As the United Kingdom (UK) rapidly approaches a potential exit (BREXIT) from the European Union (EU), confusion abounds as to the applicability of the revolutionary data privacy rules of the EU’s General Data Protection Regulation (GDPR). In today’s digital economy, this is especially so for entities that move information to and from the UK after an exit from the EU. The consequences of BREXIT depend in large part upon whether there is a deal that the UK brokers with the EU, or whether there is a crash or a no-deal exit. In either circumstance, compliance with the norms and standards established by the GDPR is likely to be protected from regulatory consequences either by the UK’s Information Commissioner’s Office (ICO) or the GDPR’s Data Protection Authorities (DPA).
If the UK exits the EU with or without a deal, a transition period will be in effect until the end of 2020. Under UK law, data protection is presently governed by the GDPR. Though the GDPR will no longer be legally binding when the UK exits, the UK has indicated that it is committed to maintaining an equivalent data protection regime following departure. The legal mechanisms for this regime will likely be established through the EU (Withdrawal) Act of 2019 and the UK’s Data Protection Act of 2018, which is also referenced as the UK GDPR. The data protection culture in the UK has steadily grown accustomed to GDPR standards, and we expect that these norms will continue unless expressly abrogated.
If there is no deal, the transfer of data from the UK to a “third country” may be restricted depending on the data protection standards of that country. The government of the UK has made clear that after an exit, there is no domestic intention to restrict the transfer of personal data from the UK to the EU. The predictability of such open two-way transfer, however, will only be evident if, under Article 45 of the GDPR, the EU Commission decides that the UK ensures an adequate level of data protection. Despite this posture, the EU has not indicated that transfers from the EU to the UK will be adequately secure. Without a ruling by the EU Commission, those who are transferring data from the EU will need to adopt the safeguards that are commended in the GDPR, which consist of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) which are approved by the EU, or specific additional UK data protection measures which may be needed to satisfy the EU. If an entity is transferring information between the EU and the UK post-BREXIT, the onus is on the entity that is transferring the personal information, and we recommend a more detailed analysis to identify the legally appropriate strategy.
If there is a withdrawal agreement, we expect that:
- The GDPR and related EU privacy laws will continue to apply to the UK during the transition;
- The UK will likely continue to interpret the GDPR and related EU laws consistent with existing legal principles;
- References in the GDPR to “Member States” could be understood to include the UK. This means that the UK would not be subject to restrictions on data transfers to “third countries” under the GDPR during the transition period, and references to the GDPR that predate BREXIT could be interpreted as including the UK;
- EU would be expected to apply GDPR in a way that does not discriminate against the UK;
- The GDPR will continue to apply within the UK as EU law during the transition period. Whether this will apply after the transition period will depend on developing laws and data protection measures. If an adequacy decision is obtained from the EU, then this protection will be extended.
To summarize, data transfers in a “No Deal” Brexit could depend on the circumstances:
- UK -> US [Transfer mechanism needed, but existing arrangements are ok]
- UK -> EU [No transfer mechanism needed and GDPR restrictions do not apply]
- EU -> UK [Transfer mechanism needed]
- UK -> non-EU, non-US [Transfer mechanism needed, but existing arrangements are ok]
In a “Deal” BREXIT situation, compliance with the GDPR will likely continue after the UK leaves the EU.
