GDPR and Brexit: How will one affect the other?
What leaving the EU means for UK data laws and other regulations
The General Data Protection Regulation (GDPR) was introduced on 25 May 2018, designed to primarily standardise data protection rules across the European Union (EU) but also to improve data subject rights and make business data collection more transparent.
However, the UK has now exited the EU and is, therefore, no longer subject to EU laws introduced after this withdrawal date. Yet, there's the small matter of historic legislation, which raises the question: is a post-Brexit UK still bound to GDPR?
The short answer is yes. The UK has long been committed to the creation of robust data protection laws and was, in fact, one of the principal architects of GDPR. As such, the UK government had long maintained that GDPR would be absorbed into UK domestic law, which was eventually done as part of the European (Withdrawal) Agreement. This agreement means that GDPR and the UK's existing Data Protection Act 2018 work in tandem to rule on data cases.
However, the UK government has since announced that it wishes to move away from the GDPR regime, and towards regulations that are free of "red tape" and that "promote innovation". What form this new regime will take remains to be seen, and untangling the current data protection landscape will be a complex process.
Data Protection Act 2018 and GDPR
Although the UK has left the EU, that doesn’t mean that GDPR no longer applies. This would certainly have been true if the UK government tried to untangle itself from the regime altogether during the withdrawal process, however, the exact opposite was on the agenda. The government was keen to ensure that data transfers between the EU and the UK remained as they are now, which was only possible by ensuring the UK data protection landscape mirrored that in EU nations.
In order to convince the EU that its data laws were adequate, the UK needed to pass both the Data Protection Act 2018 and pass the UK GDPR as part of the European Union (Withdrawl) Act 2018. This was so that once the UK was relegated to ‘third country’ status, it wouldn’t have been difficult or too long-winded for EU officials to recognise the country’s data laws as being in harmony with its own. Without this crucial agreement, data could continue to flow from the UK to the EU, but not the other way around, which would pose many problems for businesses that keep data stored abroad. It would effectively lead to the UK being blacklisted, and data flows prohibited.
However, the UK had managed to prove that its data protection laws were equivalent to the EU’s, and so it qualified for 'adequacy status'. The agreement - only recently struck - signalled to businesses that they could continue to move data between the EU and the UK without interruption.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Although it now wants to distance itself from these laws, the UK government passed the Data Protection Act 2018 to show it was committed to maintaining the status quo, while going further and introducing some mechanisms that were unique to British law.
After the UK left the EU on 31 January 2020, it entered a transitionary period that lasted until 31 December 2020. The UK was then relegated to a ‘third country’ on 1 January 2021, at which point it sought to finalise the adequacy agreement. On 19 February 2021, the EU issued a draft decision that recognised the UK's data protection laws as adequate, with this agreement officially ratified several months later.
GDPR and Brexit: Dealing with EU citizens
However, that's not quite the full picture, as businesses will need to keep in mind a number of quirks of law and potential headaches as a result of Brexit.
Given the UK is now outside of the EU, and therefore beyond the scope of the European Court of Justice, data regulation will largely fall on the Information Commissioner's Office, unless the case deals with EU residents.
Regardless of UK domestic law, those UK companies who have dealings with European residents still need to adhere to GDPR in full, and so many will have been forced to overhaul their practices irrespective of any agreements made after Brexit. Equally, UK companies may be required to liaise with an EU data protection authority in the event of a data incident, so it's best to keep up to date with enforcement across the bloc.
GDPR and Brexit: Dodging 'No Deal'
The good news is that the UK has already avoided the worst case scenario - a 'no deal Brexit'.
The UK government had said that in the event of a 'No Deal', it would have allowed data to flow from the UK to countries in the European Economic Area (EEA), however, the EU would have almost certainly banned data transfers to the UK as soon as it left the union.
The Information Commissioner's Office (ICO), the UK regulator responsible for data protection enforcement, warned at the time that those organisations which rely on EEA data transfers would need to move to alternative mechanisms in the event of a no deal Brexit.
Perhaps the only viable alternative at the time was standard contractual clauses (SCCs), a mechanism that still exists that provide a means for organisations to bake in GDPR-style data protections into contractual arrangements, acting as terms and conditions that require both parties to sign up to. These are particularly useful for sending data to countries in which data protection laws are not deemed adequate enough by the EU to protect European citizen data.
However, to complicate things further, the legitimacy of SCCs was called into question as part of a landmark case brought before the European Court of Justice. Ultimately, he ECJ ruled in December 2020 that these were indeed valid methods of transfer, provided that the companies using them take steps to ensure data is protected.
Which other data regulations have been affected?
PECR
The Privacy and Electronic Communications Regulations (PECR) rules, which cover marketing, cookies and electronic communications, are EU laws established within the UK legal framework, and so continue to apply despite the UK leaving the EU.
However, the EU will soon be updating PECR with its upcoming ePrivacy regulation, which is expected to come into force within the year, and will therefore not apply to the UK automatically. There is currently no indication that UK laws will be updated to align with this.
NIS
The Security of Networks & Information Systems (NIS) directive is also derived from the EU but is another that has already been set out in UK law. As such, the current rules continue to exit despite Brexit.
eIDAS
The electronic Identification, Authentication and Trust Services regulation is also an EU law that has since been transposed into UK law. Both the EU version and a UK version have been effectively blended together to form an ammended version known as the UK eIDAS Regulations.
Like the NIS directive, businesses will also need to adhere to eIDAS laws in EU Member States, which will be outside the enforcement of the UK.
FOIA
The Freedom of Information Act 2000 is now UK law and continues to apply despite Brexit.
EIR
Environmental Information Regulations are set out in UK law and so continue to apply unless repealed.
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.