Buttarelli gives the post-Brexit options for the UK and insights into the EU DP Board


Giovanni Buttarelli, European Data Protection Supervisor, in London yesterday, explained that Elizabeth Denham, UK Information Commissioner, has been working hard to explore different scenarios to ensure that the UK will continue working as a partner with the European Union after 29 March next year when it becomes a 3rd country.

He referred to the data protection impact of the UK staying one or two steps outside the European Union.

Option 1 is for a transition period which the European Commission has offered until the end of 2020. In this case, nothing would change for this period. But this option has not been accepted by the UK government.

Option 2 is if the UK joins the European Economic Area, like Norway and Iceland, then it would be almost Business as Usual. The ICO would be a member of the new European Union Data Protection Board (EDPB) but its membership would be downgraded to the status of an Observer. The UK would then be able to attend meetings of the EDPB, like Norway and Iceland, but not have a vote. He reminded his audience of the declaration of the governments of France and Germany that “The EU is not a supermarket where you can buy what you want.”

Option 3 is for the UK to join the European Free Trade Area, like Switzerland. Such a move would lead to time-consuming negotiations, including a detailed assessment of the UK’s data protection law. Such a scrutiny process would take months. For example, the UK Intelligence Services will need to demonstrate the principles of “necessity and proportionality” in its collection, use and sharing of personal data. UK-based companies will need to comply with the international transfer rules, as they will be outside the EU. If the UK is accepted as having an adequate data protection law, then like Switzerland the ICO would be a member of the new European Union Data Protection Board (EDPB) but its membership would be downgraded to the status of an Observer.

The European Data Protection Board

Stewart Dresner, PL&B’s Chief Executive, asked Buttarelli, whether Dr Andrea Jelinek, Director, Austria’s Data Protection Authority, (who earlier this month was elected as Chair of the EU Art 29 DP Working Party), is likely to be elected to become Chair of its replacement, the EU Data Protection Board? He replied that as one can expect little change in the next 60 days, and as for several reasons, there were few other candidates, it is likely that Jelinek will be elected as Chair of the EDPB in May. However, he expects a more collegial style of leadership, and the new Chair to have a more coordinating role, more primus inter pares, first among equals.

On a broader point about advice from the EU Art. 29 DP Working Party, he explained that companies should not expect continuing detailed advice on the GDPR as has been the pattern in recent months. There are only some 2,500 people working in the EU’s 28 national and state Data Protection Authorities. “We need to be selective. We cannot explain everything in the next few months.”


Giovanni Buttarelli was speaking at a Fireside Chat at the law firm, Dentons, London, which was chaired by Chantal Bernier, Partner, Dentons, Canada.


If you would like to comment on this article, please login or register.


Tag cloud