June 7, 2020


UK Data Privacy Laws in a Post-Brexit World

Following the United Kingdom’s nonbinding vote to leave the European Union (“Brexit”), what do businesses need to consider for data privacy compliance?

Being part of the European Union has meant that UK businesses are subject to numerous data protection laws. The United Kingdom has enacted most of its data protection laws, such as the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003, to implement European directives. Additionally, businesses in the United Kingdom are also directly subject to European regulations, such as the Data Breach Notification Regulations 2013, the Clinical Trials Regulations 2014, and the European Commission (the Commission) decisions regarding transfers of personal data outside the European Union as these apply across it without the need for the UK government to pass domestic legislation. Finally, the European Parliament has reached a final agreement on the new General Data Protection Regulation (GDPR). The GDPR will take effect in May 2018 and will apply directly to any business that provides goods or services in Europe or that has European operations. This will include any business within the European Union as well as those outside it.

Following the referendum decision to leave the European Union, many are wondering what Brexit will mean for UK businesses. When the new prime minister elects to invoke Article 50 of the Lisbon Treaty, triggering an exit from the European Union, trade negotiations will commence to secure the United Kingdom’s ability to trade with the remainder of the European Union as a single market.

UK Businesses

Existing domestic legislation would remain in effect unless and until the government changes it. This means that businesses in the United Kingdom would continue to be subject to the Data Protection Act 1998. The Information Commissioner’s Office (ICO) would remain the data protection authority, with regulatory powers to investigate breaches of the DPA and to issue penalties for noncompliance. Businesses based only in the United Kingdom would not be subject to European data protection legislation that has direct effect in Europe, such as the regulations listed above, or to Commission decisions on, for example, cross-border data transfers (see below). The ICO has announced that UK data protection standards will need to be equivalent to those in the GDPR if the United Kingdom wants to trade with the European single market post-Brexit.

To date, the UK courts and the ICO have adopted a relatively pro-business approach, in contrast to some of the United Kingdom’s continental cousins. For example, the concept of consent has been strictly interpreted throughout the continent, but in the United Kingdom, “deemed consent” is valid, except in relation to sensitive personal data.

Data security is becoming increasingly important for businesses. Similarly, privacy is becoming increasingly important for individuals globally. Therefore, it seems unlikely that any government would wish to repeal the DPA and pass weaker data protection laws in the United Kingdom, thereby undermining consumer confidence in UK businesses and potentially exposing them to increased data security breaches.

European Businesses

UK businesses with European operations or that otherwise have servers in Europe or that engage processors in Europe will continue to be subject to the data protection laws of those European countries in relation to the European aspects of their business. Additionally, any UK business that offers goods or services to European consumers or that has a website that is accessible in Europe will need to comply with the GDPR and the relevant European laws implementing the Privacy and Electronic Communications Directive in the country where the users are based.

Cross-Border Transfers

Most UK businesses will almost certainly need to transfer personal data to Europe and other countries outside the European Union, such as the United States. Currently, while the United Kingdom remains part of the European Union, there are restrictions against transferring personal data outside it without consent from the individual, other than to certain “adequate” countries (such as Canada or Switzerland), or unless the business has in place a legally permissible mechanism (such as model clauses or binding corporate rules). If the United Kingdom leaves Europe, the UK government will need to decide if it will retain the same restrictions for cross-border transfers or adopt an alternative solution. If the proposed EU-US Privacy Shield is enacted, the United Kingdom will need to decide if it will adopt a similar model for data transfers from the United Kingdom to the United States if the current restriction on such data transfers is retained.

Additionally, the United Kingdom is likely to apply to the Commission for a decision of “adequacy,” which allows European countries to transfer personal data to the United Kingdom. This will, of course, depend on whether the government has passed laws that differ from the current DPA and whether the Commission views the standard of “adequacy” as having been raised after the GDPR becomes effective, which seems likely. In such an event, in 2018 post-Brexit, the United Kingdom, like other currently “adequate” countries, will need to apply for adequacy status with the Commission.

Data Breaches

The DPA does not have a mandatory data breach reporting obligation. The GDPR, however, does include a mandatory obligation to notify the data protection authority without undue delay, and within 72 hours of becoming aware of a breach, and, in certain circumstances, to notify the individuals affected by the breach. The government will, therefore, need to decide whether to pass a data breach notification law, either one similar to the strict GDPR requirement or one adapted to a more pro-business set of legal requirements.

Although the United Kingdom was one of the dissenting voices in negotiations about the GDPR and was particularly vocal about its onerous effect on UK businesses, it seems unlikely that the United Kingdom will reduce the extent of data protection obligations on UK businesses. To do so would necessarily reduce the current level of data privacy protection afforded to individuals. It will be interesting to see how cross-border issues such as data transfers and data breach notification requirements will apply post-Brexit. The United Kingdom is unlikely to want to be seen as out of step with the rest of Europe, which will, to a large extent, remain the biggest UK trading partner. The potential alternatives are that the United Kingdom becomes a member of the European Economic Area, like Norway or Iceland, which would require it to enact many laws similar to European laws, or that it becomes a separate member of the single market, like Switzerland. Both alternatives mean that the United Kingdom will need to amend the DPA or pass new laws similar to the GDPR.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.
About this Author

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

Matthew Howse, Employment law attorney, Morgan Lewis

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670

Mark Krotoski, Litigation attorney, Morgan Lewis

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

W. Reece Hirsch, Morgan Lewis, Regulatory Attorney

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...