GDPR – what happens after Brexit?

Will the GDPR still apply in the UK post-Brexit?

The short answer is yes – once the UK exits the EU at 23:00 on 31 January 2020, all EU laws, including the GDPR, will automatically become part of UK domestic law due to the provisions of the European Union (Withdrawal) Act 2018.

As many GDPR provisions/EU references within the GDPR will not be relevant to the UK post-Brexit, the government issued legislation last year to make “necessary and appropriate changes to the GDPR and to the DPA 2018 so that the law continues to function effectively after the UK has left the EU” [1], namely the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the Act).

The Act will introduce an amended version of the GDPR (creatively titled “the UK GDPR”), the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data Protection Act 2018.

When will the UK GDPR come into force?

The UK GDPR will apply with effect from 31 December 2020.  However, post-Brexit and up until 31 December 2020, there will be a transition period during which the requirements around the current EU GDPR and the UK Data Protection Act 2018 and the need to comply with them both remain unchanged.

How will all of this affect UK organisations?

In the attempt to minimise disruption to UK businesses that have a non-UK presence, the Act introduced transitional provisions in relation to adequacy decisions, standard contractual clauses and binding corporate rules, to ensure that established data flows from UK data controller establishments to organisations outside of the UK can continue post-Brexit. Below is a summary of the position re personal data transfers to and from the UK following Brexit:

• From the UK to the EEA: Under the Act, the UK will transitionally deem all EEA countries (and Gibraltar) as providing an adequate level of protection to receive personal data (i.e. data flows from the UK to the EEA will be unaffected, at least initially).
• From the UK to territories outside of the EEA: Under the Act, the UK will also deem the EC’s list of 12 currently approved countries as providing an adequate level of protection to receive personal data. As at February 2019, these consist of full findings in relation to: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay, and partial findings in respect of adequacy re Canada, Japan and the US. Again, this will mean no change to the current regime re sending personal data outside of the EEA.
• From the EEA to the UK:  The GDPR imposes restrictions with regards to transfers of personal data outside of the EEA to territories that have not been the subject of an “adequacy decision” for approval.  During the transitional period, it has been agreed that personal data flows from the EEA to the UK will be unaffected. However, upon expiry of the transitional period, it will be required for the UK to apply to the EU for adequacy status. If the UK is not approved, it will be considered as a “third country” for GDPR purposes and subject to strict transfer rules.

Another issue UK organisations must consider is whether it will be required to appoint an EU representative upon the expiry of the transition period. UK organisations which offer goods or services to individuals in the EEA (or which monitor the behaviour of individuals in the EEA) and do not have an established office in any other EU or EEA state will still need to comply with the EU GDPR, even after the UK leaves the EU. Article 27 of the EU GDPR requires such organisations to appoint an EU representative (unless the organisation is a public authority or if the processing is occasional, low risk and not involving large-scale use of special category/criminal offence data). The representative must be authorised, in writing, to act on the UK organisation’s behalf regarding its GDPR compliance, including cooperating with any supervisory authorities. The representative may be an individual or an organisation/company so long as they are established in the EEA and are able to represent the UK organisation in respect of its GDPR obligations.

Upon implementation of the UK GDPR, UK organisations will also need to consider the impact this may have on their existing data protection policies, for example, privacy policies will need to be refreshed to include details of any transfers of personal data outside of the UK (rather than the EEA).

To conclude, in the post-Brexit world, the GDPR will certainly still have a significant influence on UK data protection laws and it is safe to say that, at least in the immediate aftermath, nothing will change dramatically.  The main concern is the real possibility that upon the expiry of the transition period – 30 December 2020 – the EU may not have made an adequacy decision in favour of the UK. In the absence of this, transfers of data from the EEA into the UK would be subject to strict transfer rules, and this could create a significant administrative burden for UK (and non-UK) organisations. Until then, it will be business as usual.

 Footnote: Paragraph 2.10, Draft Explanatory Memorandum: The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019