EU sinks UK hopes for post-Brexit role for UK in developing data protection laws
The UK will be relegated to "third country" status, and lose its seat on the European Data Protection Board

The European Union (EU) has dealt a fatal blow to the UK's hopes of maintaining a post-Brexit role in the body that develops rules on data protection, privacy and AI.
In a speech over the weekend Michel Barnier - the EU's chief negotiator in Brexit talks - ruled out any post-Brexit UK involvement in the European Data Protection Board (EDPB) created under the General Data Protection Regulation (GDPR), which came into force 25 May.
The EDPB, an EU body tasked with applying and regulating GDPR consistently across member states, comprises the head of each nation's regulator and the European Data Protection Supervisor (EDPS) or their representatives.
But the Information Commissioner's Office (ICO), the UK's data regulator, will no longer be offered a seat once the UK leaves the EU on 29 March 2019, with the UK relegated to "third country" status.
"It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work," said Barnier, adding: "The United Kingdom wants to leave. That is its decision. Not ours. And that has consequences."
Referencing the UK's position on data protection published this week, Barnier said the UK believes it is in interests of EU business for the ICO to remain on the EDPB. But this was slapped down, as he said Brexit "is not, and never will be, in the interest of EU business".
Speaking to the International Federation for European Law (FIDE) at its 28th Congress in Lisbon this Saturday, Barnier also outlined a few issues this may pose.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
These including who would launch an infringement against the UK where GDPR is misapplied, who would ensure the UK would update its own data legislation in conjunction with the EU, and how the EU would ensure the GDPR is uniformly interpreted across both sides of the channel.
"The United Kingdom decided to leave our harmonised system of decision-making and enforcement. It must respect the fact that the European Union will continue to work on the basis of this system, which has allowed us to build a single market, and which allows us to deepen our single market in response to new challenges," said Barnier.
"And, as indicated in the European Council guidelines, the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision. It is one thing to be inside the Union, and another to be outside."
Barnier's comments sunk the UK's hopes for maintaining the ICO's role in the EDPB, which the Information Commissioner Elizabeth Denham warned against in oral evidence before the parliamentary committee on exiting the EU in early May.
Asked which aspects of any future data protection relationship would be the most difficult to achieve, Denham replied: "A bespoke agreement or the treaty option, which gives us more than adequacy, including a role for the ICO at the EDPB and participation in the one-stop shop, which would be really advantageous to business, would have to be negotiated.
"An agreement to go forward on data would have to be negotiated, because otherwise we would be looking at what is already in law, which is an adequacy assessment, and that would make us the same as any third country."
The only option for the UK to gain a sense of parity with the EU in the future would be an adequacy decision which, if granted, would allow a third nation's data to flow more freely between itself and member states.
Adequacy, which can be granted by the European Commission following an examination of privacy standards, does not, however, allow for the third country to be involved in contributing to any rules themselves.
Denham continued: "The European Data Protection Board will set the weather when it comes to standards for artificial intelligence, for technologies and for regulating big tech.
"We will be a less influential regulator. We will continue to regulate the law and protect UK citizens as we do now, but we will not be at the leading edge of interpreting the GDPR and we will not be bringing British values to that table if we are not at the table."
A Department for Exiting the European Union (DExEU) spokesperson told IT Pro: "Our Information Commissioner's Office well-respected and it is in the mutual interest of the UK and the EU for the ICO and EU data protection authorities to work together. Negotiations are ongoing in this regard.
"Adequacy does not reflect the full depth and breadth of the UK-EU relationship. It is an effective means of ensuring the free flow of data between the EU and a third country, but it would not allow national data protection authorities to co-operate as effectively as they do now.
"As it currently exists, adequacy alone would lead to more bureaucracy and additional costs for businesses."
Picture: Shutterstock

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
The IT industry’s shift to circular, low-carbon solutions
Maximize your hardware investment and reach your sustainability goals with HP’s Renew Solutions
-
Lenovo ThinkPad X9 14 Aura Edition review
Reviews This thin and light ultraportable will draw you in with its vibrant screen – but it isn't as powerful as some of its competitors
-
ICO admits it's too slow dealing with complaints – so it's eying up automation to cut staff workloads
News The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
-
Tech leaders worry AI innovation is outpacing governance
News Business execs have warned the current rate of AI innovation is outpacing governance practices.
-
Data sovereignty a growing priority for UK enterprises
News Many firms view data sovereignty as simply a compliance issue
-
Elevating compliance standards for MSPs in 2025
Industry Insights The security landscape is set to change significantly in the years to come with new regulations coming into effect next year, here's how the channel needs to adapt
-
How ready is your company for NIS2?
Supported Content The EU’s latest cybersecurity legislation raises the stakes for enterprises and IT leaders - and ensuring compliance can be a daunting task
-
Top data security trends
Whitepaper Must-have tools for your data security toolkit
-
“Limited resources” scupper ICO probe into EasyJet breach
News The decision to drop the probe has been described as “deeply concerning” by security practitioners
-
Conquering technology risk in banking
Whitepaper Five ways leaders can transform technology risk into advantage