The EU’s new General Data Protection Regulation (“GDPR”) will come into force in all EU member states on 25 May 2018.
The GDPR contains a raft of new rights and obligations, and many UK businesses are already planning and executing their compliance programs.
So what does the Brexit vote mean for those getting ready for GDPR?
It is likely to be some time before a clear picture emerges of the extent to which the UK will adopt GDPR, if at all. Even after it has left the EU, the UK government could unilaterally decide to adopt the GDPR through national legislation, or it could cherry-pick the GDPR provisions it wishes to implement.
In the meantime, the critical point in our view is this: UK-based organisations are still going to need to comply with GDPR and implement it by May 2018 if they are conducting reasonably substantial business involving the processing of personal data of individuals located in the rest of the EU.
This is because of the extra-territorial effect of GDPR, under which EU data protection laws are being imposed on organisations globally. In a sense, UK-based organisations will be treated like American ones: the message from the EU is that if you want to trade into its territory or monitor individuals in the EU, then you have to play by EU rules.
In addition, once it has left the EU, the UK may find itself in a similar position to the US in relation to personal data transfers from the EU. In order to continue the free flow of data, the UK may require an “adequacy decision” from the EU. Obtaining this may not be straightforward as the EU would need to review the manner in which the UK protects personal data through its laws, including how it accesses data for surveillance and intelligence gathering purposes. In fact, the EU may well require the UK to adopt the GDPR as a pre-requisite to an adequacy decision or similar negotiated settlement.
We will be closely monitoring the UK and EU positions on GDPR over the coming weeks and months, and will be reporting further to our clients once things become clearer.