Brexit

Subscribe to Brexit

As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes.

By Gail Crawford, Fiona Maclean, and Amy Smyth

The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one of the more significant implications — the UK becoming a third country for the purposes of EU-to-UK personal data transfers — has been mitigated by a four to six-month grace period in the EU & UK Trade and Cooperation Agreement (the Trade Agreement).

The Trade Agreement’s grace period states that personal data may be transferred from the EU to the UK as if the UK has not become a third country on 1 January 2021 (Article FINPROV.10A). This provision means that the requirement for a data transfer mechanism to legalise such transfers under the European General Data Protection Regulation (GDPR) will not be triggered on 1 January 2021, and these transfers may continue as during the Brexit transition period.

“Business as usual” for UK-EU data protection transition in 2020.  

By Gail E. Crawford and Susan Mann

On 29 January 2020, the EU Parliament approved the UK Withdrawal Agreement after the UK Parliament’s ratification via the EU Withdrawal Act 2020 on 23 January 2020 (Withdrawal Agreement). The Withdrawal Agreement maintains the UK pre-Brexit position and clarifies that the GDPR continues to apply in the UK during the transition period (between 1 February 2020 and 31 December 2020, or any extension agreed by UK and EU), allowing both sides to negotiate the future data protection relationship. The ICO confirmed that the GDPR will continue to apply, and that during the transition it will be “business as usual”.

The provisions of the UK GDPR will be incorporated directly into UK law from the end of the transition period, and will sit alongside the current UK Data Protection Act 2018. At the end of the transition period, there will be the current EU GDPR as well as a UK GDPR. The Withdrawal Agreement includes technical amendments to the current GDPR, so that it will work in a UK-only context.

UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit.

By Gail E. Crawford, Fiona Maclean, and Amy Smyth

Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and online marketplaces — that provide services into the UK to nominate a UK representative following Brexit. The representative will also have to be registered with the UK Information Commissioner’s Office (ICO).

Non-UK-based digital services providers will remain liable for breaches, notwithstanding the appointment of a representative. A representative will be required to act on behalf of a provider, but it is not currently clear whether a representative maybe be liable for a provider’s breach; whether the updated UK NIS Regulations will address this point explicitly remains to be seen.

Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices.

By Fiona M. Maclean and Jane Bentham

Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event of a “no deal” Brexit:

  • A general note on the various data transfer mechanisms (and exceptions) under the GDPR
  • A specific note on the Information Commissioner’s Office (ICO), the UK regulator, as a Lead Supervisory Authority for Binding Corporate Rules

The UK government has also issued a paper titled “Implications for Business and Trade of a no Deal Exit on 29 March 2019,” including a small section on data transfers. The paper states that the government’s primary aim is to ensure that the UK leaves the EU on 29 March 2019 (the Exit Date) with an agreed and approved Withdrawal Agreement and Political Declaration (the Proposed Deal). Of course it is possible that Brexit may be delayed by extending Article 50 to give the UK more negotiating time with the EU.

Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal.

By Gail E. Crawford and Jane Bentham

“No Deal” Brexit

Unless the UK can agree on a deal with the EU that meets the approval of the majority of the UK Parliament, withdraws its Article 50 notice, or can negotiate with the EU an extension to the 29 March 2019 departure (Exit Date), the UK will leave the EU without a ratified Withdrawal Agreement or an agreed Political Declaration (together, the Deal). The political uncertainties around the different scenarios warrant that businesses prepare for a “No Deal” Brexit in all areas, including in relation to the processing of personal data.

Under a “No Deal” Brexit scenario, the General Data Protection Regulation (GDPR) will form part of UK domestic law as “retained EU law” as a result of the EU (Withdrawal) Act 2018 (EUWA), with certain amendments made to it and also to the Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 under the (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Privacy Exit Regulations), which is intended to come into force on the Exit Date. This is collectively being referred to as the “UK GDPR”.