Enterprise Communications APIGet StartedReference
Get Started
Select ProductPortal

Brexit FAQs

Suggest Edits

Note that this note is provided for informational purposes only. For more information on the consequences for you, please see the Government’s Brexit advice pages or seek your own legal advice.

1. What is a ‘no deal’ Brexit?

A ‘no deal’ scenario is a scenario where the UK leaves the European Union and becomes a ‘third country’ at 11pm GMT on 29 March 2019 without a Withdrawal Agreement and framework for a future relationship in place between the UK and EU.

2. What will the effect be of a ‘no deal’ Brexit?

In the event that the UK fails to secure a deal with the EU27 regarding the UK’s withdrawal from the European Union, the UK will become a ‘third country’. This means all existing EU legislation, agreements and arrangements that the UK has in place with the EU shall cease to be applicable in the UK.

3. What does this mean for the GDPR and the Data Protection Act 2018?

The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the details of these. It is therefore important the GDPR and the DPA 2018 are read side by side.

As preparation for the UK leaving the EU the European (Withdrawal) Act 2018 has been ratified into law. Two of the main functions of this legislation are repealing the European Communities Act 1972 and transposing all existing EU law into UK national law. As such the GDPR will become UK national law alongside the Data Protection Act 2018 and will continue to be applicable within the UK.

4. If the GDPR will continue to be applicable why will there be a problem?

Although as outlined above the GDPR will be transposed into UK national law by the European Union (Withdrawal) Act 2018, the GDPR still provides that any transfers of data relating to an EU data subject outside of the EEA to ‘third countries’ is prohibited.

As of 29 March 2019, the UK will be a ‘third country’ and therefore transfers to the UK will be prohibited unless certain precautions are put in place prior to any transfer.

5. What is an Adequacy Decision?

You may have read about the UK receiving an ‘adequacy decision’ in relation to ongoing data protection obligations, negating the concerns of the UK being viewed as a ‘third country’.

The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into. The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

The European Commission has so far recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States as providing adequate protection.

The EU27 have made it clear that any adequacy decision for the state of the UK’s data protection regime can only take place once the UK has left the EU. The assessments and negotiations have usually taken many months. Although it is the ambition of the UK and the EU to eventually establish an adequacy agreement, it won’t happen immediately following the UK’s departure from the EU. As such, until an adequacy agreement is provided, businesses will have to make use of other legal mechanisms to transfer data outside of the EU.

6. Will transfers from the UK to the EU be affected?

The UK’s Information Commissioners Office has already made it clear that the flow of data to the EEA from the UK will not be affected in the event of a ‘no deal’ Brexit.

Updated almost 6 years ago