June 25, 2019


June 24, 2019


How Will Brexit Affect Data Privacy Law and the GDPR in the United Kingdom?

Q: What Is Brexit and When Is It Due to Happen?

A: Following the referendum of 23 June 2016 and the United Kingdom’s subsequent notification under Article 50 of the Lisbon Treaty, the UK’s membership of the European Union is due to end on 29 March 2019, subject to any transitional or implementation period that may be agreed with the EU (and ratified by its continuing member states).

Q: Will Brexit Stop the GDPR Applying in the UK?

A: No, the GDPR will apply in the UK on and from 25 May 2018. The UK will still be a Member State of the European Union at that point. Brexit does not take effect until 29 March 2019.

Q: How Will Data Protection Law Operate in the UK post-Brexit?

A: The Data Protection Bill (the “Bill”) will replace the Data Protection Act 1998 and will implement the GDPR into the law of England and Wales. The Bill is currently under legislative review. The Bill performs two core functions: (1) it will implement the GDPR into the law of England and Wales, including the UK’s “derogations” under the GDPR (derogations are elements of the GDPR which can be adapted by each Member State); and (2) it will ensure that, at the point the UK exits the EU and the GDPR ceases to apply directly, the UK will have a data protection regime which is largely aligned with that of the remaining EU member states.

Q: What is the Current Status of the Bill?

A: A consolidated version of the Bill was published on 23 March 2018 and captures the debates that have taken place to date.

Q: What Is the Impact on Data Transfers to the US post-Brexit?

A: When the UK exits the EU, it will, for the purposes of the GDPR, become a “third country” (a country outside of the European Economic Area). The Bill provides a similar data transfer protection regime to that of the GDPR. See our previous alert describing cross-border data transfers under the GDPR. Based on the current draft of the Bill, following Brexit, the transfer of personal data to a third country (e.g., the United States) from the UK can be carried out using a transfer mechanism which has been approved by the European Commission (i.e., subject to an adequacy decision). Such transfer mechanisms include Standard Contractual Clauses and the Privacy Shield. The Secretary of State will have the power to prevent the transfer of personal data to specific third countries where there is an important public interest to prevent the transfer. The Bill provides the framework to preserve the use of current compliance mechanisms (for transferring data from the UK to third countries); however, companies should keep the position under review: (1) the Privacy Shield is subject to an annual review and therefore subject to periodic challenge; and (2) the future of the Standard Contractual Clauses remains uncertain given that the validity of the Standard Contractual Clauses has been called into question by Data Protection Commission v. Facebook & Schrems.

Brexit, an Unprecedented Event

Whether Brexit takes place on 29 March 2019 or is effectively deferred until the end of a transitional period (31 December 2020), the UK will likely adopt data protection legislation which largely tracks the GDPR. There is no precedent for Brexit, and it is impossible for companies to foresee every scenario that may arise and the impact it may have on data protection law in the UK. Companies which process the personal data of citizens of the UK or have operations in the UK will need to keep a close watch on the law over the coming months.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Jackie Gray Public Sector Lawyer Womble Dickinson
Partner

Jackie specialises in public sector projects, public law and information law.

She has acted on a variety of PPP/PFI projects for local authorities, housing associations, bidders and funders in a number of sectors including housing, education, leisure, health and energy. She advises on all aspects of projects including delivery structures, procurement matters and drafting and negotiating project agreements, sub-contracts and related contracts within competitive procurement processes, particularly competitive dialogue. She also advises on general...

+44 (0)113 290 4432
Michael Dowden Regulatory Lawyer Womble
Legal Director

Malcolm is a commercial and regulatory lawyer with extensive experience of contractual regulatory and legislative drafting in the UK and other common law jurisdictions. Since qualifying in 1994 Malcolm has advised commercial, government and public sector bodies on a wide range of issues affecting electronic communications, transport, infrastructure and other development projects.

Malcolm is an internationally-accredited provider of legal and professional training. He has designed and delivered training on issues such as contract risk management, contractual and statutory drafting and regulatory policy in the UK, Africa, South-East Asia and India.

+44 (0)2380 208 428
Matthew Harris, Attorney, Womble
Attorney

Matthew is a solicitor who specialises in Commercial Law. He undertakes a broad range of commercial work, with a particular focus on matters relating to information technology, e-commerce, data protection and privacy.

Matthew has previously undertaken a secondment to an international retailer. Whilst on secondment, Matthew supported the internal legal team on a variety of matters and projects, providing assistance on a wide range of commercial issues.

+44 (0)2380 20 8146