Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)
The GDPR will be applicable as from 25 May 2018 in all EU Member States, which means that the UK will have to comply with the GDPR until the effective date of Brexit.
After the effective date of Brexit, the UK will become a 'third country', i.e. it will no longer be a member of the EU or the EEA.
What does this mean?
Territorial scope – UK companies may still have to comply with the GDPR
The GDPR applies not only to the processing of personal data in the context of the activities of a controller or processor established in the EU, but also to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU (e.g., in the UK after the effective date of Brexit), where the processing activities are related to:
Hence, even after the effective date of Brexit, UK companies may have to comply with the GDPR, given the latter’s extra-territorial effect.
Lead supervisory authority – One-stop-shop mechanism – Move to Brussels?
UK headquartered multinationals operating throughout the EU will be accountable to a variety of EU data protection supervisory authorities instead of only to the UK Information Commissioner's Office. Therefore, some of them may consider moving their headquarters to other EU Member States in order to secure the lead supervisory authority benefit.
International data transfers – Adequacy decision in the Brexit package?
Personal data can only be transferred to countries outside the EU and the EEA (a so-called ‘third country’) when an adequate level of protection of personal data is guaranteed by the third country.
The EU Commission has the power to determine whether a third country ensures an adequate level of protection of personal data by reason of its domestic law or of the international commitments it has entered into (the EU Commission then adopts an adequacy decision similar to the one adopted in respect of the EU-US Privacy Shield).
In theory, after the effective date of Brexit, the UK may want to adopt its own data protection rules deviating from the GDPR. In practice, however, it is likely that the UK will want to ensure that the transfer of data to and from the UK is not restricted. The UK government has already stated that it intends “to make sure that we achieve a coherent data protection regime and that data flows within the EU are not interrupted after we leave”. It is therefore likely that the UK government will seek recognition of the UK as an ‘adequate country’ for data transfers from the EU. Given the length of the procedure to adopt an adequacy decision, the UK may even try to avoid it and include it as part of the Brexit package that is currently being negotiated.
In the absence of an adequacy decision, transfers of personal data outside the EU or EEA, and in the present case to the UK, may also be allowed if the transfer is based on Standard Contractual Clauses (approved by the EU Commission) or on Binding Corporate Rules (approved by the relevant supervisory authorities).
Finally, the GDPR also provides derogations from the general prohibition on transfers of personal data outside the EU or EEA for certain specific situations. A transfer, or set of transfers, may be made where the transfer is notably:
Due specifically to the new obligations for data processors, the GDPR provides for changes in standard data processing agreements. If in the future the contract is to be governed by UK data protection legislation, some further modifications may be expected.
Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
The activities which fall within the scope of the proposed Regulation on Privacy and Electronic Communications are quite sensitive, involving, inter alia, interference with confidential communications and terminal equipment, which are not addressed by the GDPR.
The text is currently under discussion, and the Article 29 Working Party recently issued an opinion. It welcomes the text but has some specific concerns regarding the tracking of the location of terminal equipment, WiFi-tracking, analysis of content and metadata. The proposed regulation also deals with questions related to direct marketing and cookies.
It is unclear whether the proposed regulation will be adopted before or after the effective date of Brexit. In any case, its content will have an impact on UK data protection law and UK companies.
Before the effective date of Brexit
After the effective date of Brexit