Brexit and data protection

Author (Corporate)
Series Title
Series Details No.7838 (10.10.17)
Publication Date 10/10/2017
Content Type

This House of Commons Library briefing paper issued in December 2016 (and subsequently periodically updated) discussed the ongoing reform of EU data protection law, the interaction with UK law, and the potential consequences of Brexit in this area.

The basis of EU data protection law is the 1995 Data Protection Directive (95/46/EC), which was implemented into UK law by the Data Protection Act 1998. This general Data Protection Directive has been complemented by other legal instruments, such as the e-Privacy Directive for the communications sector. There are also specific rules for the protection of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).

Since 1995 technological progress and globalisation have profoundly changed the way data is collected, accessed and used. In addition, EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. In January 2012 the European Commission therefore proposed a new legislative framework for data protection. In its now finalised form, this has two elements:

+ The General Data Protection Regulation (GDPR; Reg 2016/679). This is now in force, but there is a two-year transition period for implementation, meaning that the UK is not obligated to apply it until 25 May 2018.

+ The Directive on data transfers for policing and judicial purposes (2016/680/EU). This is now in force and EU Member States are required to transpose it into their national law by May 2018.

The Regulation has attracted far more attention than the Directive. The Regulation includes new provisions covering

+ Increased territorial scope (extra-territorial applicability)
+ Penalties
+ Consent
+ 'Privacy by design'
+ Data protection officers

It enhances data subjects’ rights with new provisions covering

+ Breach notification
+ The right to access
+ The right 'to be forgotten'

On present estimates it is unlikely that the UK will have left the European Union by May 2018. The GDPR will therefore apply from that date until “Brexit” occurs and UK businesses are being advised to prepare accordingly. There is a dedicated EU GDPR portal and general guidance is available on the Information Commissioner’s website.

Concerns have been expressed as to what will happen after 'Brexit', particularly whether the UK’s domestic data protection regime will be considered 'adequate' by the EU and whether recent UK legislation is compatible with the GDPR. The Government has said that it is working 'to make sure that we achieve a coherent data protection regime and that data flows with the EU are not interrupted after we leave'.

Source Link Link to Main Source http://researchbriefings.files.parliament.uk/documents/CBP-7838/CBP-7838.pdf
Related Links
ESO: Background information: The way forward: UK digital policies and Brexit (European Council on Foreign Relations, 2016) http://www.europeansources.info/record/the-way-forward-uk-digital-policies-and-brexit-part-i/
ESO: In Focus: Brexit - The United Kingdom and the European Union http://www.europeansources.info/record/brexit-the-united-kingdom-and-the-european-union/
Website: GDPR Portal http://www.eugdpr.org/eugdpr.org.html
UK: Information Commissioner's Office: Data protection reform: Overview of the General Data Protection Regulation (GDPR) https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
UK: GOV.UK: Department for Digital, Culture, Media & Sport / Home Office: Guidance, May 2018: Data Protection Act 2018 Overview https://www.gov.uk/government/publications/data-protection-act-2018-overview

Countries / Regions