Brexit and data protection: What’s next?

On 12 December 2019 in the UK general election, Boris Johnson secured his position as UK Prime Minister, with his Conservative party winning its first substantial majority in decades. The results of the election have set the way for the UK to exit the European Union by its scheduled exit date of 31 January 2020. 

The results of the election provide Johnson with the political force to negotiate the future relationship between the EU and the UK and to definitively make Brexit happen. It therefore appears as though Johnson will be able to deliver Brexit legislation and get the Withdrawal Agreement through the House which has not been possible until now.

On 13 December 2019, the European Council President Charles Michel expressed the EU’s willingness to move forward with negotiations. EU countries, however, before engaging in trade negotiations, will need to agree on a negotiation mandate.

Critics have expressed doubts about how realistic it is to agree on a comprehensive deal governing the future relationship of the EU and UK by December 2020. 

Next Steps

  • The House of Commons should vote on the deal again before Christmas.
  • The House of Lords will then consider the Brexit plan.
  • This process within the UK is expected to pass smoothly, enabling Johnson to stick to the current scheduled exit date of 31 January 2020.
  • Once the plan has been ratified by the UK Parliament, the European Parliament is to vote on it.
  • During the transition phase Johnson will determine the nature of the post-Brexit relationship with the EU, including with respect to data protection, free trade, and customs.

Transition phase

  • The Withdrawal Agreement  includes a transition phase.
  • The transition phase allows the UK to continue to trade with the EU on existing terms until December 2020 and the GDPR will therefore continue to apply.
  • A UK-EU committee will oversee implementation of the Brexit deal.  
  • Should Johnson fail to make a deal during the transition phase, the UK will leave the EU with no deal and will trade on the basis of the World Trade Organization terms.

What this means for Data Protection

  • The transition phase foresees that the GDPR continues to apply until 31 December 2020 and therefore data transfers can continue regularly as they do now until the end of next year.
  • The UK government will likely seek an adequacy agreement from the European Commission. It is not clear how long it will take and may exceed the December 2020 deadline. If the European Commission, however, determines that the UK offers an adequate level of data protection, a legally binding adequacy decision could become a reality even before the end of the transition period.
  • The ICO and the European Data Protection Board will need to confirm agreements on the lead authority mechanism for the GDPR and Binding Corporate Rules (BCRs). It is possible that a new lead authority will be needed, but that the ICO will remain the competent authority in the UK. This means that companies using BCRs should ensure that their lead data protection authority is based in an EU Member State.
  • In the case that a deal is not reached during transition phase, it would be necessary to use GDPR transfer mechanisms such as BCRs or Standard or ad hoc Data Protection Clauses, Codes of Conduct and Certification Mechanisms, Derogations (to the applicable extent), to lawfully transfer data to the UK. 

Comments are closed.