
Post-Brexit Data Protection Compliance

At midnight on January 31 2020, the United Kingdom will leave the EU, and the EU General Data Protection Regulation will no longer apply to processing of data in the UK. Transfers to and from the EU will be possible during a transition period, which will expire on December 31 2020. Organisations transferring data from the UK to the EU and organisations subject to ‘UK-GDPR’ must assess their data transfers and processing procedures, and prepare for a scenario where there will be no adequacy decision after the expiry of the transition period.
31 January 2020

The applicable legislation after the Exit Day:

At midnight tonight, Friday the 31st of January 2020 (‘Exit Day’), Regulation (EU) 2016/679 (‘GDPR’) will no longer apply to the processing of personal data in the UK. The GDPR will be incorporated into the UK domestic legislation (‘UK-GDPR’), and will function as a national ‘UK’ version of GDPR. It is anticipated that the UK-GDPR will be similar to the EU-GDPR, at least during the transition period, but once it is incorporated into domestic law, UK lawmakers are free to amend the legislation as they see fit.

Furthermore, after Exit Day, the UK will be seen as a third country in relation to GDPR. This will specifically impact personal data transfers to and from the UK. Under the EU GDPR regime, personal data can freely be transferred between EU member states, while certain restrictions apply when personal data is transferred to non-EU member states.

However, under the UK European Union (Withdrawal Agreement) Bill (‘Withdrawal Agreement’) there will be a transition period in which the UK commits to comply with GDPR and the UK Data Protection Act 2018 without any changes to the existing regulation. The transition period expires on December 31, 2020.

Transfers during the transition period:

During the transition period, personal data can be transferred between the UK and EU as usual under GDPR, as the UK has committed to comply with GDPR during this period.

Transfers after the transition period:

When the transition period expires, the transfer of personal data from the EU to the UK will be regulated by GDPR; transfers from the UK to the EU will be regulated by the UK-GDPR.

Transfers from EU to UK:

After the Exit Day, the UK will no longer be regarded as a member state but as a third country, and after the expiration of the transition period it will no longer be possible to transfer personal data directly to the UK without observing the rules in GDPR Chapter V (Transfers of personal data to third countries or international organisations).

Transfers from the EU to the UK will not be permitted unless there is a legal basis for such transfer, or one of the other requirements for such transfer is satisfied (e.g. explicit consent).

However, it is likely that the European Commission will, at some point, adopt an adequacy decision, securing that transfers to the UK can happen on the same terms as any other EU country, and therefore removing the obligation to comply with GDPR Chapter V. However, this process cannot begin before the UK has left the EU, and it is uncertain whether the European Commission will adopt such an adequacy decision before the expiration of the transition period.

If the European Commission is unable to make an adequacy decision before the end of the transition period, it is uncertain if a grace period for data processors to make alternative arrangements will be granted. Such a grace period was provided in most Member States following the sudden overruling of the Safe Harbor framework, but given that data controllers and processors have been aware of Brexit for a considerable amount of time, it is uncertain if a similar grace period will be granted.

If the European Commission does not adopt an adequacy decision, or the decision is not made prior to the end of the transition period, data controllers and data processors will have to rely on appropriate safeguards, such as the European Commission’s standard contractual clauses (‘SCCs’) or binding corporate rules. However, none of these legal bases for transfers is as well-established as an adequacy decision, due to uncertainty regarding the requirement in GDPR art. 46 (1) that enforceable data subject rights and effective legal remedies are available in the third country, and because the validity of the SCCs is currently being challenged before the Court of Justice of the European Union.

Transfers from UK to EU:

Transfers from the UK to the EU will be regulated by the domestic UK-GDPR ruleset. During the transition period all EEA and EU countries will be regarded as adequate countries; hence, it will be possible to transfer personal data to these countries as usual. Existing adequacy decisions made by the European Commission will also be maintained. Likewise, SCCs and binding corporate rules authorised before the Exit Day will also be maintained. However, this might change if UK lawmakers choose to amend the UK-GDPR in the future.

Two ‘GDPR’ regimes

Organisations based in the EU with no establishments in the UK will be subject to the domestic UK-GDPR if the processing involves the offering of goods, services or monitoring of individuals in the UK (c.f. UK-GDPR art. 3 (2)).

Organisations based in the UK with no establishments in the EU will be subject to GDPR if the processing involves the offering of goods, services or monitoring of individuals in the EU (c.f. GDPR art. 3 (2)).

Organisations subject to UK-GDPR will have to accommodate all obligations towards the UK supervisory authority (e.g. organisations will have to cooperate with, and to notify ICO under relevant circumstances), in addition to any potential obligations related to GDPR.

What’s next?

During the transition period, personal data can be transferred as usual. However, there is no guarantee that the European Commission will adopt an adequacy decision before the expiration of the transition period, or adopt an adequacy decision at all (e.g. due to later changes to UK-GDPR that are not compliant with an adequacy decision). Organisations transferring personal data to the EU must review the legal bases for transfers to the EU, and prepare for a situation in which no adequacy decision has been determined, such that transfers must have a legal basis.

Further, organisations with operations subject to both GDPR and UK-GDPR should assess their policies and procedures, and make sure that they accommodate obligations towards both the relevant EU supervisory authority and the UK supervisory authority. Organisations in EU member states subject to UK-GDPR will have to keep an eye on any amendments to UK-GDPR, as later amendments might add further obligations for the organisations when transferring or processing data.
