Brexiting the GDPR: New draft UK data protection regulations introduced

8 January 2019

The government has recently published draft legislation to deal with the UK’s post-Brexit GDPR regime, namely “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019”.

The new legislation proposes to introduce an amended version of the GDPR (creatively titled “the UK GDPR”), the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data Protection Act 2018.

Why are these regulations required?

Once the UK exits the EU (currently scheduled to take place on 29 March 2019), all EU laws, including the GDPR, will automatically become part of UK domestic law due to the provisions of the European Union (Withdrawal) Act 2018. Therefore, as many GDPR provisions/EU references within the GDPR will not be relevant to the UK post-Brexit, the new regulations have been introduced to make “necessary and appropriate changes to the GDPR and to the DPA 2018 so that the law continues to function effectively after the UK has left the EU”. [1]

Amongst other things, the regulations introduce transitional provisions in relation to adequacy decisions, standard contractual clauses and binding corporate rules, to ensure that established data flows from UK data controller establishments to organisations outside of the UK can continue after the UK leaves the EU (in the attempt to minimise disruption to UK businesses that have an EU presence). However, note that in relation to transfers of personal data from the EU to the UK, it will now be required for the UK to apply to the EU for adequacy status and join the list of 12 currently approved countries.

For the purposes of PECR, the regulations will also bring in line the definition of “consent” with the GDPR definition, which imposes a higher standard and no longer recognises pre-ticked boxes or implied consent by silence as being adequate.

When will they come into force?

The regulations are currently in draft form, however, if approved they will come into force on 29 March 2019. Progress can be tracked at the following link: https://beta.parliament.uk/work-packages/aGjGrgmF


Footnote:

  1. Paragraph 2.10, Draft Explanatory Memorandum: The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Michelle Waknine Author
Michelle Waknine
Associate
About the author