In October 2016, the UK government indicated that it expects, despite Brexit, to "opt in" to the EU's General Data Protection Regulation (GDPR).

An announcement along those lines has been expected by data law practitioners since the result of the 23 June referendum. Any other approach would threaten the lawful transfer of data between the UK and EU member states, massively disrupting business. In any event, GDPR comes into full operation on 25 May 2018 and so will be directly applicable to the UK on that date given that (on the current timetable) the UK is unlikely to leave the EU until 2019. Before Brexit, therefore, GDPR will be law in the UK.

After Brexit, the position is less clear. With a soft Brexit, the UK may become a member of the EEA. GDPR is likely to be incorporated into the EEA Agreement and thus the GDPR would be directly effective in the UK. Alternatively, with a hard Brexit, the UK may become a "third country". As a "third country" the UK would need to secure an "adequacy decision" from the EU Commission to facilitate lawful data transfer with EU member states. Adoption of the EU's own GDPR must surely be the shortest route to establishing such adequacy.

Voluntarily adopting GDPR therefore seems to be the obvious and straightforward solution, allowing the UK to: "opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public."[1]

However, the solution may not be as straightforward as it first appears. A House of Commons Library Briefing Paper, Legislating for Brexit: the Great Repeal Bill, was published on 21 November 2016. It highlights the challenges and complexities posed by the UK Government proposal to repeal the European Communities Act 1972 and, from "Brexit Day", to transpose EU laws into domestic law. GDPR is one example of those challenges.

The UK government accepted during the High Court hearing in Miller v Secretary of State [2016] EWHC 2768 (Admin) that some EU laws, such as laws enabling UK courts to refer questions to the Court of Justice, could not be transposed into domestic law. Similarly, where laws depend on cooperation between EU member states or institutions – including those related to mutual recognition and enforcement of judgments – the UK simply cannot legislate to continue or to replicate those existing arrangements. As Kenneth Armstrong, Professor of European Law at the University of Cambridge, observed:

"Such a legal device could not, of course, create obligations for other EU States towards the UK; that can only be achieved by whatever withdrawal and subsequent agreements might be negotiated."[2]

Institutional cooperation lies at the heart of the GDPR. It establishes the new European Data Protection Board (the Board) to replace the Article 29 Working Party. The Board is a legal entity and has specific responsibility for the GDPR's "consistency mechanism", designed to ensure smooth and effective cooperation and consistency between national data protection regulators within the EU. Membership, understandably, is limited to EU Member States. Under a soft Brexit, the UK might be invited to participate as a non-member observer to the Board. This is the position of current EEA members with the Article 29 Working Party. Following a hard Brexit, the UK would of course be a "third country" and there is no precedent indicating the UK would have any, even informal, presence on the Board.

The Board's other functions include, crucially, advising the EU Commission in relation to the adequacy of data protection laws and measures adopted by "third countries" and "international organisations". Any assessment of adequacy in relation to the UK's data protection regime would have to be carried out objectively and independently, and might encounter difficulty if the UK's "adoption" of the GDPR does not include institutional arrangements involving or replicating the Board – this is likely to be more of an issue with a "hard" Brexit.

Further, it would be entirely a matter for the EU Commission to decide when, or indeed whether, to make an adequacy decision in relation to UK data protection law. Simply "adopting" the GDPR would not in itself guarantee that such a decision would be made or that it would not be withdrawn should the UK subsequently diverge from any guidance or decisions issued by the Board. The UK would not be entitled, as of right, to an adequacy decision.

Replication of the GDPR would also be impossible in relation to the right of any natural or legal person to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 of the Treaty on the Functioning of the EU. A UK-based data subject could not, after Brexit, avail of that right. Consequently, it would be arguable that as a "third country" the UK could not in practice simply "opt in" to the GDPR in a way that would give equivalent protection to data subjects. The UK might seek to square the institutional circle by deciding to adopt and follow Board decisions and guidelines, but that approach would in itself leave UK data subjects with different – and arguably inferior – rights if they were unable to challenge those decisions under the Treaty on the Functioning of the EU.

The objective of the Great Repeal Bill is to ensure that Brexit does not leave any legislative or regulatory "black holes", allowing the UK Parliament to decide over time which elements of EU law it wishes to adopt. That process will not be quick or easy. Broad statements about "opting in" are clearly intended to soothe and reduce uncertainty for UK businesses. However, as the House of Commons Briefing Paper demonstrates, uncertainty is an integral part of Brexit.