UK

Subscribe to UK via RSS

Understanding the practical implications of a “No Deal” Brexit (as compared to an exit under an approved Withdrawal Agreement) following last week’s vote against the current withdrawal proposal.

By Gail E. Crawford and Jane Bentham

“No Deal” Brexit

Unless the UK can agree on a deal with the EU that meets the approval of the majority of the UK Parliament, withdraws its Article 50 notice, or can negotiate with the EU an extension to the 29 March 2019 departure (Exit Date), the UK will leave the EU without a ratified Withdrawal Agreement or an agreed Political Declaration (together, the Deal). The political uncertainties around the different scenarios warrant that businesses prepare for a “No Deal” Brexit in all areas, including in relation to the processing of personal data.

Under a “No Deal” Brexit scenario, the General Data Protection Regulation (GDPR) will form part of UK domestic law as “retained EU law” as a result of the EU (Withdrawal) Act 2018 (EUWA), with certain amendments made to it and also to the Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 under the (draft) Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Privacy Exit Regulations), which is intended to come into force on the Exit Date. This is collectively being referred to as the “UK GDPR”.

The English High Court has declared that UK legislation which expanded government powers to require communication providers to retain communication traffic data is incompatible with human rights, and is unlawful.

The legislation is seen by the government as a key power to ensure that such data is accessible by law enforcement and security services to investigate serious crime and issues of national security.

The Data Retention and Investigatory Powers Act 2014 (DRIPA) reinstated the requirements that existed in the UK under the Data Retention (EC Directive) Regulations 2009 which had to be replaced after the European Court of Justice in Digital Rights Ireland declared the data retention provisions of the Data Retention Directive (2006/24/EC) (which the 2009 Regulations implemented) invalid in April 2014.