What Does Brexit Mean For Data Protection?

Author:Ms Kelly McMullon
Profession:Proskauer Rose LLP

With less than a month to go until the UK is due to leave the EU (at 11pm GMT/12pm CET on 29 March 2019), there is still much uncertainty as to whether, and if so how, the UK will exit the EU (commonly dubbed "Brexit"). In light of this uncertainty we outline what will happen, and what should be considered, depending on how things play out especially given the important votes due to take place within the UK Parliament this week.

What happens if there is a deal?

Currently, as the UK is part of the EU and so has implemented the General Data Protection Regulation (the "GDPR"), there are unrestricted personal data flows between the UK and the rest of the EU.

If the UK and EU are able to agree a deal as to how Brexit will be implemented (officially the "Agreement on the Withdrawal of the United Kingdom from the European Union", or "withdrawal agreement"), that will mean that the EU and UK will enter into a transition period (to 31 December 2020, or possibly later) during which time the EU and UK will seek to agree to a new long term trade deal.

During this transition period the UK must abide by all EU rules. With respect to data protection considerations that means that personal data can continue to flow freely during this transition period. The EU will use this time to assess whether the UK's data protection practices are essentially equivalent to the EU's and "endeavour to adopt" an adequacy decision to seek to ensure the continued free flow of personal data after the transition period.

The EU has recognized a limited number of countries as providing "adequate" protection for individuals' personal data, such that personal data can be transferred freely from the EU to these non-EU jurisdictions. The list currently includes Israel, transfers made under the Privacy Shield framework in the USA, Switzerland, and most recently Japan.

The UK will have to be assessed like any other country that wishes to receive an "adequacy decision". The UK has a head start given that it has implemented the GDPR, but the result of the adequacy assessment is not a foregone conclusion. The EU will look at all aspects of UK data privacy protection including the rule of law and the access public authorities have to personal data. On the latter, for instance, the European Court of Justice has been concerned about the access the UK's security services can have to personal data. The UK Government has sought to resolve this concern.

Meanwhile, the UK will incorporate the...

To continue reading