For global pharmaceutical and medical device companies handling
personal data in the European Union (EU) or engaged in
transatlantic data transfers, some of the many questions created by
the Brexit vote include what its impact will be on the United
Kingdom's (UK) data protection laws.
These questions also arise in the context of the EU's
General Data Protection Regulation (GDPR), due to come into
force in May 2018, which coincides with the period during which the
UK will be negotiating its EU exit, and the impending agreement by
the EU to the
Privacy Shield. The GDPR is designed to strengthen and
harmonise data protection within the EU and the Privacy Shield is
meant to replace the now invalid EU-US Safe Harbor Framework. Given
this, it is important for manufacturers to consider the
How will personal data be regulated under UK law?
If the UK exits the EU before the GDPR comes into force, it will
not be without a data protection law. The UK's own Data
Protection Act 1998 (DPA) is currently and would remain the law of
the land. Even now, the UK's Information Commissioner's
Office interprets the DPA in a manner that is consistent with some
of the GDPR requirements, such as privacy by design and
accountability through the use of privacy impact assessments.
Compliance with the DPA provides a degree of compliance with the
What will the UK-EU relationship look like with respect
to data protection?
Given that the GDPR may come into force in the UK and EU before
the UK's negotiation period to leave the EU is complete, the UK
should not find it difficult to achieve the 'adequate' data
protection status necessary to maintain current trade and
commercial relationships with the EU. It may be that the UK adopts
much of the GDPR into its law, either as an update to the DPA, or
as a new legislative measure.
How will Brexit affect data transfers?
Brexit will not affect the Privacy Shield agreement, and for the
UK, Brexit should not change UK policy in relation to the Privacy
Shield. Since the DPA permits UK data controllers to make their own
adequacy determination for transferring data outside the UK and the
European Economic Area (EEA), it may be that the UK's
Information Commissioner's Office deems certification to the
Privacy Shield by US companies adequate even if the UK is outside
the EU. Such a stance would not be unprecedented, since other
countries, such as Israel, had taken a similar position in relation
to the US-EU Safe Harbor Framework before it had been ruled invalid
by the CJEU. If that is the case, then transfers of data to the US
on the basis of certification to the Privacy Shield could be deemed
per se adequate by the UK.
In addition, the UK remains a member of the Council of Europe
and a party to Convention 108 for the Protection of Individuals
with regard to Automatic Processing of Personal Data. The
Convention provisions relating to transborder data flows permit the
transfer of data between Convention 108 members, which include not
only the EU member states, but a total of 50 countries, including
Turkey, Russia, and Ukraine, among others.
To learn more about Brexit's potential impact on the United
Kingdom's (UK) data protection laws, and about how Brexit could
provide an unexpected opportunity for the UK to become a data
haven, please read our recent Client Alert, "Data Protection in a Post-Brexit
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
After studying bioengineering and completing a PhD in the San Francisco Bay Area and a two-year postdoctoral research fellowship in London, Mark has spent the past four years analysing global health policy.
World AIDS Day, held on the 1st December each year, provides an opportunity for people to unite in the fight against HIV and show their support for people living with, or having died as a result of, HIV.
Since the enactment of Directive 2001/83/EC ("Community Code Directive") the European Community has conducted a comprehensive review of its legislation on medicinal products. It is not only that the Community since then has adopted Directive 2004/27/EC amending the Community Code. In fact, several other acts of legislation have been issued.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).