0370 270 6000

Data protection in a post Brexit world

27 April 2020

Now that the UK is outside the European Union – will that mean less red tape for SMEs when it comes to processing personal data? Here’s why you shouldn’t hold your breath.

What law applies?

You’re probably aware of two pieces of legislation that currently apply to processing of personal data:

  • The General Data Protection Regulation (GDPR), as a regulation, applies directly to all member states of the European Union (EU).
  • The UK Data Protection Act 2018, currently in force also incorporates the GDPR and deals with the derogations specific to the UK.

Since Brexit, the GDPR no longer directly and automatically applies to the UK, although the Data Protection Act 2018 and the Withdrawal Act means that its provisions will continue to have an effect, via UK legislation.

In its guidance the Information Commissioner's Office (ICO) have confirmed that a new UK version of the GDPR (removing references to Europe) will be incorporated into UK law. The UK will therefore have a similar law in place to the GDPR but tailored to the UK (the UK GDPR).

But no more EU legislation though?

Not quite. The EU version of the GDPR will continue to apply to those UK based controllers and processors in the UK who either:

  • offer goods and services to individuals in the EU; or
  • Monitor the behaviour of individuals in the EU.

So will UK businesses supplying goods and services to EU customers have to comply with TWO versions of the GDPR?

Yes, but they’re likely to be very similar – so that’s not the problem. What’s often more important however is how the law is interpreted by the regulator.

Guidance from the regulator

Pre-Brexit the ICO would take into account the guidance of an EU body, the European Data Protection Board, (EDPB) when drafting its own guidance and making decisions. The ICO had a seat on this board and the EDPB would ensure a consistent approach throughout the member states of the European Union, including the UK.

Next year however the ICO will no longer sit on the EDPB. There is a chance therefore that data protection guidance could result in different interpretations of the law in the UK compared to the EU.

Differing Case Law

Alongside guidance from the regulator, case law will often determine how legislation applies to individual businesses. Pre-Brexit cases would take into account as the last court of appeal, decisions from the Court of Justice of the European Union (CJEU) on how legislation should be interpreted – the intention being that the legislation should be applied in a similar fashion across member states.

If, as is currently proposed, the UK Government will not accept the jurisdiction of the CJEU after Brexit, then again there is a good chance that UK data protection law, even though based on the GDPR could be interpreted differently as a result of UK courts taking a different line to the EU.

So what does this mean for UK businesses?

Organisations in the UK that operate in both the UK and the EU will be subject to both the EU and the UK versions of the GDPR and must comply with both laws going forwards. That shouldn’t be too much of a stretch for so long as the laws remain similar, however in the event that guidance and case law leads to different interpretations of those laws, organisations could be in the difficult position of being required to comply with different and possibly conflicting laws when dealing with personal data from EU and UK customers.

Co-authored by Richard Nicholas and Lauren Webb – data protection lawyers at Browne Jacobson LLP

This article was first published by Data Protection Magazine.

Focus on...

Press releases

Browne Jacobson dealmakers advise on Dutch PE firm’s investment into Cooper Parry

Browne Jacobson have successfully advised the partners of leading accountancy firm Cooper Parry on the agreement for Dutch based firm, Waterland Private Equity to invest in the business.

View

Published articles

Zeroing in

Shell shareholders have outlined their intention to bring a claim against Shell directors for failing to properly prepare the company for net zero.

View

Legal updates

Equalities Act-dependent SEN appeal dismissed

On 11 May 2022, the Upper Tribunal returned its decision on an appeal which concerned the interface between special educational needs (SEN) provision under the Children and Families Act 2014 and obligations under the Equality Act 2010.

View

Guides

Developing a whole school approach to flexible working

Timewise recently conducted a Teaching Pioneers Programme in eight secondary schools across three multi-academy trusts which Browne Jacobson was able to support, along with others.

View

Richard Nicholas

Richard Nicholas

Partner and Responsible for In House Lawyers

View profile