Will the GDPR still apply in the UK post-Brexit?
The short answer is yes – once the UK exits the EU at 23:00 on 31 January 2020, all EU laws, including the GDPR, will automatically become part of UK domestic law due to the provisions of the European Union (Withdrawal) Act 2018.
As many provisions of, and EU references within, the GDPR will not be relevant to the UK post-Brexit, the government issued legislation last year to make “necessary and appropriate changes to the GDPR and to the DPA 2018 so that the law continues to function effectively after the UK has left the EU” [1], namely the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the Act).
The Act will introduce an amended version of the GDPR (creatively titled “the UK GDPR”) and will also amend the Privacy and Electronic Communications Regulations 2003 (PECR) and the Data Protection Act 2018.
When will the UK GDPR come into force?
The UK GDPR will apply with effect from 31 December 2020. However, from Brexit up until 31 December 2020 there will be a transition period during which the requirements of the current EU GDPR and the UK Data Protection Act 2018, and the need to comply with both, remain unchanged.
How will all of this affect UK organisations?
In an attempt to minimise disruption to UK businesses that have a non-UK presence, the Act introduced transitional provisions in relation to adequacy decisions, standard contractual clauses and binding corporate rules, to ensure that established data flows from UK data controller establishments to organisations outside of the UK can continue post-Brexit. Below is a summary of the position regarding personal data transfers to and from the UK following Brexit:
Another issue UK organisations must consider is whether they will be required to appoint an EU representative upon the expiry of the transition period. UK organisations which offer goods or services to individuals in the EEA (or which monitor the behaviour of individuals in the EEA) and do not have an established office in any other EU or EEA state will still need to comply with the EU GDPR, even after the UK leaves the EU. Article 27 of the EU GDPR requires such organisations to appoint an EU representative (unless the organisation is a public authority, or the processing is occasional, low risk and does not involve large-scale use of special category/criminal offence data). The representative must be authorised, in writing, to act on the UK organisation’s behalf regarding its GDPR compliance, including cooperating with any supervisory authorities. The representative may be an individual or an organisation/company, so long as they are established in the EEA and are able to represent the UK organisation in respect of its GDPR obligations.
Upon implementation of the UK GDPR, UK organisations will also need to consider the impact this may have on their existing data protection policies, for example, privacy policies will need to be refreshed to include details of any transfers of personal data outside of the UK (rather than the EEA).
To conclude, in the post-Brexit world, the GDPR will certainly still have a significant influence on UK data protection laws and it is safe to say that, at least in the immediate aftermath, nothing will change dramatically. The main concern is the real possibility that upon the expiry of the transition period – 30 December 2020 – the EU may not have made an adequacy decision in favour of the UK. In the absence of this, transfers of data from the EEA into the UK would be subject to strict transfer rules, and this could create a significant administrative burden for UK (and non-UK) organisations. Until then, it will be business as usual.
[1] Paragraph 2.10, Draft Explanatory Memorandum: The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019