The introduction of the General Data Protection Regulation in May 2018 introduced a number of changes and reinforced a number of existing requirements relating to the processing of personal data.
The GDPR applied to all EU Members from May 25 and in the UK, it was automatically incorporated into national law by the European Communities Act.
When the UK leaves the EU, the European Communities Act will be repealed, however, the GDPR will become part of national law in the UK.
The need for a positive adequacy decision
Brexit may, dependent upon the basis on which the UK leaves the EU, have an impact on cross border transfer of personal data.
Up until March 29th, personal data can be transferred between EU members, including the UK. Assuming a withdrawal agreement is agreed, this is likely to remain the case until the end of the transition period, which is expected to be December 31st 2020.
From there (or in the absence of a deal), a lot will depend on whether the UK can secure an Adequacy Decision from the EU, confirming that an adequate level of protection of personal data is guaranteed by the regulations we have put in place.
Whilst the UK has implemented the GDPR, there is no guarantee that an Adequacy Decision will be made in our favour.
The European Commission has stated that it will endeavour to adopt a decision relating to the UK’s adequacy by the end of 2020 but only if ‘the applicable conditions are met’.
It should also be noted that the UK’s use of mass surveillance has led to some EU member states raising concerns about data protection regulation in the UK meeting the EU’s requirements.
An Adequacy Decision in favour of the UK would simplify the position on cross border data transfers post Brexit, but it is not a foregone conclusion.
Leaving the EU without an adequacy decision
For businesses operating in the UK, outbound international transfers of personal data will be subject to the GDPR as UK domestic law.
The guidance offered in the event of a No Deal proposes that the UK Government would implement regulations to transitionally recognise all European Economic Area countries as ‘adequate’, thereby permitting data transfers to continue.
For businesses operating in an EU member state, the UK’s status as a ‘third country’ would mean that under the GDPR adequate safeguards would need to be implemented for any inbound transfers of personal data from the EU to the UK.