Brexit: the impact on General Data Protection Regulation
  • United Kingdom
  • Brexit
  • Competition, EU and Trade - Brexit
  • Privacy, data protection and cybersecurity - GDPR

06-01-2017


Brexit and the legal implications for businesses

Speed-read

What do I need to know?

- On 23 June 2016 the UK held a referendum to decide whether or not to remain in the EU and the majority voted to leave it.

- Following the referendum, the UK government has stated its intention to give notice to leave the EU under Article 50 of the Treaty on European Union by the end of March 2017.

- Once the UK gives notice to leave the EU, it would then leave on the sooner of withdrawal terms being agreed and the expiry of two years from giving notice, so by the end of March 2019.

- After giving notice to leave, there would then be an intense period of preparation and negotiation between the UK and EU to agree the terms of withdrawal and for their future relationship.

- The terms agreed between the UK and the EU will affect the extent to which the UK continues to comply with and/or keep up with EU laws and requirements and remains within or outside the European Economic Area.

- GDPR will come into force on 25 May 2018, when the UK is likely to still be in the EU.

- GDPR is an EU regulation applicable in the UK without the need for domestic UK legislation (and so will apply between May 2018 and any departure from the EU).

- As a regulation, GDPR will automatically fall away in the event that the UK leaves the EU – unless and to the extent the UK adopts domestic legislation to retain GDPR in whole or part. Current UK government announcements support such retention.


What do I need to do?

- Start to consider which parts of your operations are established in the UK and may be affected by proposed changes.

- Identify personal data flows from the European Economic Area to the UK.

  - If the UK also leaves the European Economic Area at the time of leaving the EU, flows of personal data from the European Economic Area countries to the UK will become prohibited without new adequate safeguard measures being adopted.

- Identify your UK establishments which monitor the behaviour of, or offer goods and services to, citizens in the EU/EEA.

  - Such UK establishments may be subject to GDPR despite Brexit due to the new territorial scope of GDPR which extends beyond the EU.

- Monitor the UK data protection authority’s statements on Brexit, GDPR and how to remain compliant – current ICO guidance is to continue to prepare for GDPR.

- If your main EU establishment is currently in the UK, consider where your No. 2 establishment in the EU is based, as that is likely to be where your lead EU data protection supervisory authority will be located under GDPR.

- Consider with expert input how best to marry your UK compliance programme with approaches which also appropriately anticipate sensitivities and requirements from your expected lead data protection supervisory authority.

- Check for relevant developments at regular intervals and keep your plans up to date accordingly.


Full briefing

What is the current position following 23 June 2016 until the UK gives notice to leave the EU?

A referendum on whether the UK should leave or remain within the EU took place on 23 June 2016.

The UK voted to leave the EU, but it is still not absolutely clear what will happen, and when, following this vote.

The UK Government intends to give notice to leave the EU, using the procedure set out in Article 50 of the Treaty on European Union. This would then trigger the need to agree withdrawal terms with the EU and, hopefully, future relationship terms as well. The UK would leave the EU on the sooner of agreeing terms and the expiry of two years from giving notice to leave. It is not known for certain when notice will be given, but the UK Government have announced their intention to give notice on or before 30 March 2017. On that basis, the UK would leave the EU on or before 30 March 2019, unless otherwise agreed.

Businesses and organisations should continue to plan and prepare for GDPR compliance in this period.

What will stay the same?

There are different types of EU law. Indirect EU laws, such as the Directive, need to be implemented by domestic UK legislation – the DPA – to become applicable and enforceable in the UK. Those domestic UK laws will be unaffected by Brexit, and so the DPA will continue unless and to the extent the UK Parliament repeals or amends the DPA, whether to deal with GDPR and/or Brexit.

Other EU laws, such as EU regulations, are direct and so apply directly in the UK without the need for UK domestic legislation. This applies to the GDPR. GDPR comes into force in the UK on 25 May 2018 before the UK will have been able to leave the EU. UK businesses will therefore need to prepare for and start to comply with GDPR notwithstanding Brexit.

Other EU member states must also comply with GDPR from 25 May 2018 whether or not the UK leaves the EU. As now under the Directive, under the GDPR, transfers of personal data to outside the EEA can only be made lawfully in certain limited circumstances due to the need to ensure adequate safeguard for the relevant personal data.

What will change during the notice period?

Currently, as a result of section 2(1) of the European Communities Act 1972, the UK has committed to accept and comply with EU laws made under the various EU Treaties:

“All such rights, powers, liabilities, obligations and restrictions from time to time created or arising by or under the Treaties, and all such remedies and procedures from time to time provided for by or under the Treaties, as in accordance with the Treaties are without further enactment to be given legal effect or used in the United Kingdom shall be recognised and available in law, and be enforced, allowed and followed accordingly.”

EU regulations fall within Article 288 of the Treaty on the Functioning of the EU:

“To exercise the Union’s competencies, the institutions shall adopt regulations, directives, decisions, recommendations and opinions. A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.”

GDPR is an EU regulation and whilst the UK is a member of the EU and the above legislation is in force, GDPR will automatically come into force in the UK. This will not be affected in the event that the UK gives notice to leave the EU, whether it does so before or after 25 May 2018.

As a result, GDPR is set to come into force automatically in the UK on 25 May 2018, possibly almost 10 months before the UK is expected to leave the EU. So businesses and organisations in the UK should still prepare for the introduction of GDPR, regardless of whether, and if so when, Article 50 notice is given and expires. The ICO is planning for GDPR introduction on time and will expect those in the UK subject to GDPR to comply with its terms notwithstanding the outcome of the referendum.

What will change at the end of the Article 50 procedure?

At the end of the Article 50 procedure, the UK will cease to be a member of the EU. The exact nature of the changes to data protection laws in the UK will depend on the terms of the UK’s future relationship with the EU and on the exact laws which the Great Repeal Act (which the UK Government intends to enact) will save.

Other EU member states must also comply with GDPR from 25 May 2018, regardless of Brexit.

Whether or not the UK is within or outside the EU, UK businesses and organisations may still be subject to GDPR ‘as is’ where, from 25 May 2018, they monitor the behaviour of, or offer goods and services to, citizens in the EU from the UK. Exactly how those new provisions extending the EU’s jurisdiction into non-EU territories will work in practice and be enforced remains to be seen. [See our GDPR briefing on territorial scope and application.]

What is changing?

The UK Government also plans to review all legislation adopted by the Great Repeal Act following departure from the EU to assess what, if any, changes to it should be made. This will include GDPR. Depending upon the terms agreed with the EU on any departure from it by the UK, minor changes to GDPR provisions in the UK are likely in any event, to ensure the legislation “makes sense” on a standalone UK basis outside of the EU. For instance, GDPR provisions in relation to the EDPB, cooperation and enforcement between member states and the consistency mechanism would need careful consideration and some adjustment to work effectively if the UK were outside the EU, the ICO ceased to be a “supervisory authority” recognised by GDPR and lost its membership of the EDPB.

As now under the Directive, under the GDPR, transfers of personal data to outside the EEA can only be made lawfully in certain limited circumstances, due to the need to ensure adequate safeguard for the relevant personal data. For so long as the UK remains a member of the EU, it remains within the EEA. In the event that the UK leaves the EU and ceases to be within the EEA, regardless of its domestic legislation and whether or not it has adopted GDPR, the UK would no longer be part of the EU safe zone for personal data. Personal data transfers to the UK from within the EEA would no longer carry automatic adequate safeguard. Additional measures would need to be adopted to ensure adequate safeguard for all personal data flows to the UK once outside the EEA. [See our GDPR briefing on international data transfers.]

Any proposed tailoring of GDPR provisions for the UK would have to take account of the extra territorial reach of GDPR, and of the impact of data transfer rules. The UK Government and the ICO will need to ensure UK businesses have a clear idea of the requirements with which they will need to comply to minimise confusion and maximise efficiency.

It is highly likely that the UK would seek to become an EU Commission approved white-listed country, deemed to provide adequate safeguard for personal data without the need for additional measures being adopted by UK data importers. This would take time, but the process would be quicker and easier if the UK maintained parity with EU data protection standards under GDPR. This militates against material changes to GDPR provisions once they become domestic UK legislation.

It remains to be seen whether the UK, like other member states, will make use of current GDPR provisions which permit local member state variations and derogations to standard GDPR rules. And the UK will still need to ensure that a UK-style GDPR works smoothly with related UK legal obligations, such as those on the privacy of e-communications and the monitoring and interception of communications.

How UK courts and tribunals will deal with the interpretation of UK privacy laws following the UK’s departure from the EU is a different matter. Traditionally, UK courts have taken a narrow and no-nonsense approach to personal data and privacy, especially compared to the wider and more liberal approach adopted by the ICO, influenced by the other EU privacy regulators. More recently, this divide has narrowed, with courts and tribunals starting to embrace the EU concepts of personal data, privacy and fundamental Charter rights, just as they have with human rights.

It is less clear how the Government will approach the impact of case law developed whilst in the EU, following any UK departure. Absent action, the case law and its influence will remain and even decisions of the CJEU following any Brexit may continue to impact the UK, having a persuasive value which may be taken into account by the ICO or UK courts and tribunals.

How will your business be affected?

Continue to plan and prepare for GDPR to take effect in May 2018 without delay. If you operate across the UK and other EU countries, you may need to re-assess where your GDPR “main establishment” is located and any change to your lead data protection supervisory authority under GDPR. The effect on any pending or planned BCR applications will also need to be considered.

Next steps…

If the UK ceases to be within the EEA once it leaves the EU, personal data transfers to the UK – even intra-group – will come under the spotlight. You need to identify which systems and servers are located in the UK; which entities and operations transfer personal data to the UK and where UK operations access personal data held elsewhere in the EEA. New adequate safeguard measures may need to be put in place for all these scenarios, such as European Model Clauses, if the UK leaves the EU. Do not forget to consider similar data transfers from other global regions to the UK which are compliant based on the UK being within the EU or EEA, as additional steps may also need to be taken in those cases.
