What the Brexit Withdrawal Agreement Bill means for data protection and the GDPR

Boris Johnson's Withdrawal Agreement Bill (WAB) largely leaves existing data protection regulation in place, but changes are still possible.

After years of turmoil, it seems the UK finally has a deal that sets out how it will leave the European Union (EU). Prime Minister Boris Johnson’s Withdrawal Agreement Bill shares many similarities with the withdrawal agreement put forward by his predecessor, Theresa May, especially when it comes to data protection requirements.

While this deal is merely the starting point, it lays out how UK organisations should approach issues such as data protection, data privacy and data flows between the UK and EU — for at least the next 11 months.

What happens once the UK leaves the EU?

Under the agreement, a transition period will run to December 31, 2020, during which time current EU rules will continue to apply the UK and negotiations around what happens next can begin (the option of extending the transition period has been removed from the latest version).

During that transition period, the requirements around the current General Data Protection Regulation (GDPR) legislation, the UK Data Protection Act (DPA) 2019, and the need to comply with them both remain unchanged. Data can flow freely between the UK and EU, and companies will be required to continue any and all efforts to comply with those regulations but should look to keep up to date with negotiations and plan accordingly.

Organisations regulated under the EU Network and Information Security directive should equally continue their compliance efforts.

What happens after the transition phase?

During this transition period, the UK government and the EU will ideally negotiate for a data protection arrangement that suits both parties, whether that’s an adequacy decision, a Privacy Shield-type agreement, or another agreement that allows data to move freely between the UK and EU. The UK and EU have said they are “committed to ensuring a high level of personal data protection to facilitate such flows between them” and hope to have made agreements by the end of the transition period.

An adequacy decision is likely the most desired and possible outcome, but it is not guaranteed and may take many months or even years to happen.

After that transition phase, if no arrangements, deals or trade agreements are made between the UK and EU, the UK will leave under a “no-deal” scenario and become a “third country”. As CSO has previously reported, in such a scenario, UK organisations and organisations with UK operations that receive personal data from the EU will need to ensure they have additional legal controls, such as standard contractual clauses or binding corporate rules in place to ensure compliance with the GDPR. Countries outside the EU will still be subject to GDPR and fines from the EU if they handle personal data of EU citizens.

For UK companies sending data to the U.S. under the Privacy Shield agreement (and U.S. organisations receiving data from the UK under Privacy Shield), that mechanism will still be valid, but the wording of the Privacy Shield privacy policy will need to be updated.

Companies should also be aware that the UK Government has said it plans to keep the GDPR regulation as is after it has left the Union, and so companies should continue to maintain compliance with both the GDPR and the UK DPA 2019 even if they aren’t processing EU citizen data after the transition phase.

Show Comments