© Crown copyright 2019
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: email@example.com.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/data-protection-law-eu-exit/amendments-to-uk-data-protection-law-in-the-event-the-uk-leaves-the-eu-without-a-deal-on-29-march-2019
This notice provides more detail about how our data protection law will work in the event the UK leaves the EU without a deal.
The EU (Withdrawal) Act 2018 (EUWA) retains the GDPR in UK law. The fundamental principles, obligations and rights that organisations and data subjects have become familiar with will stay the same.
To ensure the UK data protection framework continues to operate effectively when the UK is no longer an EU Member State the Government will make appropriate changes to the GDPR and the Data Protection Act 2018 using regulation-making powers under the EUWA.
The regulations and more detailed guidance will be published in the next few weeks. These regulations would:
- Preserve EU GDPR standards in domestic law
- Transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue
- Preserve the effect of existing EU adequacy decisions on a transitional basis
- Recognise EU Standard Contractual Clauses (SCCs) in UK law and give the ICO the power to issue new clauses
- Recognise Binding Corporate Rules (BCRs) authorised before Exit day
- Maintain the extraterritorial scope of the UK data protection framework
- Oblige non-UK controllers who are subject to the UK data protection framework to appoint representatives in the UK if they are processing UK data on a large scale
On 13 September the Government published its technical notice on data protection (Data protection if there’s no Brexit deal), which set out plans for maintaining UK data protection legislation in the event the UK leaves the EU without an agreement (a ‘No Deal’ scenario).
The free flow of personal data between the UK and the EU is critical in underpinning an ambitious economic relationship and ongoing security cooperation, and both sides are committed to high data protection standards. The political declaration reflects this, and the EU will assess the UK’s regime with a view to adopting Adequacy Decisions by the end of the implementation period to ensure continuity of data flows. Likewise, the UK will take steps to facilitate the flow of personal data to the EU. Moreover, the UK and the EU have agreed to make arrangements for cooperation between the UK’s Information Commissioner’s Office (ICO) and the EU Data Protection Authorities.
As a member of the EU, the UK has worked closely with other Member States and the EU institutions to develop robust protections for personal data, ensuring businesses and law enforcement agencies can share data safely and smoothly. In May 2018 the EU’s General Data Protection Regulation (GDPR) came into force and the UK Data Protection Act 2018 was passed.
The EUWA retains the GDPR in UK law and gives the Government the power to make appropriate amendments to ensure that it works effectively in a UK context. The Government intends to use these powers to make the necessary amendments to the GDPR and other data protection legislation prior to Exit day. The vast majority of the changes will involve removing references to EU institutions and procedures that will not be directly relevant when the UK is outside the EU. They will be replaced with terms that make sense in a UK context. For example, in general, references to “Union or Member State law” will instead be read as “domestic law”, references to some decisions made by the EU Commission will be replaced with references to decisions made by the UK Government, and so on.
2. Key components of the ‘No Deal’ framework
2.1 Data controllers and data subjects
In a ‘No Deal’ scenario, responsibilities of data controllers across the UK will not change. Data subjects will continue to benefit from the same high levels of data protection as they do now. The same GDPR standards will continue to apply in the UK and the Information Commissioner will remain the UK’s independent regulator for data protection.
2.2 Transfers to EEA countries (including EU Member States) and Gibraltar
The UK will transitionally recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data. This means that personal data can continue to flow freely from the UK to these destinations following the UK’s exit from the EU. The UK would keep all of these decisions under review.
The UK cannot unilaterally provide for the free flow of personal data into the UK; jurisdictions outside the UK set their own rules on the international transfer of personal data. For organisations that rely on data transfers from the EU, alternative transfer mechanisms are available. UK organisations will need to work with their EU counterparts to make sure an alternative mechanism for transfer (such as standard contractual clauses) is in place. More details on standard contractual clauses and other alternative mechanisms can be viewed on the ICO website.
2.3 Existing EU adequacy decisions
Where the EU has made an adequacy decision in respect of a country or territory outside of the EU prior to Exit day, the UK government will preserve the effect of these decisions on a transitional basis. This will mean that transfers from UK organisations to those adequate countries can continue uninterrupted. As set out on the European Commission’s website, the Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework).
A number of these adequate third countries have also informed us that they will maintain unrestricted personal data flows to the UK.
The following guidance, or published legislation, confirms the continued free flow of personal data with the UK after EU-Exit:
- Argentina [Spanish]
- Faroe Islands Ministerial Order (English statement at the bottom)
- Guernsey legislation change
- Isle of Man legislation change
- Israel current privacy law
- Japan [Japanese]
- Jersey legislation change
- New Zealand
- Switzerland EU Exit technical notice
- US Privacy Shield guidance
- Uruguay [Spanish]
Where an adequate country has not yet publicly indicated that personal data flows to the UK will remain unrestricted, organisations should work with their counterparts in those countries to understand whether alternative legal arrangements may be required. They should also seek guidance from the relevant Data Protection Authority. Additionally, the UK will remain in discussion with adequate countries that have not confirmed the free flow of personal data to the UK - and will update this guidance accordingly. The ICO website also provides further details.
2.4 Recognising EU Standard Contractual Clauses
Provision will be made so that the use of Standard Contractual Clauses (SCCs) that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK in a ‘No Deal’ scenario. In practice this means that organisations that transfer personal data to organisations overseas on the basis of SCCs can continue to rely on them. Under the proposed regulations, the Information Commissioner will have the power to issue new SCCs after Exit day.
2.5 Recognising Binding Corporate Rules
Existing authorisations of Binding Corporate Rules (BCRs) made by the Information Commissioner will continue to be recognised in domestic law. After Exit day the Information Commissioner will continue to be able to authorise new BCRs under domestic law.
2.6 Maintaining extraterritorial scope
The EU GDPR applies to controllers or processors who are based outside of the EEA where they are processing personal data about individuals in the EEA in connection with offering them goods and services, or monitoring their behaviour.
The Government intends to retain the extraterritoriality of the UK’s data protection framework. This will mean that the UK framework will apply to controllers or processors who are based outside of the UK where they are processing personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour. This includes controllers and processors based in the EU.
2.7 UK representation for controllers
Where article 3(2) of the EU GDPR applies, article 27 of the EU GDPR requires a controller or processor not established in the EEA to designate a representative within the EEA. The requirement does not apply to public authorities or if the controller/processor’s processing is only occasional, low risk, and does not involve special category or criminal offence data on a large scale.
The Government intends to replicate this provision to require controllers and processors based outside of the UK, where the UK framework applies to them, to appoint a representative in the UK, subject to the same exemptions.