
Brexit and the GDPR: ‘Deal’ or ‘No Deal’

October 17, 2019 | By Preiskel & Co

As currently being announced in the press, an amended draft text for a Brexit Withdrawal Agreement has been agreed between the UK and the European Union. Next is the vote by Parliament this weekend, where it is far from certain that the proposed bill will receive the majority support necessary to progress through the legislature.

What happens if there is a successful Withdrawal Agreement?

There is an increasing chance that the amended Withdrawal Agreement, as published on 17 October 2019 (with amendments to replace the backstop), may be approved by Parliament, and there could be enough time for the legislation to pass prior to 31 October 2019. If this is the case and the Withdrawal Agreement is brought into law, there is likely to be a transition period. During that time the GDPR will continue to apply in the UK. However, at the end of the transition period, the default position is the same as a no-deal Brexit, though there may be further adjustments depending on what agreements are made during the transition period.

What happens in the event of Brexit and no deal?

If there is a ‘no deal’ Brexit, under the European Union (Withdrawal) Act 2018, the General Data Protection Regulation (GDPR) will be retained as domestic UK law (UKGDPR).

Currently, the GDPR regulates transfers of personal data outside the European Economic Area (EEA), known as ‘restricted transfers’, and companies should already have arrangements in place covering such data transfers.

Post-Brexit there will be two further considerations. First, since the GDPR will become domestic UK law, how can a company remain compliant if a data transfer from the UK outwards now becomes a restricted transfer? Secondly, how can a company continue to receive personal data from outside the UK, even if it is from an EEA country?

  1. UK outwards transfer post Brexit

As the UKGDPR will apply, the requirements will be similar to those that currently apply to restricted transfers outside the EEA. The main options to remain compliant are relying on an adequacy decision or putting in place an appropriate safeguard (i.e. inserting the standard contractual clauses into the data transfer agreement).

The UK government has announced that it intends to recognise the EU adequacy decisions made by the European Commission prior to the exit date. The UK government has also stated that with Brexit, transfers of data from the UK to the EEA will be permitted and will be kept under review.

Companies should identify where it is necessary to put in place appropriate safeguards, or where they will be covered by the current EU, and prospective UK, adequacy decisions.

  2. Receiving transfers into the UK

The established EU GDPR will continue to apply to current EEA senders of personal data, and a UK entity may be considered in receipt of a restricted transfer of personal data if it acts as a data controller or a processor located in the UK.

The European Commission has not confirmed that an adequacy decision will be extended to the UK post-Brexit. This means that an EEA sender should put into place appropriate safeguards, which are the standard contractual clauses.

Transfers from countries with EU Commission adequacy decisions will have individual national legislative restrictions on transferring personal data outside the EEA. These national restrictions will need to be complied with after the UK leaves the EU.

Summary

Though there may yet be a deal agreed between the UK and the EU, the UK Government’s ‘no deal’ technical note regarding data protection will remain relevant for any possible transition period.

To prepare, it is recommended to have a thorough understanding of where personal data is transferred during the course of business. Companies should identify where it is necessary to put in place appropriate safeguards in the form of the standard contractual clauses. Should the personal data be received from a country currently covered by an EU Commission adequacy decision, this should be kept under review with the understanding that each country may require differing safeguards.

Please contact Jose Saras and Joanna Coombs-Huang if you have any questions relating to data transfers post Brexit.
