Data Protection and Brexit

At the moment, the General Data Protection Regulation (or GDPR) is an important piece of legislation protecting personal data, but it is European, not UK law. There is therefore a certain amount of concern about what might happen to data protection in the UK in the future, but there also seems to be some confusion about what is happening now.

The government’s original plan was that, at the point of leaving the EU, all existing EU legislation which took effect in the UK directly (such as the General Data Protection Regulation) would become by default UK legislation. That is what section 3 of the European Union (Withdrawal) Act 2018 would have done. As soon as this happened, the pithily named Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 would immediately step in and perform an extensive series of edits to what would then be renamed the “UK GDPR”.

Almost all of these edits are essentially a global replacement of terms like “European Union” with “United Kingdom”. The GDPR is complicated enough that a simple search and replace would not work and so the edits have more heavy lifting to do. But what you have to imagine is something that looks exactly like the GDPR if the EU contained only the UK and nothing else.

One confusion that seems to be spreading around is that these changes have already happened, because they were all timed to occur on “exit day”, but that isn’t correct. Paragraph 1 of Schedule 5 of the European Union (Withdrawal Agreement) Act 2020 postpones all existing “exit day” dates to “implementation day” which is probably the end of the year, though there has been sufficient chaos in recent years that predicting anything is hard. Instead the agreement signed between the UK and EU treats the UK as being (for data protection purposes at least) as being a part of the EU. 

That means that right now, data protection law is almost but not quite unchanged in the UK. But since the UK is not in fact in the EU, there may be some small differences

Then what happens? If nothing else is changed by the government, at the end of the year the UK will transition to the new UK GDPR. Internally everything should remain approximately as it is now, but since the UK will not be in the EU, exporting data from the EU to the UK might become a little more difficult.

At the moment the EU has a short list of “countries” to which it is OK, at least in some circumstances, to export personal data from the EU. It takes a while to be put on that list – there has to be what is known as an “adequacy decision” and so there is some concern that free export of personal data from the EU to the UK will become more difficult. Not impossible – there are other ways of exporting data lawfully, they just require more work. By the way, the UK’s equivalent “short list” of countries in the UK GDPR will include all the EU adequate countries plus the EU, so export from the UK to the EU should not be a problem.

Of course the UK and EU are currently supposed to be preparing an agreement for 2021 and beyond. There is no reason at all this could not include an agreement on personal data, which would allow free export. There would not necessarily have to ever be an “adequacy decision”. If the government sticks to its plan, the UK’s data protection law will be essentially identical to that in the EU, at least for the time being, so this should not be hard to negotiate. It is of course impossible to tell.

Note that many people seem to assume – and have been saying to me – that the only way forward is for the UK to obtain an  adequacy decision from the Commission. The argument is then about how fast that could be done; whether the commission would want to cooperate in fast-tracking and what to do in the interim.

This may be correct politically but it is just not true legally. There is nothing stopping the UK and the EU agreeing in a treaty between the two, that the UK would not be treated as a third country by the EU. Two examples of that already exist: first the existing transitional agreement, which does just this. Second of course in the relationship between the EU and the EEA. No EEA country is “adequate”, but nor are they treated as “third countries”. That is of course implicit in the framework of EU legislation, but there is no reason why that sort of relationship is impossible. Whether the EU and the UK could or would agree to do so is a completely different question.

What’s more, as things stand, it would be very odd if free movement of data did not exist to the UK, because most of those adequate countries have agreed to allow free export of data to the UK if the government’s statement on the point is to be believed. I have only checked the Isle of Man legislative change to be sure, but it seems clearly to allow export of data from the Isle of Man to the UK. What this appears to me is that data may be exported from the EU to one of these other places and then into the UK without any hindrance, so a sufficiently determined data exporter can “get around” the rules anyway.