Impact of Brexit
The UK stopped being a member of the EU on 31 January 2020. However, the UK has agreed a transition period (due to end 31 December 2020) during which EU law will still apply directly to the UK.
GDPR is an EU regulation which is applicable in the UK without the need for domestic UK legislation and as a result it will apply for the duration of the transition period. A domesticated version of the GDPR (an “applied GDPR”) will apply following the transition period, which will work alongside the existing Data Protection Act 2018 (a domestic UK law which currently interoperates with the GDPR).
The government is now engaged in a period of intensive negotiations with the EU to agree the terms of withdrawal and the UK’s future relationship with the EU, including the extent to which the UK will continue to comply with and keep up with changes to EU laws (such as the GDPR) after the transition period.
Once the transition period ends, the UK will be a “third country” for the purposes of the GDPR, and so transfers of personal data from the EU to the UK will be restricted unless the EU makes an “adequacy decision”. An adequacy decision is based on the EU’s assessments of a country’s data protection regime, and would add the UK to a “white list” of countries. The GDPR allows a free flow of personal data from the EU to white list countries. The government’s latest partnership proposal confirms that the UK is committed to achieving an adequacy decision. The timetable for achieving an adequacy decision is not clear, and it appears unlikely that this will happen in time for the end of the transition period.
If the UK becomes a “third country” without an adequacy decision, transfers of personal data from the EU to the UK in most cases will need:
- the informed consent of the relevant individuals (this can be very difficult to obtain); or
- to use “Standard Contractual Clauses”.
“Standard Contractual Clauses” are sets of template clauses approved by the EU which can be executed by entities in the EU exporting data to entities outside of the EU. If they are executed, they are deemed to provide sufficient safeguards for the transfer of that data to the entity outside of the EU, meaning that this can be done in a GDPR-compliant manner. The clauses cannot be altered or amended, but certain details do need to be filled in. There are currently two types of Standard Contractual Clauses, one for “Controller to Controller” transfers (where the entity outside of the EU is choosing how to use the data) and one for “Controller to Processor” transfers (where the entity outside of the EU is simply acting as a processor). For more information on the difference between controllers and processors click here.
Regardless of any domestic implementation of the GDPR after the transition period, UK organisations which process data relating to individuals based in the EU may still be subject to the GDPR due to the new territorial scope of GDPR which extends beyond the EU. If you are based in the UK but you offer goods or services to individuals within the EU (even for free), or you monitor the behaviour of individuals in the EU, then you will be directly subject to the GDPR. This means you:
- will need to comply with the EU’s version of the GDPR, regardless of what direction the UK’s data protection law takes.
- will need to appoint a representative in the EU (who represents you regarding your obligations under the GDPR). This can be an individual or organisation established in the EU. Their details will need to be given to any EU individuals whose data you use (usually by including them in your privacy notice).
To follow our latest updates on the impact of Brexit on the GDPR, you can follow our Media and Technology blog.