What’s next? Data protection in the United Kingdom after Brexit

The United Kingdom (UK) has formally withdrawn from the European Union (EU) effective January 31, 2020, at 6 p.m. EST/11 p.m. GMT. The UK leaves the EU with a deal in place after successfully negotiating and approving a withdrawal agreement with the EU.

Since May 25, 2018, the General Data Protection Regulation (GDPR), which governs how data is collected, processed and shared globally, has been the law of all member states of the EU, including the UK. The UK’s exit from the EU has raised many questions about the future of data protection law in the UK and whether GDPR compliance programs that have been put in place by organizations will still be appropriate in the UK post Brexit.

We’ve addressed some frequently asked questions below.

What’s next?

The UK and the EU have agreed to an 11-month transition period—through December 31, 2020—during which time they will negotiate many aspects of their new relationship, including trade and cross-border transfers of personal data.

Is the GDPR still applicable in the UK during the transition period?

Yes. The UK’s Information Commissioner’s Office (ICO) has published Information rights and Brexit frequently asked questions to answer questions about data protection in the UK post-Brexit. According to the ICO, the GDPR will continue to apply in the UK through the transition period. Because of this, organizations do not need to take any action at this time and should continue to follow previously published guidance and guidelines on the GDPR.

Will the GDPR still be applicable in the UK after the transition period?

No and yes. The GDPR will no longer be the law of the UK at the end of the transition period. However, the ICO expects that the GDPR will be incorporated into UK law as the “UK GDPR” effective at the end of the transition period, resulting in very little change to “core data protection principles, rights and obligations found in the GDPR.” The UK’s Data Protection Act of 2018, which currently supplements and modifies the GDPR, is expected to supplement and modify the new UK GDPR instead.

Even though the GDPR will no longer be the law of the UK after the transition period ends, UK organizations that have establishments in the EU, offer goods or services to individuals located in the EU, or who monitor the behavior of persons located in the EU will still be required to comply with the GDPR because the territorial scope of the GDPR reaches outside of the EU.

How will Brexit affect data transfers to the UK from the European Economic Area (EEA)?

The GDPR currently regulates the transfer of data outside of the EEA. During the transition period, the government has said that the transfer of data into the UK from the EEA will not be restricted. However, after the transition period, organizations will need to consider the GDPR’s transfer rules for transfers into the UK from the EEA.

What about data transfers from the UK to the United States?

As with EEA-to-UK transfers, the GDPR will continue to apply during the transition period. For companies that have self-certified to the EU-US Privacy Shield Framework in order to transfer data lawfully from the EEA to the United States, the US Department of Commerce has issued its own Privacy Shield in the UK FAQs. According to the FAQ:

During the transition period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants. In addition, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.

However, before the end of the transition period, Privacy Shield participants will need to update their public commitment to comply with the Privacy Shield Framework to explicitly include a reference to the UK. The Department of Commerce has provided recommended language to do this. In addition, companies must maintain their Privacy Shield certification by recertifying annually.