The UK data protection law and Brexit
Last updated: 30 October 2019
On Tuesday, 29 October 2019, parliament voted in favour of a general election on 12 December.
Although a no-deal Brexit is now less likely, the UK will leave the customs union and single market on 31 January 2020 by default if a withdrawal agreement cannot be agreed.
As long as the nature of the UK’s exit from and future relationship with the EU remain vague, organisations in the UK continue to be uncertain about what the future will hold.
This page explains what we know so far about Brexit’s effect on data protection law in the UK, and how it will affect international transfers of personal data once the UK leaves the EU.
It will be updated as and when new information becomes available.
1. Data protection law in the UK before Brexit
UK organisations that process personal data are currently bound by two laws: the EU GDPR (General Data Protection Regulation) and the UK DPA (Data Protection Act) 2018.
The EU GDPR entered into force on 24 May 2016, before the UK’s referendum on EU membership. Following a two-year transition period, the Regulation took effect on 25 May 2018, superseding the EU’s DPD (Data Protection Directive) 1995 and all member state law that implemented it – including the UK DPA 1998.
Although it applies directly in member states with all the force of a domestic law, the EU GDPR leaves certain areas to individual member states to interpret and implement. In the UK, this is achieved by Part 2, Chapter 2 of the DPA 2018, which should be read alongside the Regulation.
As well as modifying the EU GDPR, the DPA 2018 applies a broadly similar regime of data protection – known as “the applied GDPR” – to certain areas that fall outside the EU GDPR’s scope, including processing by public authorities.
It also sets out data processing regimes for law enforcement purposes and the intelligence services.
2. Data protection law in the UK after Brexit: the UK General Data Protection Regulation
Although the EU GDPR will no longer apply directly in the UK once it leaves the EU, UK organisations must still comply with the Regulation’s requirements.
First, the DPA 2018 already enacts the EU GDPR’s requirements in UK law.
Second, as part of its contingency planning for a no-deal Brexit, the UK government issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – under the European Union (Withdrawal) Act 2018.
This amends the DPA 2018 to replace its references to EU laws, institutions, currency and the like with British equivalents, and combines the applied GDPR (Part 2, Chapter 3 of the DPA 2018) with the provisions of the EU GDPR (as amended by Part 2, Chapter 2 of the DPA 2018) to form a data protection regime that will work in a UK context.
This new regime will be known as ‘the UK GDPR’.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 also provide that transfers of personal data from the UK to the US that rely on the EU-US Privacy Shield can continue from exit day in the event of a no-deal Brexit. See Post-Brexit international data transfers, below, for more information.
There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the EU GDPR.
When the UK GDPR comes into force will depend on the nature of the UK’s exit from the EU:
Deal
If the UK leaves the EU with a deal, the EU GDPR will – like all other EU regulations – continue to apply in the UK until the end of the transition period (currently set at 31 December 2020, although this could be extended).
From this point, the UK GDPR will apply, either in the form created by the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 or in another form created by as-yet-undrafted secondary legislation.
No deal/hard Brexit
If there is a hard Brexit and the UK leaves the EU without a deal, there will be no transition period, so the EU GDPR will cease to apply in the UK on exit day. (This is currently set at 31 January 2020, with the option for the UK to leave the EU earlier if a deal is ratified.)
At this point, the UK GDPR, in the form created by the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, will apply.
In this situation the UK will be classified as a third country on exit day, and UK organisations that receive personal data from controllers or processors in the EEA will need to rely on other transfer mechanisms – such as standard contractual clauses or binding corporate rules – until an adequacy decision is reached. This is discussed in greater depth below.
Most organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU will also have to appoint an EU representative under Article 27 of the EU GDPR.
In either scenario, the EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.
Post-Brexit international data transfers
In order for international data flows from the EEA to the UK to continue unhindered after Brexit, the European Commission will need to determine that the UK, as a third country, offers personal data an adequate level of protection via an adequacy decision as per Article 45 of the EU GDPR.
The UK hopes that, by enacting the EU GDPR’s requirements in domestic law, it will be able to demonstrate that it continues to provide an essentially equivalent level of data protection after it leaves the EU.
To date, the Commission has adopted 13 adequacy decisions: with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield). Talks with South Korea are ongoing.
Deal
If there is a deal, both the EU and UK hope to complete the adequacy decision process within the transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was Japan, and that process took just over two years.
No deal/hard Brexit
If there is no deal and therefore no transition period, the UK government has confirmed that it will continue to allow the free flow of personal data from the UK to the EEA and to the 13 countries and territories covered by EU adequacy decisions. “There is,” it says, “no need to take preparatory action to continue sending personal data out of the UK to the EU/EEA”.
However, transfers of personal data from organisations in the EEA to the UK will have to rely on binding corporate rules or standard contractual clauses until an adequacy decision is reached. (The EU GDPR also allows transfers to third countries on the basis of approved codes of conduct or certification mechanisms under Article 46(2)(e) and (f), but none has yet been approved for transfers from the EEA to the UK. The EU-US Privacy Shield is not such a code: it is an adequacy decision under Article 45 that covers only US organisations certified under it.)
Article 27 of the EU GDPR also requires organisations that are not established in the EU to appoint an EU representative if they offer goods or services to, or monitor the behaviour of, individuals in the EU (subject to the exemptions in Article 27(2)).
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is higher.
Prudent organisations that process EU residents’ personal data will therefore be putting measures in place now in order to ensure they continue to comply with the law after 31 January 2020 in the case of a no-deal Brexit.
The Information Commissioner’s Office has published guidance and resources for organisations after Brexit.
The EDPB (European Data Protection Board) has published an information note on data transfers under the GDPR in the event of a no-deal Brexit.
As to transfers of UK personal data to the US, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 make provision to preserve the effect of the EU-US Privacy Shield in the UK in the event of a no-deal Brexit.
US organisations that participate in the Privacy Shield will have to update their "public commitment to comply with the Privacy Shield to include the UK".
The US Department of Commerce has published guidance for US Privacy Shield organisations on how personal data can continue to flow from the UK to the US in a no-deal scenario, including the model language to use in their updated statements.
We will update this page with further information once the nature of the UK’s withdrawal from and future relationship with the EU become clearer.