Search results for ''...

Sorry, there were no results

Get in touch

Get in touch

  • Overview

    Now that the UK has voted to leave the EU, what is the future for the UK’s data protection regime?

    Data protection framework

    All businesses handle personal data, whether relating to their employees, customers or suppliers.  Data protection rules cover what organisations can do with such data and how it must be kept secure.

    The current UK data protection regime is in the Data Protection Act 1998, which implements the EU Data Protection Directive 1995.  These will continue to apply while the UK is in the EU. 

    Whether the UK‘s data protection regime would be impacted by Brexit depends on the terms and timing of the UK and EU’s divorce. Companies with cross border data flows should already be preparing for the EU’s forthcoming General Data Protection Regulation, which will have effect from 2018 and apply to the UK if it is still in the EU at this time.

    See our article for further information on the upcoming regulations.

    After leaving the EU, if the UK opts to remain in the European Economic Area (the EEA), the Norway approach, then the Directive will continue to apply to the UK as a member of the EEA.

    If the UK leaves the EEA it could, theoretically, choose to change its data protection laws and diverge from the rest of the EU, it this was deemed desirable by the then government. 

    Implications for data sharing if UK leaves EEA

    Both the current and forthcoming EU data protection regimes permit the transfer of personal data within the EEA but very tightly regulate transfers outside of the EEA.  If the UK were to end up outside of the EEA, there would be significant challenges to businesses’ ability to share data across Europe.

    EU rules prevent the transfer of data to countries outside the EEA unless it can be shown that such countries have adequate data protection laws. The EU Commission is tasked with identifying whether a country has adequate data protection safeguards. So post Brexit, only if UK is deemed to have adequate safeguards it will be able to continue sharing data with EEA countries with the same ease at it does now.

    If the EU decides that the UK does not have adequate safeguards (which might occur if the UK were to water down its data protection measures) this could cause many problems. For example if a German based multinational company needed to supply details relating to EU clients to a UK data centre, it would not be able to do so unless certain EU criteria were met. Such hurdles could force companies to move their EU data centres to more attractive locations within the EU.

    In 2015 the US lost its adequacy status, requiring individual US companies to undergo lengthier compliance processes.  Therefore the availability of adequacy status for the UK is not guaranteed.

    If the UK were to ease its data protection laws, it could make it easier to exchange data with non-EU countries and so a more attractive as a destination for business.  But increasingly non-EU countries, such as Singapore, are adopting data protection laws that follow the EU model (in order to gain access to EU data). As a condition of being granted access, such countries have had to introduce export controls to prevent EU data reaching jurisdictions considered unsafe, which could include the UK in this scenario.

    The risks of the UK watering down its data protection regime post Brexit are wide ranging, whereas maintaining the current levels of protection based on EU standards would be the best way to ensure that businesses can still easily transfer data outside the UK.  But how does this sit with the fact that the UK just voted leave to ‘free’ itself from having to comply with EU laws?   

    If you have any further questions regarding the impact of Brexit on the data law, please do not hesitate to contact Senior Associate, Ben Stepney or Trainee Solicitor Naadim-Khan Samji of at Thomson Snell & Passmore LLP on 01892 701359 or at or  

  • Related Services

    Data protection

    Data protection and privacy law is a complex and fast-changing area with international differences adding an extra layer of complexity. We help businesses of all sizes and across many sectors use and exploit data while remaining compliant with data protection legislation.

Get in touch

Jargon Buster