Member area

GDPR and Brexit – the ICO’s adequacy struggle

04 June 2018
Sabine Paul-Pettinicchio


In his speech on 26 May 2018 to the 28th Congress of the International Federation for European Law, the EU’s chief Brexit negotiator, Michel Barnier, has said that the UK’s Information Commissioner Office (ICO) cannot remain in the European Data Protection Board, EDPB after Brexit.

Michel Barnier further said that the UK would not be able to participate in the One Stop Shop: “Brexit is not, and never will be, in the interest of EU businesses.  And it will especially run counter to the interests of our businesses if we abandon our decision-making autonomy.  This autonomy allows us to set standards for the whole of the EU, but also to see these standards being replicated around the world.”  He asked ‘Who would launch an infringement against the United Kingdom in the case of misapplication of the GDPR? Who would ensure that the UK would update its data legislation every time the EU updates the GDPR?  How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?

"The United Kingdom needs to face up to the reality of the European Union. It also needs to face up to the reality of Brexit,” he said.

Earlier this month, the ICO’s Information Commissioner, Elizabeth Denham, gave evidence to Parliament’s Exiting the EU Committee.  She said she would favour a treaty or an agreement as opposed to an adequacy decision by the European Commission. She said that a treaty, which is negotiated, would be a better option for the UK than an adequacy decision, which is a one-sided review of the UK’s data privacy framework.  A bespoke agreement or treaty is preferable, as that would provide mutual acknowledgement of data protection systems on both sides.

Michel Barnier has now made his views clear: “ The UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision.

It is worth noting that in the new UK Data Protection Act 2018, exemptions for immigration data is a new element that is not included in the 1998 Act or the GDPR. This aspect might well raise questions should the UK apply for an adequacy decision for international data transfers.

If you have questions about updating your policies and practices to ensure they are compliant with the GDPR and the Data Protection Act 2018, do get in touch with our GDPR group who will be happy to help you.


For further information, please contact:

Sabine Paul-Pettinicchio, Senior Associate

ebl miller rosenfalck, London


t: +44 (0)20 7553 6009


The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice.  Appropriate legal advice should be sought for specific circumstances and before action is taken.
© Miller Rosenfalck LLP, May 2018


To the overview