Brexit and GDPR: Implications for Data Protection in the UK and EU
The decision of the United Kingdom (UK) to leave the European Union (EU) following the 2016 referendum, commonly referred to as Brexit, has had widespread political, economic, and social implications. Among the many areas affected, data protection and privacy have been key concerns, given the significance of digital data in modern economies and the importance of the General Data Protection Regulation (GDPR) in ensuring data privacy across the EU. The UK’s departure from the EU has raised complex questions regarding the future of data protection standards, the movement of data between the UK and the EU, and the potential for regulatory divergence.
This article aims to explore the impact of Brexit on GDPR and the broader data protection landscape in the UK and EU. We will examine the legal frameworks that have evolved in the post-Brexit era, assess the challenges and opportunities faced by businesses, and analyse the potential long-term consequences for data protection on both sides of the Channel.
Background: GDPR and Its Importance
The GDPR came into effect on 25 May 2018 and marked a significant shift in data protection laws across Europe. As an EU regulation, it was designed to harmonise data protection laws across all EU member states, providing individuals with greater control over their personal data and imposing stricter requirements on organisations that collect, process, and store such data.
The GDPR’s importance cannot be overstated. It introduced an explicit principle of accountability, requiring organisations not only to comply with the data protection principles of lawfulness, fairness, transparency and data minimisation but to be able to demonstrate that compliance. One of its most notable provisions is the potential for hefty fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for non-compliance.
For the UK, the GDPR became directly applicable during its EU membership. In fact, the UK played a significant role in shaping the regulation. However, with the formalisation of Brexit, questions immediately arose about the future of GDPR in the UK and the extent to which British businesses would need to adhere to EU data protection rules.
The UK GDPR and the Data Protection Act 2018
Although the UK left the EU on 31 January 2020, EU law, including the GDPR, continued to apply in the UK during the transition period, which ended on 31 December 2020. From 1 January 2021 the UK became a “third country” in relation to the EU’s data protection regime. The EU-UK Trade and Cooperation Agreement softened the immediate effect with a bridging mechanism: for a specified period ending no later than 30 June 2021, transfers of personal data from the EU to the UK were not treated as transfers to a third country, which bought time for an adequacy decision to be adopted.
The Data Protection Act 2018 (DPA 2018), passed while the UK was still a member state, supplements the GDPR in UK law: it exercises the derogations the regulation leaves to national legislators and covers processing outside the GDPR’s scope, such as by law enforcement and the intelligence services. Brexit itself was handled separately. The European Union (Withdrawal) Act 2018 retained the GDPR as domestic law at the end of the transition period, and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amended that retained text into what is now known as the UK GDPR. The UK GDPR mirrors the EU GDPR in most respects. The key difference is not who supervises it, since the Information Commissioner’s Office (ICO) was already the UK’s supervisory authority under the EU GDPR, but that it is now an instrument of UK law that Parliament and the Secretary of State can amend without reference to EU institutions, and that UK courts interpreting it are no longer bound by new rulings of the Court of Justice of the EU.
Under the UK GDPR, the same data protection principles apply as those under the EU GDPR. These include requirements related to data processing, individuals’ rights over their personal data, and the obligations of data controllers and processors. However, there are some key differences that have emerged since Brexit, as we will explore in this article.
Data Transfers Between the UK and the EU
One of the most pressing concerns following Brexit was how data transfers between the UK and the EU would be handled. Until the end of the transition period, personal data could flow freely between the UK and EU member states under the provisions of the GDPR. With the UK now classified as a third country, transfers from the EU to the UK are restricted unless one of the GDPR’s transfer conditions is met.
For third countries, the EU uses “adequacy decisions” to determine whether a non-EU country offers a level of data protection essentially equivalent to that provided within the EU. On 28 June 2021, the European Commission adopted an adequacy decision in favour of the UK under the GDPR (with a parallel decision under the Law Enforcement Directive), allowing the free flow of personal data from the EU to the UK to continue without the need for additional safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
This adequacy decision was seen as a positive outcome for businesses, as it avoided disruption to data flows that are critical for trade, collaboration, and operational efficiency. However, it came with an important caveat. Unusually for an adequacy decision, it contains a sunset clause: it expires on 27 June 2025, four years after its entry into force, unless the Commission renews it following a fresh assessment, and the Commission can suspend, amend or repeal it earlier if the UK diverges from the standard of protection on which the decision was based. The UK’s data protection regime therefore remains under continuous scrutiny.
Regulatory Divergence: Will the UK and EU GDPR Remain Aligned?
While the UK GDPR is currently similar to the EU GDPR, there is potential for regulatory divergence in the future. The UK government has signalled its desire to explore more flexible approaches to data protection that better suit its national interests, especially in light of post-Brexit economic ambitions. In September 2021, the UK launched a consultation, “Data: a new direction”, on proposed reforms to its data protection regime, aimed at creating a “pro-growth and innovation-friendly” framework.
One of the key areas of potential divergence is the UK’s approach to data transfers with non-EU countries. Since the end of the transition period the UK has made its own adequacy findings, in the form of adequacy regulations, rather than relying on the Commission’s, and has expressed interest in more streamlined mechanisms for transferring data to third countries, particularly in connection with trade agreements with countries such as the United States and Australia. If the UK recognises a country that the EU does not, personal data originating in the EU could in principle flow to that country via the UK, which is exactly the kind of onward-transfer risk the Commission examines when reviewing adequacy. The UK’s approach to international data flows may therefore become less stringent than the EU’s, potentially affecting the EU’s adequacy decision in the future.
Furthermore, the UK government has explored the possibility of reducing some of the administrative burdens imposed by the GDPR, such as the requirement for certain organisations to appoint a Data Protection Officer (DPO) and the need to conduct Data Protection Impact Assessments (DPIAs) in certain circumstances. These proposals have been met with both support and criticism. Some argue that reducing these obligations will stimulate innovation and reduce compliance costs for businesses, while others warn that such changes could undermine the rights of individuals and lead to weaker data protection standards.
The Impact on Businesses
For businesses, the implications of Brexit and the evolving data protection landscape are significant. Organisations that operate across both the UK and the EU now face the challenge of complying with two distinct but closely related regulatory frameworks, the UK GDPR and the EU GDPR. This dual compliance requirement increases the complexity of data protection compliance, especially for businesses that transfer data between the UK and EU. For example, a controller with no establishment in one of the two jurisdictions but which offers goods or services to, or monitors the behaviour of, people there must appoint a representative in that jurisdiction under Article 27 of the respective GDPR, and a UK-headquartered group with establishments in the EU now has a lead supervisory authority in the EU in addition to the ICO.
Businesses must be particularly mindful of the legal bases for data transfers. While the UK currently benefits from an EU adequacy decision, companies still need appropriate safeguards when transferring data out of the UK or the EU to other third countries, and the two regimes no longer share the same paperwork. For transfers out of the UK, the EU’s SCCs are not by themselves a valid safeguard under the UK GDPR: since 21 March 2022 the ICO’s International Data Transfer Agreement (IDTA) or its UK Addendum to the EU SCCs must be used, and contracts concluded on the old EU SCCs before 21 September 2022 were accepted only until 21 March 2024. Conversely, EU adequacy decisions do not bind the UK; the UK’s own adequacy regulations currently cover the EEA and broadly the same countries the EU recognises, but the two lists can drift apart. This is especially important for global organisations that operate in multiple jurisdictions, as they must navigate a patchwork of data protection regulations.
For businesses operating solely in the UK, the immediate impact of Brexit on data protection compliance has been relatively limited, given the close alignment between the UK GDPR and the EU GDPR. However, organisations must remain vigilant to potential changes in the UK’s data protection regime, particularly if the government proceeds with its plans for reform.
Data Protection and Privacy Rights
Another important consideration is the impact of Brexit on individual data protection rights. The GDPR has empowered individuals by giving them more control over their personal data, including the right to access their data, request its deletion, and object to its processing. These rights have been preserved under the UK GDPR, meaning that individuals in the UK continue to enjoy many of the same protections as their EU counterparts.
However, the possibility of future regulatory divergence raises questions about whether individuals in the UK will continue to benefit from the same level of protection as those in the EU. If the UK adopts a more lenient approach to data protection in the future, there is a risk that individuals’ privacy rights could be eroded, particularly in relation to data transfers to third countries and the use of personal data for commercial purposes.
Additionally, Brexit has complicated the cross-border enforcement of data protection rights. Under the EU GDPR, a controller’s lead supervisory authority coordinates cross-border cases with the other authorities concerned through the cooperation and consistency mechanism, the so-called one-stop shop, so an individual could complain to their own national authority and have it work with the others to resolve the matter. The ICO is no longer part of that mechanism: it cannot act as lead authority for processing in the EU, and EU authorities are not obliged to cooperate with it beyond what voluntary arrangements provide. An individual in the UK with a complaint about an EU organisation may therefore have to deal directly with the supervisory authority in the relevant member state rather than with the ICO.
The Role of the Information Commissioner’s Office (ICO)
The UK’s Information Commissioner’s Office (ICO) remains the primary regulator for data protection in the UK. Following Brexit, the ICO has had to adapt to its new role as a regulator outside the EU’s framework. While it continues to oversee compliance with the UK GDPR and DPA 2018, it no longer plays a role in the EU’s data protection ecosystem.
The ICO has expressed its commitment to maintaining high standards of data protection in the UK and has worked closely with the UK government to ensure a smooth transition post-Brexit. However, its ability to influence EU data protection policy has been diminished, as it no longer participates in the European Data Protection Board (EDPB), the body responsible for ensuring consistent application of the GDPR across the EU.
For businesses, the ICO remains the primary point of contact for data protection issues in the UK, but organisations that operate in both the UK and the EU may also need to engage with EU data protection authorities in order to comply with the EU GDPR.
The Future of Data Protection in the UK and EU
Looking ahead, the future of data protection in the UK and EU remains uncertain. While the UK GDPR currently mirrors the EU GDPR, the potential for regulatory divergence could lead to a fragmented data protection landscape in the coming years. The UK’s desire to pursue a more flexible and innovation-friendly approach to data protection could result in significant changes to its data protection regime, with implications for businesses, individuals, and international data flows.
The adequacy decision between the UK and EU is another area of uncertainty. Although the current decision allows for the continued free flow of data, it is subject to periodic review and could be revoked if the UK is deemed to no longer offer adequate protection. This would have serious consequences for businesses that rely on data transfers between the UK and EU, as they would need to implement additional safeguards for transfers from the EU to the UK, such as SCCs, which since the Court of Justice’s Schrems II judgment must be accompanied by a case-by-case assessment of whether the destination country’s law undermines the protection the clauses promise.
In conclusion, Brexit has ushered in a new era for data protection in the UK and EU. While the immediate impact on businesses and individuals has been relatively limited due to the alignment of the UK GDPR with the EU GDPR, the long-term implications remain uncertain. Businesses must stay informed about potential regulatory changes and be prepared to adapt to an evolving data protection landscape as the UK seeks to define its post-Brexit identity. The challenge will be to strike a balance between fostering innovation and maintaining the high standards of data protection that individuals have come to expect in the digital age.