Post-Brexit data protection in the UK – leaving the EU but not EU data protection law behind

Research output: Chapter in Book/Report/Conference proceedingChapter (peer-reviewed)peer-review

37 Downloads (Pure)

Abstract

On 31 January 2020 the United Kingdom (UK) formally left the European Union (EU) after 47 years of membership, following the outcome of the historic ‘Brexit’ referendum on 23 June 2016 in which a majority of eligible voters in the UK voted to ‘Leave’ the EU. As the decision to leave the EU (the world’s largest trading bloc and the UK’s largest trading partner) was momentous one might have expected the UK government to have engaged in contingency planning and to have decided on the nature and degree of future trading relationship it would seek with the EU and other countries prior to the referendum but the UK government did not take these actions because it did not expect the ‘leave’ vote to win the referendum.
Consequently, it was unprepared for the outcome and a great deal of political turmoil ensued – including the resignation of two prime ministers, and the UK requesting postponement of its departure from the EU on three occasions in the next three years because of disagreements amongst UK government ministers over the scope and terms of the withdrawal agreement, – before the EU and UK eventually agreed the terms of a Trade and Cooperation Agreement on 24 December 2020, a mere seven days before the UK would have ‘crashed out’ of the EU on a ‘no deal’ basis.
The government’s failure to plan for Brexit included a failure to give any thought to data protection arrangements, that is, whether it would continue to comply with EU data protection law as it had since Directive 95/46/EC came into force, or whether it would seek to diverge either in the immediate or longer term. Accordingly, the objective of this chapter is to trace how the UK data protection framework evolved from the time of the Brexit referendum to the adoption by the Commission of an EU-UK adequacy decision, and to explain why the UK has, for the time being, decided not to diverge from EU data protection law.
The chapter begins by explaining why the UK decided to comply with the GDPR before becoming a third country for EU data protection purposes and then illustrates that the Brussels effect, that is, ‘multinational companies voluntarily extend[ing] the EU rule to govern their global operations’, influenced the UK’s decision to continue to comply with EU data protection standards after it became a third country. It also discusses why the UK initially sought to pursue an exceptionalism strategy – seeking a bespoke data agreement outside the scope of the GDPR adequacy framework before eventually conceding that it would need to seek an adequacy decision from the European Commission (the Commission) to facilitate EEA-UK personal data transfers. Thereafter, it demonstrates that although the UK has secured an adequacy decision it may prove unstable. Finally, it considers whether longer-term divergence is likely or not and concludes that whilst a degree of friction and divergence is likely, multi-national data controllers are unlikely to call for the UK government to completely diverge from the GDPR if it continues to meet their needs because divergence would result in further compliance burdens which would be an unwelcome business cost. Therefore, EU data protection advocates have rightly framed the UK’s continued compliance with the GDPR as early evidence of the EU’s ability, through its trade and regulatory power, to ‘export’ its laws and standards to third countries by offering unrestricted access to its large and valuable marketplace of personal data in return for confirmation of legal compliance, via an adequacy assessment. However, for the EU to be assured that the GDPR standards become and remain the global norm, it must ensure that it remains fit for purpose, which is why it is trite to say that the UK has left the EU but not EU data protection law behind, for now, at least.

Original languageEnglish
Title of host publicationResearch Handbook on Privacy and Data Protection Law
Subtitle of host publicationValues, Norms and Global Politics
EditorsGloria González Fuster, Rosamunde Van Brakel, Paul de Hert
PublisherEdward Elgar Publishing
Chapter2
Pages35-58
Number of pages14
ISBN (Electronic)9781786438515
ISBN (Print)9781786438508
Publication statusPublished - 2022

Keywords

  • GDPR
  • data protection
  • Brexit
  • Data Protection Act 2018

Cite this