The global data protection implications of ‘Brexit’
Date of this Version
On 23 June 2016, the UK voted by referendum to leave the European Union (EU). This vote may have significant implications for data protection law both in the UK and globally. There is now particular uncertainty regarding the fate of the EU’s General Data Protection Regulation (GDPR) in the UK, while, beyond the UK, Brexit will again put the spotlight on the EU’s criterion of ‘adequacy’ for data transfers to third countries. These implications will be briefly sketched here.
The decision to leave the EU is likely to have data protection consequences within the UK. The Data Protection Act (DPA) 1998, which transposed the European Data Protection Directive (Directive 95/46 EC), was due to be replaced by the GDPR on 25 May 2018. While the UK’s Minister for Data Protection has not ruled out the possibility that the GDPR will still take effect in the UK on that date, this is not certain. The UK has yet to trigger the exit mechanism to leave the EU (Article 50 of the Treaty on the Functioning of the EU). However, if it does, it will ordinarily have two years to renegotiate its legal relationship with the EU. There will therefore be a time period between the entry into force of the GDPR in May 2018 and the conclusion of the re-negotiation agreement when the UK will find itself in a legal limbo.
This document has been peer reviewed.