Will GDPR Apply after Brexit?
The General Data Protection Regulation (GDPR) is a European Union (EU) law governing the processing of personal data. 'Personal data' is information about any living, identifiable person, whilst 'processing' refers to what the data is used for and the way it is treated (e.g. it may be stored on a server) once it has been gathered. GDPR applies to all organisations within the EU as well as any outside of the EU that supply goods/services to, or monitor citizens within, the EU.
Since the UK was still in the EU at the time of GDPR's implementation in May 2018, and since it was also a driving force behind constructing the new legislation, the country is bound to comply with GDPR regulations. The way in which the UK implemented GDPR was through the Data Protection Act (DPA) 2018 – an updated DPA that is GDPR compliant. It is likely that, post-Brexit, the DPA 2018 will remain in place (in June 2017, The Queens' Speech explained that GDPR would become a part of UK law after we leave the EU), but the UK will be able to make amendments.
There is widespread apprehensions regarding how a post-Brexit UK could operate without the security of the EU single market. Whilst the progression of the UK through Brexit negotiations is uncertain, we may still consider some hypothetical outcomes.
The European Single Market
The European Single Market is a common market ensuring free movement within the EU. It consists of EU member states, EFTA member states (Iceland, Liechtenstein and Norway) and Switzerland. The EU and EFTA together form the European Economic Area (EEA). The EEA agreement includes:
- Free movement of goods, persons, services and capital
- System to prevent competition being distorted
- Closer cooperation in some other fields, like research, environment, education and social policy
The GDPR prevents EU data being exported outside of the EEA unless adequate safeguards are in place. Whilst Article 50 stated the UK's leave from the EU, no reference was made to our membership status within the EEA. Therefore, when the UK leaves the EU, it will not necessarily leave the EEA. Those pushing for a 'softer' Brexit are urging the UK to remain part of the EEA, which would mean that free transfer of data to the UK would be permitted under the GDPR.
Another hypothetical post-Brexit scenario is if the UK leaves both the EU and the EEA, it would then be classed as a third country. As a third country, we would hopefully come to an adequacy agreement with the EU. In this situation, the EU will examine the UK's legal framework, domestic regulator and international commitments to data protection rules. If we achieve an adequacy agreement then EU member states are free to transfer their citizen's data to UK organisations for processing.
If we fail to secure a positive adequacy decision, data transfer could still occur, but only if the UK puts in place appropriate safeguards such as standard contract clauses or binding corporate laws. This would incur extra costs for businesses and more restriction. For this reason, an adequacy decision would be the preferred option.
Data Protection Post-Brexit
The UK's decision to remain largely compliant with GDPR, even after exiting the EU, should facilitate a smooth transition, however the realities of this endeavour are yet to be uncovered. Similarly, the future of the Information Commissioner's Office (ICO), the UK's data protection regulator, within international negotiations is uncertain. Hopefully, it will have continued involvement in international data protection talks, but this is yet to be established. For now, at least, businesses must continue to comply with GDPR as it is current UK law.
It is important to remember that regardless of our data protection policies post-Brexit, businesses that wish to supply goods or services to, or conduct monitoring of, EU citizens will have to continue complying with GDPR.