X
    X
    X
    X

    Brexit and GDPR

    Locke Lord Publications

    Introduction

    GDPR and Brexit are two expressions that have struck fear and confusion into Europeans in recent years. What happens when you put them together?

    To quote former UK Prime Minister, Theresa May, the short answer is that “nothing has changed” and nothing is likely to change until the end of the year. Then all bets are off.

    Withdrawal

    The United Kingdom withdrew from the European Union on 31 January under the European Union (Notification of Withdrawal) Act. It did so on the terms of the UK/EU Withdrawal Agreement of 19 October 2019. That Withdrawal Agreement provides for a transition period lasting until 31 December 2020, or such later date as may be agreed.

    The Withdrawal Agreement maintains the status quo with regard to data protection throughout the transition period. Specifically:

    • Article 71 provides that GDPR will continue to protect data subjects outside the UK, where their personal data is processed in the UK during the transition period, unless the EU Commission makes an earlier determination that UK law provides an adequate level of protection under GDPR Article 45; and
    • Article 73 provides that, during the transition period, the EU will treat personal data obtained from the UK in the same manner as it treats data from Member States.

    After Transition

    The hope is that the UK and EU will reach a wide-ranging trade agreement during the transition period. This would include either an agreement on mutual treatment of ­personal data or a reciprocal deal with the EU and the UK making cross - adequacy decisions, which would have the same effect. If this happens, then, indeed, little will change.

    If the two sides cannot reach a trade agreement, they may nevertheless make adequacy decisions, allowing personal data to continue to flow freely between the EU and the UK. However, for political or other reasons the EU and UK may refrain from making those decisions in the absence of a wider deal. In that case, the UK becomes a genuine “third country” and organisations would need to put in place special measures to allow EU-UK transfers, such as using the EU model clauses. In addition, US organisations subject to GDPR may need to appoint a data protection representative both in the EU and the UK.

    Conclusions

    For the next few months, Brexit and GDPR is a question of “watch this space”. The position will need to be re-assessed toward the end of the year, when we may be able to predict whether a deal or adequacy decisions is likely.

    Explore Additional Topics

    Disclaimer

    Please understand that your communications with Locke Lord LLP through this website do not constitute or create an attorney-client relationship with Locke Lord LLP. Any information you send to Locke Lord LLP through this website is on a non-confidential and non-privileged basis. Therefore, do not send or include any information in your email that you consider to be confidential or privileged.