September 23, 2020

Volume X, Number 267

September 23, 2020

Subscribe to Latest Legal News and Analysis

September 22, 2020

Subscribe to Latest Legal News and Analysis

September 21, 2020

Subscribe to Latest Legal News and Analysis

Data Privacy Implications of 'Brexit'

As the June 23 referendum on Britain’s membership in the European Union looms, the potential that Britain will exit the European Union (“Brexit”) raises data privacy issues.

Being part of the European Union has meant that UK businesses are subject to numerous data protection laws. The UK has enacted most of its domestic data protection laws, such as the Data Protection Act 1998 (DPA), to implement European Directives. If a “Brexit” occurred, existing domestic legislation would remain unless and until changed by the UK government. This means that businesses in the United Kingdom would continue to be subject to the DPA. The Information Commissioner’s Office would also remain as the UK data protection authority with regulatory powers to conduct investigations into breaches of the DPA and issue penalties for noncompliance.

Any UK business that offers goods or services to European consumers or which has a website that is accessible in Europe will, in addition to the DPA, also need to comply with European data protection laws such as the new General Data Protection Regulation (GDPR).

Most UK businesses are almost certainly going to need to transfer personal data to Europe and to other countries outside Europe such as the United States. Currently, whilst the United Kingdom remains part of the European Union, there are restrictions against transferring personal data (without consent from the individual) outside of Europe, other than to certain “adequate” countries such as Canada or Switzerland or if the business has a legally permissible mechanism such as model clauses or binding corporate rules in place. If the United Kingdom leaves the European Union, the UK government will need to decide if it will retain the same restrictions for cross-border transfers or adopt an alternative solution. If the proposed EU-US Privacy Shield is enacted, the UK government will need to decide if it will adopt a similar model for data transfers from the United Kingdom to the United States if the current restriction on such data transfers is retained. Additionally, the United Kingdom is likely to apply to the European Commission for a decision of “adequacy” that would allow European countries to transfer personal data to the United Kingdom. This will, of course, depend on whether the UK government has passed laws that differ to the current DPA and whether the European Commission views the standard of “adequacy” as having been raised after the GDPR becomes effective.


Data security is becoming increasingly important for businesses. Similarly, privacy is becoming increasingly important for individuals globally. It therefore seems unlikely that any government would wish to repeal the DPA and pass weaker data protection laws in the United Kingdom, thereby undermining consumer confidence in UK businesses and potentially exposing them to increased data security breaches.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VI, Number 69


About this Author

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

Matthew Howse, Employment law attorney, Morgan Lewis

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670