On Friday, June 24, the UK electorate voted in a referendum to leave the European Union by a 52% majority. The mechanics of leaving the European Union will be complex: the referendum question did not spell out what relationship the UK would have with the EU once it has left, and there is widespread disagreement within the UK government around how and when the United Kingdom’s separation from the European Union should be implemented. One question is what effect Brexit will have on the continued application of the EU General Data Protection Regulation (GDPR) in the UK.
The GDPR will apply across the EU beginning May 25, 2018, without the need for national implementing legislation. This is likely to be before the UK has left the EU, so by its own terms the GDPR would apply in the UK. Conversely, because the GDPR is an EU regulation, it will automatically cease to apply once the UK has left the EU unless the UK passes new legislation to give it continuing effect. Although some UK politicians and businesses may advocate that the UK reject the stricter GDPR regime as being unnecessarily bureaucratic or inconsistent with the British concept of data privacy, others may argue that the UK should keep the GDPR or a close variant of it because a less-protective data privacy regime would create inefficiencies for business and trans-national trade.
Regardless of the outcome of the political decision to keep the GDPR or a close variant, after the UK’s departure from the EU:
- In order for EU companies to continue transferring personal data to the UK without the use of model contracts or UK companies implementing binding corporate rules, the European Commission will need to find the UK to have an “adequate” level of data protection. Continued force of the GDPR, or a close variant, in the UK would likely establish “adequacy” and continue to offer EU companies a straightforward method of transferring data to the UK.
- Global businesses will still prefer dealing with a single set of data protection rules across Europe. If a company must comply with different requirements in the UK, the UK may be a less attractive place to initiate new services in Europe or to locate European headquarters.
- UK businesses that target or monitor individuals in the EEA (i.e., many online services) will be subject to the GDPR due to the GDPR’s territorial scope rules, regardless of the data protection rules that the UK enacts. Therefore, UK businesses would be likely to have to comply with many of the GDPR rules in any event.
This backdrop, although uncertain, does not extend the timeline for compliance with the GDPR for UK businesses: the safest action is to continue to plan for implementation of its provisions by the 25 May 2018 deadline. We will keep readers of the Data Protection Report updated regarding developments.
For additional Norton Rose Fulbright coverage on Brexit, please see our Brexit – What next? publications.