Jarrow
Jarrow
South Shields
0191 420 0550 172-174 Albert Road, Jarrow, NE32 5JA info@kpsimpson.co.uk
0191 455 0518 171 Sunderland Road, South Shields, NE34 6AD info@kpsimpson.co.uk

Amendments to UK data protection law in the event of a no deal Brexit

Following the publication of its technical notice in September 2018 on “Data protection if there’s no Brexit deal”, the government has now published an online summary covering what amendments would be required to UK data protection law in the event of a no deal Brexit.

The European Union (Withdrawal) Act 2018 (EUWA) will retain the GDPR in UK law, but the government will make appropriate changes to that and to the Data Protection Act 2018 using regulation-making powers under the EUWA to ensure the UK data protection framework continues to operate effectively when the UK is no longer in the EU.

In the event of a no deal Brexit, the summary confirms that:

  • The responsibilities of UK data controllers will not change and the same GDPR standards will continue to apply in the UK
  • The UK will transitionally recognise all EEA states, EU and EEA institutions and Gibraltar as providing an “adequate” level of protection for personal data, which means that personal data can continue to flow freely from the UK to these destinations after exit day. However, the UK cannot provide for the free flow of data into the UK from other jurisdictions and therefore alternative mechanisms for such transfers will be required to be put in place by UK organisations, e.g. Standard Contractual Clauses (SCCs)
  • Existing adequacy decisions made by the EU concerning countries outside the EU will be preserved by the UK on a transitional basis
  • Existing SCCs issued by the European Commission will also continue to be an effective basis for international transfers from the UK in the event of no deal (with the Information Commissioner’s Office (ICO) having the power to issue new SCCs after exit day)
  • Existing authorisations of Binding Corporate Rules (BCRs) made by the ICO will continue to be recognised in domestic law
  • The extraterritorial scope of the UK’s data protection framework will continue to apply. However, the UK will require controllers based outside of the UK to appoint a representative in the UK where certain processing conditions are met.

Related Posts