McDermott Comment | Post-Brexit Implications for Data Protection and Cybersecurity


Ashley Winton, partner at law firm McDermott Will & Emery, said:

Brexit deal includes a surprise extension for personal data transfers
“On January 1, 2020 the UK will have its own version of the General Data Protection Regulation (GDPR), called the UK GDPR. The UK GDPR is pretty much identical to the GDPR and so companies that are currently in good compliance with the GDPR will generally be in good compliance with the UK GDPR.

The GDPR has extra-territorial effect and so where a UK company provides goods or services to individuals in the EU, or where it monitors individuals in the EU, that UK company must comply with both the UK GDPR and the GDPR and submit to the supervision of one or more EU data protection authorities in relation to the provision of those goods or services.

Clearly, if there is a breach or other cyber incident this UK company will now find itself needing to report to both the UK data protection authority (the ICO) and the relevant EU data protection authorities, and any fines and sanctions can be levied both under UK law and under the GDPR. We have already seen companies consider whether they should serve UK customers from European entities. Moving those customers to a UK entity or out of Europe altogether might reduce regulatory burdens.

One of the key features of European data protection law is that it permits the free flow of personal data around the European Union and EEA. The greatest change on 1 January will be with respect to the international transfer of personal data. Although on day one the UK GDPR will be essentially identical to the GDPR, personal data may not be freely transferred from the EU to the UK until the European Commission grants the UK an “adequacy decision”. It had been hoped that this decision would be granted by the end of the transition period. This has not happened; however, it is reported that the UK and the EU have agreed to an extension of the current arrangement for 4-6 months so that the European Commission has time to grant an adequacy decision.

This will be a welcome relief to all businesses that transfer personal data between the EU and the UK and that are currently rushing to put in place standard contractual clauses or other mechanisms to legitimise the transfer of personal data from the EU to the UK before the end of the year.

However, the interim deal does come with an assumption that an adequacy finding will be made. This is not a safe assumption to make; we know that adequacy determinations are complicated and that UK law, particularly with respect to telecommunications surveillance, does differ from EU law. The question of adequacy will now be at the top of the list of data protection areas to keep track of early next year, lest we are back to implementing additional standard contractual clauses.”