Brexit And Data Protection: The UK Government's New Data Protection Bill

Author:Mr Frédéric Louis, Dr. Martin Braun, John Ratliff and Itsiq Benizri

The UK government has taken an additional step in its attempts to find a way to ensure uninterrupted data flows between the UK and the EU after Brexit. On 13 September 2017, the UK government introduced a draft Data Protection Bill (the Bill, text available here) to the UK Parliament, accompanied by explanatory notes (text available here). The UK Information Commissioner's Office (ICO) welcomed the Bill and published its comments on 9 October 2017 (text available here). The UK Parliament started debating the Bill on 10 October 2017 (recordings of the debate are available here). The Bill is designed to enter into force on 25 May 2018, i.e., when the new EU General Data Protection Regulation (GDPR, text available here) becomes effective. The Bill is a very complex piece of legislation because of its structure, which includes 18 schedules and a substantial number of cross-references to the GDPR. The progress of the legislative process can be monitored here. Here is what we think you should know at this stage.

What Is the UK's Strategy?

The UK will remain an EU Member State where EU law applies until it effectively leaves the EU. Brexit is currently expected to happen on 30 March 2019. Although Brexit could happen before or after this date, the GDPR will apply in the UK before Brexit. Therefore, until the UK leaves the EU, the GDPR will operate in tandem with the Bill. After Brexit, the GDPR will be incorporated into the UK's domestic law under the EU (Withdrawal) Bill, currently before the UK Parliament (Art. 3 of the EU (Withdrawal) Bill, text available here).

As anticipated in our previous alert on Brexit and data protection (text available here), the UK's strategy is to ensure that its data protection law framework is aligned with the GDPR at the date of withdrawal (see the UK government's paper on the exchange and protection of personal data between the UK and the European Economic Area, dated 24 August 2017, text available here). Because the GDPR allows transfers of personal data only to non-EU Member States that ensure an "adequate level of protection" of such data, the UK, by aligning with the GDPR, is working toward ensuring uninterrupted data flows between the EU and the UK. This would still require that the European Commission grant the UK an "adequacy decision" to recognize the adequacy of the UK framework and to allow transfers from the EU to the UK.

What Are the Scope and Structure of the Bill?

The Bill consists of seven parts and has a much broader scope than the GDPR as it also applies to UK law enforcement authorities and intelligence services. We focus...

To continue reading