How Will Brexit Affect Data Privacy Law and the GDPR in the United Kingdom?
Q: What Is Brexit and When Is It Due to Happen?
A: Following the referendum of 23 June 2016 and the United Kingdom’s subsequent notification under Article 50 of the Lisbon Treaty, the UK’s membership of the European Union is due to end on 29 March 2019, subject to any transitional or implementation period that may be agreed with the EU (and ratified by its continuing member states).
Q: Will Brexit Stop the GDPR Applying in the UK?
A: No, the GDPR will apply in the UK on and from 25 May 2018. The UK will still be a Member State of the European Union at that point. Brexit does not take effect until 29 March 2019.
Q: How Will Data Protection Law Operate in the UK post-Brexit?
A: The Data Protection Bill (the “Bill”) will replace the Data Protection Act 1998 and will implement the GDPR into the law of England and Wales. The Bill is currently under legislative review. The Bill performs two core functions: (1) it will implement the GDPR into the law of England and Wales, including the UK’s “derogations” under the GDPR (derogations are elements of the GDPR which can be adapted by each Member State); and (2) it will ensure that at the point the UK exits the EU, and the GDPR ceases to apply directly, the UK will have a data protection regime which is largely aligned with that of the remaining EU member states.
Q: What is the Current Status of the Bill?
A: A consolidated version of the Bill was published on 23 March 2018 and captures the debates that have taken place to date.
Q: What Is the Impact on Data Transfers to the US post-Brexit?
A: When the UK exits the EU, it will, for the purposes of the GDPR, become a “third country” (a country outside of the European Economic Area). The Bill provides a similar data transfer protection regime to that of the GDPR. See our previous alert describing cross-border data transfers under the GDPR. Based on the current draft of the Bill, following Brexit, the transfer of personal data to a third country (e.g., the United States) from the UK can be carried out using a transfer mechanism which has been approved by the European Commission (i.e., subject to an adequacy decision). Such transfer mechanisms include Standard Contractual Clauses and the Privacy Shield. The Secretary of State will have the power to prevent the transfer of personal data to specific third countries where there is an important public interest to prevent the transfer. The Bill provides the framework to preserve the use of current compliance mechanisms (for transferring data from the UK to third countries). However, companies should keep the position under review: (1) the Privacy Shield is subject to an annual review and therefore subject to periodic challenge; and (2) the future of the Standard Contractual Clauses remains uncertain given that their validity has been called into question by Data Protection Commission v. Facebook & Schrems.
Brexit, an Unprecedented Event
Whether Brexit takes place on 29 March 2019 or is effectively deferred until the end of a transitional period (31 December 2020), the UK will likely adopt data protection legislation which largely tracks the GDPR. There is no precedent for Brexit, and it is impossible for companies to foresee every scenario that may arise and the impact it may have on data protection law in the UK. Companies which process the personal data of citizens of the UK or have operations in the UK will need to keep a close watch on the law over the coming months.