At midnight tonight, Friday the 31st of January 2020 (‘Exit Day’), Regulation (EU) 2016/679 (‘GDPR’) will no longer apply to the processing of personal data in the UK. The GDPR will be incorporated into UK domestic legislation (‘UK-GDPR’), and will function as a national ‘UK’ version of GDPR. It is anticipated that the UK-GDPR will be similar to the EU-GDPR, at least during the transition period, but once it is incorporated into domestic law, UK lawmakers are free to amend the legislation as they see fit.
Furthermore, after Exit Day, the UK will be seen as a third country in relation to GDPR. This will specifically impact personal data transfers to and from the UK. Under the EU GDPR regime, personal data can freely be transferred between EU member states, while certain restrictions apply when personal data is transferred to non-EU member states.
However, under the UK European Union (Withdrawal Agreement) Bill (‘Withdrawal Agreement’) there will be a transition period in which the UK commits to comply with GDPR and the UK Data Protection Act 2018 without any changes to the existing regulation. The transition period expires on December 31, 2020.
During the transition period, personal data can be transferred between the UK and EU as usual under GDPR, as the UK has committed to comply with GDPR during this period.
When the transition period expires, the transfer of personal data from the EU to the UK will be regulated by GDPR, while transfers from the UK to the EU will be regulated by the UK-GDPR.
After the Exit Day, the UK will no longer be regarded as a member state but as a third country, and after the expiration of the transition period it will no longer be possible to transfer personal data directly to the UK without observing the rules in GDPR Chapter V (Transfers of personal data to third countries or international organisations).
Transfers from the EU to the UK will not be permitted unless there is a legal basis for such transfer, or one of the other requirements for such transfer is satisfied (e.g. explicit consent).
However, it is likely that the European Commission will, at some point, adopt an adequacy decision, securing that transfers to the UK can happen on the same terms as any other EU country, and therefore removing the obligation to comply with GDPR Chapter V. However, this process cannot begin before the UK has left the EU, and it is uncertain whether the European Commission will adopt such an adequacy decision before the expiration of the transition period.
If the European Commission is unable to make an adequacy decision before the end of the transition period, it is uncertain if a grace period for data processors to make alternative arrangements will be granted. Such a grace period was provided in most Member States following the sudden overruling of the Safe Harbor framework, but given that data controllers and processors have been aware of Brexit for a considerable amount of time, it is uncertain if a similar grace period will be granted.
If the European Commission does not adopt an adequacy decision, or the decision is not made prior to the end of the transition period, data controllers and data processors will have to rely on appropriate safeguards, such as the European Commission’s standard contractual clauses (‘SCCs’) or binding corporate rules. However, none of these legal bases for transfers are as well-established as an adequacy decision, due to uncertainty regarding the requirement in GDPR art. 46 (1) that enforceable data subject rights and effective legal remedies are available in the third country, and because the validity of the SCCs is currently being challenged before the Court of Justice of the European Union.
Transfers from the UK to the EU will be regulated by the domestic UK-GDPR ruleset. During the transition period all EEA and EU countries will be regarded as adequate countries; hence, it will be possible to transfer personal data to these countries as usual. Existing adequacy decisions made by the European Commission will also be maintained. Likewise, SCCs and binding corporate rules authorised before the Exit Day will also be maintained. However, this might change if UK lawmakers choose to amend the UK-GDPR in the future.
Organisations based in the EU with no establishments in the UK will be subject to the domestic UK-GDPR if the processing involves the offering of goods, services or monitoring of individuals in the UK (cf. UK-GDPR art. 3 (2)).
Organisations based in the UK with no establishments in the EU will be subject to GDPR if the processing involves the offering of goods, services or monitoring of individuals in the EU (cf. GDPR art. 3 (2)).
Organisations subject to UK-GDPR will have to accommodate all obligations towards the UK supervisory authority (e.g. organisations will have to cooperate with, and notify, the ICO under relevant circumstances), in addition to any potential obligations related to GDPR.
During the transition period, personal data can be transferred as usual. However, there is no guarantee that the European Commission will adopt an adequacy decision before the expiration of the transition period, or adopt an adequacy decision at all (e.g. due to later changes to UK-GDPR that are not compliant with an adequacy decision). Organisations transferring personal data to the EU must review the legal bases for transfers to the EU, and prepare for a situation in which no adequacy decision has been determined, such that transfers must have a legal basis.
Further, organisations with operations subject to both GDPR and UK-GDPR should assess their policies and procedures, and make sure that they accommodate obligations towards both the relevant EU supervisory authority and the UK supervisory authority. Organisations in EU member states subject to UK-GDPR will have to keep an eye on any amendments to UK-GDPR, as later amendments might add further obligations for the organisations when transferring or processing data.