The Impact of Brexit on Data Protection Laws in the EU and UK

With the United Kingdom's departure from the European Union (EU) approaching, significant changes are on the horizon for data protection laws. This article explores how GDPR-based regulations will change post-Brexit and what businesses should anticipate.

Current Data Protection Laws

Until June 2025, the UK will still operate under the General Data Protection Regulation (GDPR), which is the EU's data protection law. However, after that date, the UK will have its own, loosely based version of GDPR. The Data Protection Act 1998, which is outdated, will no longer suffice. The GDPR, which came into effect on May 25, 2018, sets more comprehensive standards for data protection.

The Role of the GDPR

The GDPR governs the management, storage, and use of data across the EU and associated EEA countries. It provides citizens with rights such as the right to access their data, right to privacy, and the right to be forgotten. These rights are essential for maintaining personal privacy, as over 75% of UK data is exported to the rest of the EU. Data is crucial for the movement of services, contracts, and records.

Adequacy Agreements and the GDPR

Data transferred outside the EU must meet certain adequacy agreements. These agreements ensure that the data protection standards of third countries are equivalent to those of the EU. Currently, there are 157 days before Brexit, and there is no guarantee that an adequacy agreement will be reached by the UK. This is a significant concern, as it jeopardizes 75% of UK services exports that depend on the free flow of data.

The Impact of No-Deal Brexit

A no-deal Brexit would mean that the UK would no longer have an adequacy agreement, and businesses would face significant legal and operational challenges. The UK would need to rely on either transferring data under GDPR provisions or implementing data protection laws similar to GDPR. This would be a substantial shift, as it would need to align with EU regulations to maintain data flows.

The Future of Data Protection in the UK

Currently, the ICO (Information Commissioner's Office) predicts that if the UK is not part of the EU, the GDPR will not directly apply. However, the UK would need to prove adequacy with the EU's GDPR framework to trade with the Single Market on equal terms. This would require careful scrutiny and alignment of UK data protection standards.

Key Challenges and Alternatives

The free movement of data is crucial for modern international tech companies, as it facilitates the rapid sharing of personal information. The lack of an adequacy agreement with the US, highlighted by the Schrems decision, makes it difficult to find an alternative. Bilateral 'Model Contract Clauses' might be impractical and prone to legal challenges.

Businesses should prepare for either sitting tight with old provisions or adopting the GDPR. Given the size of the overhaul and the need for substantial work to implement GDPR, it is recommended to start preparations now. Either way, post-Brexit, the UK's data protection regime will closely resemble that of the EU.

In conclusion, Brexit will have minimal direct impact on the UK’s data laws. However, the UK will need to adopt legislation that aligns with GDPR to maintain data flows and ensure compliance. Considering the complexity of the situation, adopting the GDPR would be the most sensible option, ensuring parity with the EU and maintaining technological parity globally.