Skip to main content

Where is data protection law in the UK heading after Brexit?

Eleonor Duhs


United Kingdom

The transition period
Tonight at 11pm the UK will leave the EU.
The UK will then enter the transition period under the EU-UK withdrawal agreement.
The transition period means that EU data protection law will still apply to the UK in the same way as it did when the UK was an EU member state.  The main difference (which will be irrelevant for companies) is that the UK will no longer be represented in the EU's institutions and will have no right to sit at the table or vote.
The transition period will last until 31st December 2020.  It could be extended, but that is not current UK Government policy and the Government has legislated against extending the transition period.
What happens after the end of the transition period? 
There are significant uncertainties ahead.
The biggest questions are:
1.  Will the UK get an EU adequacy decision by the end of the transition period?
If not, UK companies will have to make arrangements to identify the data which came from the EU before 31st December 2020.  Different legal obligations are likely to apply to that data compared with UK data (see my previous blog on this issue).  Transfer mechanisms such as standard contractual clauses will need to be put in place to transfer data from the EU to the UK.
2.  Will the UK diverge from EU rules? 
The UK is intending to develop its own international transfers regime, which will come into force at the end of this period (see paragraph 9 of the political declaration on the future relationship, which sets out the future policy in terms of the UK-EU relationship).  So far it is not clear what that regime will look like. 
Although the UK still intends to turn the GDPR into UK national law at the end of the transition period (the "UK GDPR"), the EU version of the law and the UK version could be heading in different directions quite quickly.  The UK courts will no longer be bound by judgments of the Court of Justice of the European Union ("CJEU") handed down after the transition period when they are interpreting the UK GDPR.  Further, section 26 of the European Union (Withdrawal Agreement) Act 2020 enables the Government to legislate to allow UK courts (potentially all UK courts) to diverge from the past case law of the CJEU.   That could cause significant uncertainty about the meaning of data protection law in the UK (uncertainty which would be replicated in all areas of the economy previously regulated by EU law). 
Top tip:  the top tip for this year is to keep a close eye on developments.  The closing months of the year may be incredibly busy.  You need to have the potential to draw on resources to be able to:
  • map your data to distinguish "EU data" from "UK data"
  • prepare to put in place transfer mechanisms for transfers from the EU to the UK
  • put in place new mechanisms for transfers from the UK to the EU and other countries. 

Sign up to our email digest

Click to subscribe or manage your email preferences.