What does the BREXIT Great Repeal Bill mean for data protection?

On 2 October 2016, the UK’s Prime Minister – Theresa May – announced that she will trigger Article 50 of the Lisbon Treaty by March 2017 and set in motion the UK’s departure from the European Union (“EU”). She also announced that a Great Repeal Bill will form part of the next Queen’s Speech which will allow for a reversal of the European Communities Act 1972 – the piece of legislation which effectively allows EU legislation to become law in the UK. Once enacted, the Great Repeal Bill will mean that all existing EU laws will be enacted into UK law save where Parliament decides to amend or cancel any laws. It effectively enables the UK to pick and choose which EU laws the UK has to follow.  

So what does this mean for the General Data Protection Regulation (“GDPR”)?  

If Article 50 is invoked in March 2017, the 2 year grace period for UK to exit the EU will end in March 2019. This means that the GDPR will already have officially entered into force in May 2018 (GDPR is already in force but organisations will not be expected to have complied with it until 25 May 2018) and the UK will have to implement and abide by the GDPR before the UK’s expected exit from the EU in summer 2019.  

Given the vast nature and the years of planning that have gone into updating and finalising EU data protection legislation it seems unlikely that as part of the Great Repeal Bill the UK will choose to amend or cancel the GDPR. Particularly as UK companies will still have to abide by EU regulations if they intend to process the personal data of and/or target goods and services at EU citizens, regardless of whether the UK is part of the EU.

As discussed in our White Paper “Brexit – How will it affect the GDPR in the UK?” published in June 2016 (a copy of our White Paper can be accessed here), retaining the GDPR after the UK exits the EU would be in the UK’s interests, the interests of UK citizens and the interests of UK-based data controllers and data processors. This is not only for economic reasons but also because for businesses to apply different regimes for data protection across a global customer base will be really cumbersome.  

What happens next? 

It remains to be seen whether Theresa May’s government will choose to implement or cancel the GDPR. However, what is clear is that Elizabeth Denham – the newly appointed head of the UK Information Commissioner’s Office (“ICO”) – will be present in those conversations and strongly advocating for the retention of EU data protection legislation in the UK – as was made clear in her first speech last week: “…the fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow…there would [need to] be a legal basis for data to flow between Europe and the UK… when the conversation is about the future of data protection in the UK, the ICO is determined to be part of that conversation”.

Samantha Sayers | Solicitor
  +44 (0) 7841 803 730