Partnership Paper sets out the UK’s intention to maintain the free flow of personal data between the UK and the EU post-Brexit.

The Partnership Paper outlines how the UK proposes that the model for the protection and exchange of personal data with the EU will operate. It highlights the drivers of: certainty for business and public authorities; the protection of individuals’ data and privacy; and providing for ongoing regulatory co-operation between the EU and UK data protection authorities.

Contributor: Jenai Nissim

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Insights & events View all