The outcome of the UK's recent EU membership referendum has
raised a host of questions on what will happen next following the
UK's decision to exit from the EU. One major concern for
businesses sending personal data to and/or from the UK will be the
effect of Brexit on the data protection landscape over the coming
The timing of the UK's likely exit from the EU is
significant as a major overhaul of existing EU data protection law
is scheduled to come into effect in May 2018 with the commencement
of the General Data Protection Regulation ("GDPR"). Given
that the UK must serve a two year notice period under Article 50 of
the Lisbon Treaty, the GDPR will most likely be in effect in the UK
for a number of months (if not longer) before it exits the EU.
Territorial scope of GDPR
Regardless of Brexit, a UK business trading in the EU post-May
2018 will need to comply with GDPR as the obligations in GDPR apply
to businesses located anywhere in the world which process EU
citizen's data in connection with the provision of
goods/services or the monitoring of customer behaviour.
The eventual data protection landscape in the UK will likely
reflect the nature of the UK's post-Brexit relationship with
the EU, with the folowing representing some of the possible
UK obtains an adequacy
decision from the European Commission. The UK's data
protection laws currently implement EU data protection law which
means that in theory it should not be difficult for the UK to
obtain an adequacy decision, which would result in transfers of
personal data between the UK and the EU continuing as before
Brexit. However, the UK would probably have to update its data
protection laws in 2018 to comply with GDPR in order to obtain
and/or sustain any adequacy decision granted in its favour.
Switzerland as a non-EEA member currently benefits from an adequacy
decision and has indicated that it intends to sustain its adequacy
UK joins the EEA. As
a condition of the joining the EEA and being able to access the EU
single market, it likely that the UK would have to comply with the
GDPR. Norway, Iceland and Liechtenstein (the non-EU members of the
EEA) all currently comply with existing EU data protection
UK decides to reduce personal
data restrictions to become a more business-friendly
destination. The UK may choose to reduce the burden on
those dealing with personal data in the UK by reducing restrictions
on processing personal data in the UK and sending personal data
overseas. While this might be beneficial in some respects, this
might also restrict UK companies' ability to receive personal
data originating from the EU.
UK agrees a "UK Privacy
Shield" with the EU. UK companies could voluntarily
agree to provide enhanced data protection in return for being able
to receive personal data from companies in the EU. The enhanced
standard would, at least from May 2018, be measured in comparison
with the GDPR.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Organization for Economic Cooperation and Development ("OECD") established in Paris in 1961 was a convention of European member countries of the European Economic Community.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).