GDPR and Brexit are two expressions that have struck fear and confusion into Europeans in recent years. What happens when you put them together?
To quote former UK Prime Minister, Theresa May, the short answer is that “nothing has changed” and nothing is likely to change until the end of the year. Then all bets are off.
The United Kingdom withdrew from the European Union on 31 January under the European Union (Notification of Withdrawal) Act. It did so on the terms of the UK/EU Withdrawal Agreement of 19 October 2019. That Withdrawal Agreement provides for a transition period lasting until 31 December 2020, or such later date as may be agreed.
The Withdrawal Agreement maintains the status quo with regard to data protection throughout the transition period. Specifically:
- Article 71 provides that GDPR will continue to protect data subjects outside the UK, where their personal data is processed in the UK during the transition period, unless the EU Commission makes an earlier determination that UK law provides an adequate level of protection under GDPR Article 45; and
- Article 73 provides that, during the transition period, the EU will treat personal data obtained from the UK in the same manner as it treats data from Member States.
The hope is that the UK and EU will reach a wide-ranging trade agreement during the transition period. This would include either an agreement on mutual treatment of personal data or a reciprocal deal with the EU and the UK making cross - adequacy decisions, which would have the same effect. If this happens, then, indeed, little will change.
If the two sides cannot reach a trade agreement, they may nevertheless make adequacy decisions, allowing personal data to continue to flow freely between the EU and the UK. However, for political or other reasons the EU and UK may refrain from making those decisions in the absence of a wider deal. In that case, the UK becomes a genuine “third country” and organisations would need to put in place special measures to allow EU-UK transfers, such as using the EU model clauses. In addition, US organisations subject to GDPR may need to appoint a data protection representative both in the EU and the UK.
For the next few months, Brexit and GDPR is a question of “watch this space”. The position will need to be re-assessed toward the end of the year, when we may be able to predict whether a deal or adequacy decisions is likely.