
Brexit - Data Protection


Major implications

Before 31 January 2020

The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR) is applicable as from 25 May 2018 in all EU Member States, including the UK (Great Britain and Northern Ireland).

The UK has also adopted the Data Protection Act 2018, which, amongst others, further implements the GDPR into national law. The competent supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO).

Hence, until 31 January 2020 (the Brexit Date), the GDPR applied fully in the UK and entities operating in the UK had to comply with the GDPR and the Data Protection Act 2018, were able to benefit from the one-stop-shop principle and were subject to the consistency mechanism (including the competence of the European Data Protection Board (EDPB)).
 

Transition Period

The agreement of 19 October 2019 on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (the Withdrawal Agreement) provides for a transition period from 1 February 2020 until 31 December 2020 (the Transition Period). 

During the Transition Period, the UK remains subject to all EU laws (other than those expressly excluded by the Withdrawal Agreement). 

Consequently, during the Transition Period:

  • the GDPR and related EU privacy laws continue to apply to the UK;
  • the UK must continue to interpret and apply the GDPR and related EU privacy laws consistent with wider EU legal principles; EU Member States must continue to apply the GDPR and related EU privacy laws in a way which does not discriminate against the UK;
  • the CJEU continues to have jurisdiction to settle questions of interpretation raised by the UK courts regarding data protection law and the UK must abide by CJEU decisions;
  • transfers of personal data from the EU to the UK are not restricted under Chapter V (Transfers of personal data to third countries or international organisations) of the GDPR; and
  • the UK is restricted from participation in EU decision-making and governance bodies/offices, but may be invited to attend on a non-participatory basis; hence, the ICO’s role in the EDPB is limited to attendance in an observer capacity.

The UK and the EU had the option to extend the Transition Period once by joint agreement before 1 July 2020 for one or two years. The UK has however ruled out the possibility of an extension in its domestic law. Consequently, the Transition Period will end on 31 December 2020, in accordance with Article 126 of the Withdrawal Agreement.

After 31 December 2020

Aside from the Withdrawal Agreement, the EU and UK on 19 October 2019 also agreed on a non-binding political declaration setting out the framework for the future relationship between the European Union and the United Kingdom (the Political Declaration).

The Political Declaration states that the EU and the UK both desire a high level of data protection and establishes a willingness by the European Commission to commence an assessment of the UK’s adequacy, with an ambition to adopt an adequacy decision by the end of the Transition Period. Securing an adequacy decision will be vital to supporting a free flow of personal data between the EU and the UK once the Transition Period ends.

Finally, the Political Declaration contains some high level principles to (i) secure co-operation between data protection regulators; (ii) develop reciprocal arrangements for PNR, DNA, fingerprint and vehicle registration data processing, and (iii) facilitate electronic commerce and cross-border data flows.

During the Transition Period, the UK and the EU will need to negotiate a comprehensive deal covering all aspects of Brexit. 

In the event the Transition Period would expire without a deal on data protection, the implications for international data flows and privacy compliance in general will be severe. If no deal is concluded, the relation between the UK and the EU will be governed by the Withdrawal Agreement and the World Trade Organisation Agreements.

GDPR

The UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK. Article 71 of the Withdrawal Agreement moreover states that the GDPR will remain applicable in the UK to personal data that were processed in the EU under the GDPR before the end of the Transition Period, unless the UK obtains an adequacy decision. When an adequacy decision would no longer be applicable, the UK shall ensure a level of protection of personal data that is equivalent to the protection offered by the GDPR. The ICO has already published extensive guidance on the consequences of a no-deal Brexit for data protection.

EU Representative

The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU (e.g., in the UK after the end of the Transition Period), where the processing activities are related to (i) the offering of goods or services to such data subjects in the EU; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU. Hence, even after the Transition Period, UK entities may have to comply with the GDPR, given the latter’s extra-territorial effect. UK entities subject to the GDPR will need to appoint a local representative in the EU (Article 27 GDPR).

EU to UK Data Transfers

If there is no deal regarding data protection before the end of the Transition Period, the UK will automatically be regarded as a country that does not provide adequate protection of personal data originating from the EU. In practice, this means that EU entities transferring personal data to the UK must ensure that, prior to the end of the Transition Period, appropriate safeguards are put in place (e.g., Standard Contractual Clauses or Binding Corporate Rules). In this respect, it is important to recall the Court of Justice of the European Union’s decision in Schrems II and the guidance of the European Data Protection Board (EDPB), which require data exporters relying upon Standard Contractual Clauses to undertake case-by-case Transfer Impact Assessments.

Use of UK (Sub-)Processors

EU controllers using UK processors or sub-processors will need to ensure that, aside from a data processing agreement in accordance with Article 28 GDPR, express contractual safeguards to ensure adequate protection of personal data (e.g., Controller-Processor Standard Contractual Clauses) are put in place.

UK to EU or Adequate Countries Data Transfers

Transfers from the UK to the EU or other adequate countries (including organisations adhering to the Privacy Shield) are unlikely to be affected. However, onward transfers of personal data originating from the EU by UK entities may become an issue. Indeed, contractual arrangements imposed upon UK entities to legitimise data transfers from the EU to the UK (e.g., Standard Contractual Clauses) generally require the same obligations to be passed on to any third parties that will be processing the data. As a result, existing arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU may need to be reviewed and updated. New arrangements between UK entities and entities located elsewhere and that are processing personal data originating from the EU will also require specific attention in order to ensure compliance with the UK entity’s obligations under contractual arrangements to legitimise data transfers from the EU to the UK.

Lead Supervisory Authority

Because their main EU establishment is located in the UK, many multinationals operating across the EU are currently subject to the competence of the ICO as lead supervisory authority under the one-stop-shop mechanism foreseen by the GDPR. In the event the UK ceases to be an EU Member State, the ICO will no longer be considered as a supervisory authority for the purposes of the GDPR, will no longer be a member of the EDPB and will no longer be able to act as lead supervisory authority. As a result, UK headquartered multinationals may need to select an alternative lead supervisory authority (within the EU) or an additional one in parallel with the ICO. UK headquartered multinationals operating across the EU will be accountable to a variety of EU data protection supervisory authorities instead of only to the ICO. Therefore, some of them may even consider moving their headquarters to an EU Member State in order to secure the lead supervisory authority benefit.

To do’s
 
EU Entities

In the event the UK would succeed in securing an adequacy decision by the end of the Transition Period, personal data will continue to be able to flow freely between the EU and the UK. Hence, EU controllers transferring personal data to UK controllers or processors would not have to ensure appropriate safeguards are in place.

If there is no adequacy at the end of the Transition Period:

  • EU controllers transferring (directly or indirectly) personal data to UK controllers or processors need to put in place safeguards to ensure adequate protection of personal data; and
  • EU processors using UK sub-processors need to ensure safeguards to ensure adequate protection of personal data are put in place.

Furthermore, and in any event:

  • EU controllers need to review their current documentation (from records of processing activities under Article 30 GDPR to DPIAs under Article 35 GDPR) in order to reflect the fact that the UK no longer forms part of the EU.

UK Entities

In the event the UK would succeed in securing an adequacy decision by the end of the Transition Period, personal data will continue to be able to flow freely between the EU and the UK. Hence, UK controllers receiving personal data from EU controllers or processors would not have to ensure appropriate safeguards are in place.

If there is no adequacy at the end of the Transition Period:

  • UK controllers and processors that are receiving personal data from the EU need to put in place adequate safeguards to ensure they become safe importers of personal data, unless the UK obtains an adequacy decision; and
  • UK controllers and processors need to review their arrangements with entities located outside the UK that are receiving personal data originating from the EU in order to ensure that contractual obligations imposed upon UK entities to legitimise data transfers from the EU to the UK (e.g., Standard Contractual Clauses) are passed on to any third parties that will be processing the data, unless the UK obtains an adequacy decision.

Furthermore, and in any event:

  • UK controllers and processors subject to the GDPR due to its extra-territorial effect will need to appoint a local representative in the EU;
  • UK headquartered multinationals may need to select an alternative lead supervisory authority (within the EU) or an additional one in parallel with the ICO or may consider moving their headquarters to an EU Member State in order to secure the lead supervisory authority benefit; and
  • UK controllers need to review their current documentation in order to reflect the fact that the UK no longer forms part of the EU.

Our dedicated Lydian team is ready to assist you with any questions you might have regarding Brexit. 

Contact us with all your questions on brexit@lydian.be

Authors

  • Bastiaan Bruyndonckx
    Partner
