GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU
With the UK due to leave the EU on 29 March 2019, the UK Parliament is working towards creating new regulations to ensure that the UK’s data protection standards will be equivalent to EU law post-Brexit. The UK would use this as the basis for securing an adequacy decision from the European Commission, meaning that our legal framework is deemed to provide adequate protection for individuals’ rights and freedoms over their personal data. As discussed in our previous blog, this would facilitate cross-border transfers of personal data and business continuity as the UK aims to trade with the single market on equal terms.
The GDPR is an EU regulation and will technically no longer apply in the UK (in its current guise) after Brexit if we leave the EU without a deal. On 19 December 2018, UK Parliament published new draft regulations called The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 with the core objective of creating a version of GDPR that works in a UK-only context rather than across the EU as a whole. The new regulations will only come into effect on 29 March 2019 if approved by the UK Parliament.
The new regulations would achieve this by amending the Data Protection Act 2018 (“DPA 2018”) which tailors and implements GDPR into UK domestic law. Technical amendments would include removing references to the UK’s participation as a Member State of the EU. This is important because GDPR (as modified) will continue to be effective in the UK after Brexit due to the European Union (Withdrawal) Act 2018. In practice, this means that the UK data protection regime will operate with little change to the data protection principles, rights and obligations set out in GDPR even if we leave the EU without a deal.
According to the government, data transfers from the UK to the EEA will not be restricted after Brexit. If the UK leaves the EU without an adequacy decision or a Brexit deal, the DPA 2018 will remain in place together with GDPR standards which apply to data coming from the EEA into the UK. It is important to note that there is no guarantee that the adoption of the new regulations will facilitate an adequacy decision.
With this in mind, you should consider contingency planning for a no-deal, no-adequacy-decision scenario in accordance with the ICO’s guidance for appropriate safeguards, for example entering into standard contractual clauses as between the sender and recipient of the personal data. If you are a multinational corporation reliant upon binding corporate rules for making transfers into and out of the UK, you will need to update these to reflect the fact that, under the EU GDPR, the UK becomes a third country on exit date. As noted in the ICO guidance, if as a result of Brexit you will be making transfers of personal data from the UK that will become restricted transfers (e.g. transfers between the UK and the EEA which were previously permitted as transfers between EU Member States), you should update your documentation and privacy notice to expressly cover those transfers.