Data Protection, Brexit And The Queen’s Speech

Listeners to the Queen’s speech last week could be forgiven for thinking that with Brexit looming we would be leaving all EU law behind.  On data protection it was announced that:‘A new law will ensure that the United Kingdom retains its world-class regime protecting personal data’. The speech notes provide that, amongst other things, the purpose of this ‘new law’ will be to implement the EU General Data Protection Regulation (GDPR). However, for as long as we remain in the EU, the GDPR has direct effect in the UK without need of national implementing legislation: it will come in to force automatically on 25 May 2018.

Of course, on Brexit the GDPR will cease to have direct effect. Its replacement legislation must, therefore, be dealt with as part of the Great Repeal Bill.

After Brexit, organisations based within the EU may only transfer personal data to countries outside the EEA (which is effectively the area covered by the single market, comprising the EU plus Iceland Lichtenstein and Norway) where an adequate level of protection is guaranteed. If the UK is to be designated as ‘adequate’ it will need to demonstrate that its data protection regime provides equivalent protection as the EU regime. Concerns have been raised that if the UK legislation departs in any way from the GDPR we will fail the adequacy test.

The Government has stressed that it is keen to secure the unhindered flow of data between the UK and EU post Brexit. The Information Commissioner (the UK data protection regulator) Elizabeth Denham, actively promotes increasing, rather than diluting, protection of personal data.

In light of the above we expect the post Brexit data protection regime in the UK to mirror the EU regime for some time to come.