UK will be subject to, but have no say in, EU rules after Brexit

EU has shot down ICO's urging for deeper integration on data protection

The UK will take a backseat on data protection in Europe after Brexit, the European Commission has confirmed - including for any new Europe-wide rules about artificial intelligence.

ICO leader Elizabeth Denham told MPs earlier this month that a bespoke data agreement - which would give the UK's data protection agency a continued role in Europe after the UK leaves the Union - would be far superior to a so-called adequacy agreement.

Denham said, "At this time when the GDPR is in its infancy, participating in shaping and interpreting the law I think is really important. And the group of regulators that sit around the table at the EU are the most influential blocs of regulators - and if we're outside of that group and we're an observer we're not going to have the kind of effect that we need to have with big tech companies. Because that's all going to be decided by that group of regulators."

Denham added a point long argued by the Remain camp: that the UK will have no say on the standards and regulations implemented in the technology industry, which companies will still have to follow if they hope to trade with the Continent:

"The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies, for regulating big tech. So we will be a less influential regulator, we will continue to regulate the law and protect UK citizens as we do now, but we won't be at the leading edge of interpreting the GDPR - and we won't be bringing British values to that table if we're not at the table."

However, the EU's chief Brexit negotiator, Michel Barnier, quashed any hopes of the UK having a seat. Speaking in front of the International Federation for European Law, he suggested that an adequacy decision - which is granted if a non-EU state's laws are in compliance with EU regulations - would be the only thing on that table.

Adequacy decisions enable trade and data flows, but do not allow countries to be involved in shaping regulations or laws in Europe.

"The United Kingdom decided to leave our harmonised system of decision-making and enforcement," said Barnier. "It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges.

"And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision. It is one thing to be inside the Union, and another to be outside.

"Brexit is not, and never will be, in the interest of EU businesses; and it will especially run counter to the interests of our businesses if we abandon our decision-making autonomy. This autonomy allows us to set standards for the whole of the EU, but also to see these standards being replicated around the world. This is the normative power of the Union, or what is often called ‘the Brussels effect'.

"And we cannot, and will not, share this decision-making autonomy with a third country, including a former Member State who does not want to be part of the same legal ecosystem as us."

With the ICO excluded from any sort of GDPR rulemaking - through which European data protection agencies can work together to coordinate regulatory actions - UK businesses will need to use an alternative agency to act as their lead regulator post-Brexit.

We have asked the ICO for a comment and will update when we hear back.