Since this article was written, the European Commission has released a draft data adequacy decision in favour of the UK which once formally approved will govern personal data transfers from the EEA to the UK, for more information please click here.
This briefing was updated in January 2021, to take account of the UK-EU Brexit trade deal, in particular, the temporary 'data bridge' provisions of that agreement.
Organisations have had to take a number of measures to ensure that they are prepared to deal with the fallout from Brexit. One of these has been reviewing the impact that Brexit will have on the processing of personal data and the steps which an organisation will need to put in place to address that impact.
This briefing is one of two in which we explore the implications of Brexit for UK businesses and their use of personal data. In this briefing we look at how transfers of personal data between the UK and the EU are regulated, now that the transition period has come to an end, and taking into account the temporary 'data bridge' which formed part of the UK-EU Brexit trade deal.
Our second briefing looks at how:
- UK businesses operating within the EU will need to adjust to having a new regulator; and
- UK businesses dealing with EU citizens and their personal data will need to have appointed a representative in the EU.
At the time of writing, the UK has formally left the EU (on 31 January 2020), and the transition period came to an end on 31 December 2020.
Has the UK's data protection standard changed?
The UK's data protection standard did not change during the transition period. The European Union (Withdrawal) Act 2018 transposed the General Data Protection Regulation 2016/679 (GDPR) onto the UK statute book so that it could continue to apply in the UK during the transition period. Additional legislation came into effect at the end of the transition period, which 'anglocised' certain aspects of GDPR (and the Data Protection Act 2018) so that it would make sense when applied as part of UK domestic law, effectively creating a 'UK GDPR' which now applies, essentially, to the processing of personal data by UK based controllers and processors (in the context of activities related to their UK bases), and to the processing of personal data about UK data subjects as a result of the offering of goods and services to them, or the monitoring of their behaviour.
Although the standard is largely the same, difficulties arise when considering the implications of the status change of the UK now that it is a "third country", in particular in relation to data flows. The issue has not been helped by last summer's ruling of the Court of Justice of the European Union (CJEU) in Schrems II.