Impact of Brexit
The UK’s exit from the EU was triggered under Article 50 on the 29 March 2017. Article 50 allows for a two year transition period which can only be extended by unanimous agreement from all EU countries. If no extension is agreed, the UK will automatically leave the EU on Saturday, 30 March 2019 at 00:00 CET (“Brexit Day”).
GDPR is an EU regulation which is applicable in the UK without the need for domestic UK legislation and as a result it will apply between 25 May 2018 and Brexit Day. A domesticated version of the GDPR (a new “Data Protection Act”) will apply following Brexit Day. While a draft version of this (which closely mirrors, and often refers to the GDPR) is currently working its way through the UK Parliament, it’s not clear exactly what the final version will look like.
The government is now engaged in a period of intensive negotiations with the EU to agree the terms of withdrawal and the UK’s future relationship with the EU, including the extent to which the UK will continue to comply with and keep up with changes to EU laws (such as the GDPR) after Brexit Day.
Once the UK is no longer a member of the EU, it will be a “third country” for the purposes of the GDPR, and so transfers of personal data from the EU to the UK will be restricted unless the EU makes an “adequacy decision”. An adequacy decision is based on the EU’s assessments of a country’s data protection regime, and would add the UK to a “white list” of countries. The GDPR allows a free flow of personal data from the EU to white list countries. The government’s latest partnership proposal confirms that the UK is committed to achieving an adequacy decision.
Regardless of any domestic implementation of the GDPR after Brexit Day, UK organisations which process data relating to individuals based in the EU may still be subject to the GDPR due to the new territorial scope of GDPR which extends beyond the EU.
To follow our latest updates on the impact of Brexit on the GDPR, you can follow our Media and Technology blog.