With the UK set to leave the EU on 31st January 2020, here’s what you need to know about how Brexit impacts GDPR going forward.
The quick answer
Until the end of 2020 there is no change: the EU GDPR continues to apply throughout the transition period, and PECR (which is UK law anyway) continues to apply. From 2021, what happens depends on what is agreed during the transition period. If nothing is agreed, the worst-case scenario is that it will be much like a no-deal Brexit:
- EU to UK data flows will be classed as restricted transfers and will require an appropriate safeguard, in practice a contract based on the EU’s standard contractual clauses (“model clauses”)
- Loss of the “one stop shop” if you operate across the EU, meaning you could be answerable to the ICO and to regulators in each EU country where you trade
- You may need to appoint an EU representative if you target individuals in the EU
What happens to data protection from 1st February 2020, during the transition period?
Even though the UK leaves the EU on 31st January, there is a transition period until the end of 2020. During this transition period the GDPR continues to apply, just as it has since it came into force in May 2018. So, don’t expect any changes to your data protection compliance in 2020.
What happens to data protection from 2021, after the transition period?
This depends on what happens during the transition period. If nothing GDPR-related is agreed between the UK and the EU, then we will start 2021 as though we had left the EU without an agreement (from a GDPR perspective). In practice this would mean:
- UK to EU data flows will be allowed to continue as they do pre-Brexit (the UK has said it will treat transfers to the EEA as permitted)
- The UK is likely to have a “UK GDPR” which is essentially the same as the EU GDPR, so the compliance requirements are likely to continue as-is
- Little is likely to change if you operate in the UK only and don’t process personal data about people in the EU – you’ll still be answerable to the UK GDPR, with the ICO enforcing it
- If you receive personal data from an organisation in the EEA, that organisation will not be able to transfer the data to you unless an appropriate safeguard is in place, in practice the EU’s standard contractual clauses
- If you sell products or services into the EU from the UK, the EU GDPR will still apply to you because it has extra-territorial reach. You may also need to appoint an EU representative: someone established in one of the member states where you have customers who represents you across the EU for GDPR matters
- PECR will continue to apply as it does today
There is a possibility that some of this will be resolved during the transition period and so won’t apply from 2021. So, watch this space (or subscribe to our email list for the latest updates) – we’ll post updates on progress with Brexit and GDPR throughout 2020 as and when they happen.
Should I be sorting anything out now – e.g. EU representative?
You don’t need to change anything right now. There may be a point in 2020 when you need to put things in place in preparation for the end of the transition period, and what those things are will depend on the status of GDPR post-Brexit. I’d suggest holding fire for now until we know a little more about what might happen. It is worth drafting a plan of action, though, so you can pinpoint the latest date by which you would need to start preparing for a “no-deal” GDPR transition (for example, getting standard contractual clauses signed with EEA partners and appointing an EU representative).
Will the GDPR still apply from 2021?
Sort of. The UK will have a UK GDPR which, all things considered, is expected to be essentially the same as the EU GDPR. The Data Protection Act 2018 will also continue to apply, and for marketing consents, cookies, etc. PECR will continue as is.
However, if you operate in the EU, it’s possible you will need to apply the EU GDPR to your EU operations and the UK GDPR to your operations in the UK. There is always the possibility, of course, that the government will introduce additional data protection controls when the UK GDPR comes into force.
Will the ICO still exist and enforce data protection?
If you operate solely in the UK and process only data about people in the UK, then you will be bound by UK data protection law, which will be enforced by the ICO.
If you also operate within the EU, then you will still be answerable to the ICO in the UK, but may also be answerable to regulators across the EU (potentially multiple regulators, depending on the issue being investigated and where the affected individuals are), because the “one stop shop” would no longer cover you.
What about ePrivacy?
The PECR rules will still apply as they do now: although based on EU law (the ePrivacy Directive), they have been implemented as UK regulations (the Privacy and Electronic Communications (EC Directive) Regulations 2003) and so are not affected by leaving the EU.
There may well be a new EU ePrivacy Regulation at some point, but it’s not looking likely that this will be agreed in the EU before the end of 2020. Even if it is published in 2020, it is unlikely to be in force until after the transition period. Whether it affects UK organisations will then depend on what the UK government decides to do with PECR, which it could change either to bring it in line with EU standards or because it wants to change the PECR rules in its own right.