GDPR and Brexit: the draft withdrawal agreement and data transfers from the EU
With the UK due to leave the EU on 29 March 2019, UK Parliament is working towards creating new regulations to ensure that the UK’s data protection standards will be equivalent to EU law post-Brexit. The UK would use this as the basis for securing an adequacy decision from the European Commission meaning that our legal framework is deemed to provide adequate protection for individuals’ rights and freedoms over their personal data. As discussed in our previous blog, this would facilitate cross-border transfers of personal data and business continuity as the UK aims to trade with the single market on equal terms.
The GDPR is an EU regulation and will technically no longer apply in the UK (in its current guise) after Brexit if we leave the EU without a deal. On 19 December 2018, UK Parliament published new draft regulations called The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 with the core objective of creating a version of GDPR that works in a UK-only context rather than across the EU as a whole. The new regulations will only come into effect on 29 March 2019 if approved by the UK Parliament.
The new regulations would achieve this by amending the Data Protection Act 2018 (“DPA 2018”) which tailors and implements GDPR into UK domestic law. Technical amendments would include removing references to the UK’s participation as a Member State of the EU. This is important because GDPR (as modified) will continue to be effective in the UK after Brexit due to the European Union (Withdrawal) Act 2018. In practice, this means that the UK data protection regime will operate with little change to the data protection principles, rights and obligations set out in GDPR even if we leave the EU without a deal.
According to the government, data transfers from the UK to the EEA will not be restricted after Brexit. If the UK leaves the EU without an adequacy decision or a Brexit deal the DPA 2018 will remain in place together with GDPR standards which apply to data coming from the EEA into the UK. It is important to note that there is no guarantee that the adoption of the new regulations will facilitate an adequacy decision.
With this in mind, you should consider no deal and no adequacy decision contingency planning in accordance with the ICO’s guidance for appropriate safeguards, for example entering into standard contractual clauses as between the sender and recipient of the personal data. If you are a multinational corporation reliant upon binding corporate rules for making transfers into and out of the UK, you will need to update these to reflect the fact that, under the EU GDPR, the UK becomes a third country on exit date. As noted in the ICO guidance, if as a result of Brexit you will be making transfers of personal data from the UK that will become restricted transfers (e.g. transfers between the UK and the EEA which were previously permitted as transfers between EU Member States), you should update your documentation and privacy notice to expressly cover those transfers.
In this podcast, Gillian Brownlee and Felicity Woof discuss the new EU Settlement Scheme which is due to go live on 30 March 2019.Listen to the podcast
Our Public Law team blogs about secondary legislation and Brexit.View the blog series
A question you may ponder as you relax on that sunlounger in the weeks ahead is whether you need to review your arrangements for any EU based property in light of Brexit.Read the blog
The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact horse racing and all who are part of it.Read Blog Post
Hanging over this year’s Tour de France, at least for this British cycling fan, was the realisation that this is probably the last Tour pre-Brexit, and so there is an additional level of uncertainty about what the 2019 post-Brexit edition will look like.Read the blog
Two Solicitor friends of mine recently asked me to sign their applications to register with the Law Society of Ireland. I asked them if they were thinking of moving.Read Blog Post
As avid golfers focus their attention on the US Masters in Augusta Georgia next month, many at the 19th Hole will be pondering the impact of Brexit on their beloved game.Read the blog
The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact motor racing and all who are part of it.Read Blog Post
On March 7 2018, the House of Commons Library published a Briefing Paper outlining the language testing requirements imposed upon healthcare professionals who qualified outside of the UK.Read Blog Post
No sooner are we one year into the new regime under the Money Laundering Regulations 2017 than a further EU instrument has been adopted.Read Blog Post
Skip to content Home About Us Insights Services Contact Accessibility