Data protection and Brexit

24th January 2019

After the historic defeat on 15 January of the draft withdrawal agreement (defeated deal), we consider below what the implications of a no-deal Brexit would be for data protection, and the extent to which the defeated deal would have dealt with any of those issues.

We also provide a checklist of actions that businesses can take to help prepare for the outcome in default – a “no deal” Brexit.

Background legal framework

Given the complexity of the issues raised by Brexit, we consider it helpful to set out some bare minimum details on the background law as it relates to data protection.

The European Union (Withdrawal) Act 2018 (EUWA) repeals the European Communities Act 1972 and empowers the government to legislate in order to deal with inadequacies in UK law arising from Brexit. It is also the instrument which will transpose the GDPR into the UK legal framework, so that the data privacy principles, obligations and rights that UK organisations and individuals have become familiar with will remain applicable post-Brexit. The EUWA is effective from exit day, which is defined as 29 March 2019 at 11 pm ( N.B if the defeated deal had been agreed, this definition would have been amended via the European (Withdrawal Agreement) Bill to give effect to the defeated deal’s transition period, i.e. until 31 December 2020).

The draft Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (DPPECR) were laid before Parliament by the government on 19 December 2018 in exercise of its powers under the EUWA, to ensure that the UK data protection legal framework continues to operate smoothly after exit day. The majority of the DPPECR will come into force on exit day. However, certain provisions (Regulations 7 and 8 and Schedule 4) which align the definition of consent under Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) with the GDPR, and make consequential amendments under the Data Protection Act 2018 (DPA 2018) will definitely come into force on 29 March 2019.

The DPPECR create a single UK GDPR by merging and amending two pre-existing data processing regimes: (1) the GDPR as supplemented by Chapter 2 of Part 2 of the DPA 2018; and (2) the “applied GDPR” (Chapter 3 of Part 2 of the DPA 2018), which extended GDPR standards to processing activities outside of the GDPR’s scope.

Click here to view the checklist of actions and how you can prepare if there is a "no deal" Brexit.


For more information about the data protection implications of Brexit please contact Paula Barrett, Gayle McFarlane or Liz Fitzsimons.

Uncertainty remains as to how data protection law will apply after the UK leaves the EU, depending on whether or not a deal is agreed.

Keep up to date on stories,
briefings and event information

  Social spotlight

Follow us

Our partners