GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU
With the UK due to leave the EU on 29 March 2019, UK Parliament is working towards creating new regulations to ensure that the UK’s data protection standards will be equivalent to EU law post-Brexit. The UK would use this as the basis for securing an adequacy decision from the European Commission meaning that our legal framework is deemed to provide adequate protection for individuals’ rights and freedoms over their personal data. As discussed in our previous blog, this would facilitate cross-border transfers of personal data and business continuity as the UK aims to trade with the single market on equal terms.
The GDPR is an EU regulation and will technically no longer apply in the UK (in its current guise) after Brexit if we leave the EU without a deal. On 19 December 2018, UK Parliament published new draft regulations called The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 with the core objective of creating a version of GDPR that works in a UK-only context rather than across the EU as a whole. The new regulations will only come into effect on 29 March 2019 if approved by the UK Parliament.
The new regulations would achieve this by amending the Data Protection Act 2018 (“DPA 2018”) which tailors and implements GDPR into UK domestic law. Technical amendments would include removing references to the UK’s participation as a Member State of the EU. This is important because GDPR (as modified) will continue to be effective in the UK after Brexit due to the European Union (Withdrawal) Act 2018. In practice, this means that the UK data protection regime will operate with little change to the data protection principles, rights and obligations set out in GDPR even if we leave the EU without a deal.
According to the government, data transfers from the UK to the EEA will not be restricted after Brexit. If the UK leaves the EU without an adequacy decision or a Brexit deal the DPA 2018 will remain in place together with GDPR standards which apply to data coming from the EEA into the UK. It is important to note that there is no guarantee that the adoption of the new regulations will facilitate an adequacy decision.
With this in mind, you should consider no deal and no adequacy decision contingency planning in accordance with the ICO’s guidance for appropriate safeguards, for example entering into standard contractual clauses as between the sender and recipient of the personal data. If you are a multinational corporation reliant upon binding corporate rules for making transfers into and out of the UK, you will need to update these to reflect the fact that, under the EU GDPR, the UK becomes a third country on exit date. As noted in the ICO guidance, if as a result of Brexit you will be making transfers of personal data from the UK that will become restricted transfers (e.g. transfers between the UK and the EEA which were previously permitted as transfers between EU Member States), you should update your documentation and privacy notice to expressly cover those transfers.
A simple chart showing what will happen to EU citizens living in the UK if there's a deal or if there's no deal. September 2019
A simple chart showing what will happen to UK citizens living in the EU if there's a deal or if there's no deal. October 2019
We chat to immigration specialists in Spain, Germany, France and Italy on what British citizens in those countries should be doing now. August/September 2019Click here to listen
5 September 2019READ MORE
20 August 2019READ MORE
30 August 2019READ MORE
5 August 2019Read more
29 August 2019Read more
9 May 2019READ MORE
1 February 2019Read News Item
29 January 2019READ MORE
23 January 2019Rebecca Niblock blogs
November 2018 - In this podcast Gillian Brownlee and Felicity Woof discuss the new EU Settlement Scheme which at the time of recording (in November 2018) is due to go live on 30 March 2019.Listen to the podcast
Our Public Law team blogs about secondary legislation and Brexit.View the blog series
19 September 2018Read the blog
20 September 2018READ MORE
31 August 2018Read the blog
14 August 2018Read the blog
9 August 2018Read the blog
30 July 2018 - Hanging over this year’s Tour de France, at least for this British cycling fan, was the realisation that this is probably the last Tour pre-Brexit, and so there is an additional level of uncertainty about what the 2019 post-Brexit edition will look like.Read the blog
16 July 2018 - A question you may ponder as you relax on that sunlounger in the weeks ahead is whether you need to review your arrangements for any EU based property in light of Brexit.Read the blog
9 July 2018 - Two Solicitor friends of mine recently asked me to sign their applications to register with the Law Society of Ireland. I asked them if they were thinking of moving.Read Blog Post
18 June 2018View Tweet
11 July 2018Read Blog Post
29 March 2018 - As avid golfers focus their attention on the US Masters in Augusta Georgia next month, many at the 19th Hole will be pondering the impact of Brexit on their beloved game.Read the blog
22 March 2018 - The House of Commons Library published a Briefing Paper on 7 March 2018 outlining the language testing requirements imposed upon healthcare professionals who qualified outside of the UK.Read Blog Post
5 March 2018 - The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact horse racing and all who are part of it.Read Blog Post
21 March 2018 - The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact motor racing and all who are part of it.Read Blog Post
17 April 2018View Tweet
19 March 2018View Tweet
10 July 2018 - No sooner are we one year into the new regime under the Money Laundering Regulations 2017 than a further EU instrument has been adopted.Read Blog Post
27 June 2016View on YouTube
Skip to content Home About Us Insights Services Contact Accessibility