UK businesses should honour pre-Brexit data protection rights of foreign citizens post-Brexit, says EU

In a new position paper on the use of data and protection of information obtained or processed prior to the date that the UK formally leaves the EU, the Commission called for rights that citizens in the remaining 27 EU countries, as well as from outside of the EU, will enjoy under the General Data Protection Regulation (GDPR) to continue to apply in the UK post-Brexit.

The GDPR will apply from 25 May 2018, while the UK government is committed to the UK formally exiting the EU by 31 March 2019 at the latest.

"The data subjects concerned should, for example, continue to have the right to be informed, the right of access, the right to rectification, to erasure, to restriction of processing, to data portability as well as the right to object to processing and not to be subject to a decision based solely on automated processing, on the basis of relevant provisions of Union law applicable on the withdrawal date," the Commission said.

It said UK businesses should also not store personal data for "longer than is necessary for the purposes for which the personal data was processed", and stick to "maximum mandatory storage periods" stipulated in regulated sectors, post-Brexit.

After Brexit, UK businesses should only be able to transfer the data they hold on EU and other data subjects based outside the Union to "non-EU27 countries" and international organisations if they adhere to the rules on data transfers set out in the GDPR, the Commission said.

The Commission also said that EU-based data subjects and others based overseas should continue to be able to enforce their GDPR rights in the UK, including in respect of their rights to effective judicial remedy and potential compensation, post-Brexit.

Last month, the UK government published a 'future partnership' paper outlining its proposed approach to the exchange and protection of personal data post-Brexit. In it the UK government called on the EU to recognise the UK's data protection framework as aligned with its own before the UK leaves the trading bloc as a means of facilitating future data flows between the two areas.