30 08 2017 Insights Cyber and Data Protection

Brexit - The Road Travelled, the Path Ahead and the Bandit in the Bush


By Gillian Keating and Ciara Ni Longaigh

30th May, 2017

The pathway to Brexit is slowly revealing itself however, there is no doubt that obstacles lie ahead. We anticipate one such obstacle which if not removed early on has the potential to significantly retard economic growth in the UK.

In triggering Article 50, Theresa May activated the legal mechanism that allows the UK to formally leave the European Union. The following timeline highlights the road travelled so far:



The UK’s departure will be a lengthy process. Once Article 50 was triggered, the UK began its journey down a one-way street towards the UK’s departure from the EU. Article 50 states that the treaties relating to EU membership will remain in force until a withdrawal agreement is signed or, failing that, two years from the notification of intent to withdraw. The following timeline indicates what the next steps are likely to be:


Key priorities:




Safeguard the rights of EU citizens

Northern Ireland

Financial settlement

Trade agreement



Both the UK and the EU have identified the same key concerns and priorities ahead of the negotiation talks. While the same key issues have been raised, both parties diverge in relation to the timing of the discussions surrounding each issue. By way of example, the EU require the issue of the financial settlement to be addressed before all other priority points and they have stated they will not address the issue of a Trade Agreement until the withdrawal agreement has been substantially agreed. On the other hand, the UK want each of its priorities to be addressed on a step-by-step basis with the trade agreements being dealt with early on and financial settlement coming at the end of the process.


Theresa May has made it very clear that she intends to take a hard line approach to the negotiation process, “no deal will be considered better than a bad deal for the UK”.

The UK will;

  1. not seek membership of the single market;
  2. prioritise the rights of UK citizens living in the remaining member states, as well as EU citizens living within the UK;
  3. require “a fair settlement” of the UK’s financial rights and obligations;
  4. strive to minimise disruption and give as much certainty as possible to investors, businesses and citizens alike;
  5. be mindful of the “unique relationship with the Republic of Ireland and the importance of the peace process in Northern Ireland”, and;
  6. propose a “bold and ambitious” Free Trade Agreement.


The EU have set their own hardline approach across the key priorities.

Discourage bilateral agreements

The European Council is aware that the UK may attempt bilateral negotiations with the members of the EU. Therefore, the European Council intends to expressly prevent this within the negotiating directives.

Financial settlement

The EU expects one single financial settlement relating to:

  1. the Multiannual Financial Framework;
  2. the European Investment Bank;
  3. the European Development Fund, and;
  4. the European Central Bank.

This settlement will be a top priority for the EU and should cover all commitments as well as liabilities.

Trade Agreements

The EU will maintain a strict approach to any future free trade agreement and will not commence negotiation until all of its other priorities have been substantially agreed. It will ensure that any such agreement will encompass safeguards against unfair competitive advantages..

Safeguard the rights of EU citizens

The EU have also pledged to safeguard and respect the rights of all EU citizens throughout the Brexit negotiations.

Data Protection – the Bandit in the Bush

Data, the movement and protection of it, should be a point of real concern to both the Brexit negotiators and EU citizens working in the UK as well as UK citizens working within remaining EU Member States. It cuts across nearly all of the Brexit priorities from immigration and security to safeguarding EU citizens rights and of course data is one of the most valuable assets of the highly prized technology and life science companies that the UK wishes to secure pre and post Brexit.

The GDPR, a game changer in data protection, will become law across all member states less than one year from now. It remains to be seen what approach the UK intends to take in this regard but the implications for both individuals and businesses operating out of and in to the UK will be extensive. While EU negotiators will be keen to maintain the free flow of personal data between the UK and the EU Member States post-Brexit, a strong emphasis will be put on the protection of such personal data and the legislative framework which regulates and enforces this. The UK’s stance in this regard may become a point of contention during the negotiations and in our view should be addressed early on as one of the key priorities.

The free flow of data between EU Member States and the United Kingdom could be in jeopardy post-Brexit. While the existing UK Data Protection Act 1998 (the “1998 Act”) derives from EU law and the UK’s Information Commissioner’s Office has stated that this Act will remain in force post-Brexit, the EU legislative landscape of data protection is on the cusp of change with the forthcoming General Data Protection Regulation (the “GDPR”). If the UK is to break from the EU model, it will be faced with a restricted list of options in terms of maintaining commercial relations with businesses operating within the EU Member States.

  1. Adopting the GDPR

The GDPR will apply directly to all Member States and will enter into force on the 25th May, 2018. Given the requisite timeline provided by Article 50 (3) of the Lisbon Treaty, the GDPR is likely to become law across the EU in advance of the conclusion of the Brexit negotiations.

Despite the UK’s departure from the EU, it remains probable that the UK will endeavour to fall in line with EU data protection laws to remain a commercially viable option for multinational corporations. The GDPR is a text with European Economic Area (the “EEA”) relevance which means the UK will need to adopt the GDPR should it intend to join the EEA post-Brexit. Effectively the UK will need to incorporate the text of the GDPR into its domestic legislation. However, even if the GDPR is incorporated into domestic legislation by the UK post-Brexit, it will not be a quick-fix solution for data protection issues. The wide ambit of the GDPR means UK-based businesses that offer goods or services to individuals located within Ireland, or any other Member State, will still need to comply with the GDPR. The relevant enforcement mechanisms provided by the GDPR will not be available outside the Member States. Thus, the UK will have to exercise caution and provide for adequate enforcement procedures at a domestic level which will be capable of interacting to the fullest extent with the EU wide mechanisms available in Member States.

  1. Alternative Options

“Adequacy decision”

If the UK chooses not to adopt the GDPR, it may strive to obtain an “adequacy” decision from the European Commission under Article 45 of the GDPR. This determination would allow the transfer of data to and from the UK on the grounds that the UK maintains an adequate level of data protection. However, it may prove difficult for the UK to obtain such a decision. The European Commission are reluctant to declare data protection system “adequate” and will only do so where the relevant system can be said to be “essentially equivalent”. It will be difficult for the UK to reach such a threshold without adopting the GDPR. Furthermore, the recent introduction of the UK Investigatory Powers Act 2016 (the “2016 Act”) may make it even more difficult to obtain such a decision. The 2016 Act gives the UK government the power to collect communication data which is problematic from a GDPR compliance perspective. Many commentators have also noted that the political will to grant the UK an “adequacy” decision may not be forthcoming. A number of MEPs have already stated they would not support such a declaration. Even if the UK were to be given a green light in terms of “adequacy”, it appears that data protection authorities within individual Member States will still be able to block exports of data to countries outside the Member States.[1]

Independent trade deal

If the UK does not obtain an “adequacy” decision, the UK may choose to follow the approach taken by the United States by seeking an independent trade deal with the EU. The UK should take heed of the cautionary tale of the Safe Harbor data sharing arrangement. The recently implemented EU-US Privacy Shield provides a framework of principles protecting personal data, imposing “stronger obligations on companies” and includes provisions on enforcement and complaints handling. EU authorities have consistently demonstrated a very strict approach to legislating for non-EU data protection legislation.


It appears that the benefits of UK harmonising its domestic legislation with the GDPR outweigh the sacrifices that the UK may have to make. The UK digital Minster Matt Hancock alluded to such an approach speaking to the House of Lords Home Affairs sub-committee in February of this year. It is most likely that the UK will effectively adopt the GDPR into domestic legislation after Brexit in order to maintain commercial relationships with businesses operating within Member States.

An alternative approach could severely impede the efficient sharing of data between the UK and Member States and undermine the global confidence in UK data protection mechanisms and as a result weaken the UK’s position as a destination of choice for multinational companies to either locate in or do business with.

There are endless questions to be answered around Brexit, no sector will be left unscathed. However, as we now live in a world where data is the new currency, those tasked with negotiating Brexit ignore data and its protection at their peril; unregulated or poorly regulated it has the potential to wreak havoc across many sectors, accelerate the exodus of many companies from the UK and further isolate the UK as a destination of choice post Brexit.

For more information on the content of this Insight, please contact:

Gillian Keating, Partner, gillian.keating@rdj.ie, +353 21 4802712

[1] See further Maximillian Schrems v Data Protection Commissioner C-362/14.

Stay loop bg
Sign up

Stay in the loop

Sign up to our newsletter