UK data protection law and Brexit
Last updated: April 2019
The nature of the UK’s future relationship with the EU remains vague, leaving organisations in the UK uncertain about what the future will hold.
This page explains what we know so far about Brexit’s effect on data protection law in the UK, and how it will affect personal data transfers to third countries or international organisations, including transfers that rely on the EU-US Privacy Shield.
It will be updated as and when new information becomes available.
1. Data protection law in the UK before Brexit
UK organisations that process personal data are currently bound by two laws: the EU GDPR (General Data Protection Regulation) and the UK DPA (Data Protection Act) 2018.
The EU GDPR entered into force on 24 May 2016, before the UK’s referendum on EU membership. Following a two-year transition period, the Regulation took effect on 25 May 2018, superseding the EU’s Data Protection Directive (DPD) 1995 and all member state law that implemented it – including the UK DPA 1998.
Although it applies directly in member states with all the force of a domestic law, the EU GDPR leaves certain areas to individual member states to interpret and implement. In the UK, this is achieved by Part 2, Chapter 2 of the DPA 2018, which should be read alongside the Regulation.
As well as supplementing the EU GDPR, the DPA 2018 applies a broadly similar regime of data protection – known as “the applied GDPR” – to certain processing that falls outside the EU GDPR’s scope, including activities outside the scope of EU law and manual unstructured processing by public authorities subject to freedom of information legislation.
It also sets out separate data processing regimes for law enforcement purposes (Part 3) and the intelligence services (Part 4).
2. Data protection law in the UK after Brexit: the UK General Data Protection Regulation
Although the EU GDPR will no longer apply directly in the UK once it leaves the EU, UK organisations must still comply with the Regulation’s requirements.
First, the DPA 2018 already enacts the EU GDPR’s requirements in UK law.
Second, as part of its contingency planning for a no-deal Brexit, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – under the European Union (Withdrawal) Act 2018.
This amends the DPA 2018 to replace its references to EU laws, institutions, currency and the like with British equivalents, and merges the applied GDPR (Part 2, Chapter 3 of the DPA 2018) with the provisions of the EU GDPR (as supplemented by Part 2, Chapter 2 of the DPA 2018) to form a single data protection regime that will work in a UK context.
This new regime will be known as ‘the UK GDPR’.
The draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 also provide that transfers of personal data from the UK to the US that rely on the EU-US Privacy Shield can continue from exit day in the event of a no-deal Brexit. See Post-Brexit cross-border data transfers, below, for more information.
There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the EU GDPR’s requirements. Note also that UK organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU will remain directly subject to the EU GDPR after exit under its extraterritorial scope (Article 3(2)), and may need to appoint a representative in the EU under Article 27.
When the UK GDPR comes into force will depend on the nature of the UK’s exit from the EU:
Deal
If the UK leaves the EU with a deal, the EU GDPR will – like all other EU regulations – continue to apply in the UK until the end of the transition period (currently set at 31 December 2020, although this could be extended).
From this point, the UK GDPR will apply, either in the form created by the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 or in another form created by as-yet-undrafted secondary legislation.
No deal/hard Brexit
If there is a hard Brexit and the UK leaves the EU without a deal, there will be no transition period, so the EU GDPR will cease to apply in the UK on exit day. (Following the extension agreed on 10 April 2019, this is now set at 31 October 2019 at the latest, although it could occur on 1 June 2019 if the UK fails to participate in the May 2019 European elections.)
At this point, the UK GDPR, in the form created by the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, will apply.
If no withdrawal agreement is reached, the UK will be classified as a third country on exit day. Organisations in the EEA that send personal data to UK organisations – and the UK organisations that receive it, whether as controllers or as processors acting for EU controllers – will need to rely on other measures, such as standard contractual clauses or binding corporate rules, to transfer that data lawfully until an adequacy decision is adopted. This is discussed in greater depth below.
In either scenario, the EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.
Post-Brexit cross-border data transfers
In order for cross-border data flows from the EEA to the UK to continue unhindered after Brexit, the European Commission will need to determine that the UK, as a third country, offers personal data an adequate level of protection via an adequacy decision as per Article 45 of the EU GDPR.
The UK hopes that, by enacting the EU GDPR’s requirements in domestic law, it will be able to demonstrate that it continues to provide an essentially equivalent level of data protection after it leaves the EU.
To date, the Commission has adopted 13 adequacy decisions: with Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield). Talks with South Korea are ongoing.
Deal
If there is a deal, both the EU and UK hope to complete the adequacy decision process within the transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was Japan, and that process took just over two years.
No deal/hard Brexit
If there is no deal and therefore no transition period, the UK government has confirmed that it will continue to allow the free flow of personal data to the EU “in recognition of the unprecedented degree of alignment between the UK and the EU’s data protection regimes”.
However, organisations in the UK will have to rely on binding corporate rules or standard contractual clauses to receive personal data from organisations in the EEA until an adequacy decision is adopted. (The EU GDPR also allows transfers to third countries under approved codes of conduct or certification mechanisms (Article 46(2)(e) and (f)), but none has been approved for transfers from the EEA to the UK yet. The EU-US Privacy Shield is not such a code: it is itself a partial adequacy decision under Article 45, and it has no equivalent for the UK. The Article 49 derogations, such as explicit consent, remain available but are intended for occasional, non-repetitive transfers rather than routine data flows.)
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is higher.
Prudent organisations that process EU residents’ personal data will therefore be putting measures in place now in order to ensure they continue to comply with the law from exit day (1 June 2019 at the earliest) in the case of a no-deal Brexit.
The Information Commissioner’s Office has published guidance and resources for organisations after Brexit.
The EDPB (European Data Protection Board) has published an information note on data transfers under the GDPR in the event of a no-deal Brexit.
As to transfers of personal data to the US, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 make provision to preserve the effect of the EU-US Privacy Shield in the UK in the event of a no-deal Brexit.
The US Department of Commerce has published guidance for US Privacy Shield organisations on how personal data can continue to flow from the UK to the US in a no-deal scenario.
We will update this page with further information once the nature of the UK’s withdrawal from and future relationship with the EU become clearer.