Updated April 21, 2021.
The United Kingdom has left the European Union.
After Brexit, “GDPR” means several things in the UK, as new domestic data laws are in effect.
In this blogpost, we give you an overview of what has changed and what will remain the same with the GDPR after Brexit in 2021.
On January 1, 2021, the United Kingdom formally and effectively left the European Union.
Although the UK is now a “third country” under the EU’s GDPR (i.e. a country outside the EU without an adequacy decision), a provision in the EU-UK Trade and Cooperation Agreement signed in December 2020 secures an interim (“bridging”) period of up to six months during which personal data may continue to flow between the two blocs without restriction.
This interim provision means that, even though the UK is no longer part of the EU and therefore no longer under the EU’s GDPR, personal data may be transferred between the UK and the EU as before, without the additional transfer safeguards that third countries normally require.
The EU Commission has released a draft adequacy decision that, if approved, would grant the UK the status of providing adequate data protection and thus ensure the free and uninterrupted flow of data between the two blocs.
The draft adequacy decision is unique in that it is time-limited to four years and only renewed if the UK proves in 2025 to still have adequate data protection.
Subsequently, the European Data Protection Board (EDPB) released an opinion on the draft adequacy decision, noting that there are “key areas of strong alignment between the EU and the UK data protection frameworks” and welcoming the EU Commission’s decision to offer the UK a time-limited adequacy decision that is only renewed after close monitoring of how the UK’s data protection laws develop in the coming years, now independent of any EU-wide regulatory framework such as the GDPR.
GDPR/Brexit: Upon independence from the EU, the UK has adopted the same data regulations as before its exit.
What happens to GDPR after Brexit in the UK?
We will look at the changes made to the legal landscape of UK data law, but first let’s recap the European General Data Protection Regulation (GDPR).
Cookiebot consent management platform (CMP) is a world-leading solution for achieving full data privacy compliance on your website.
With a powerful scanner that detects all cookies, trackers and trojan horses on your domain and maps exactly where in the world you send data to, Cookiebot CMP takes the hard and difficult part out of privacy protection and compliance.
The European regulation known as GDPR (General Data Protection Regulation) is a law that applies in all EU member states and governs the protection of personal data and the ways in which it may be collected and processed by websites, companies, organizations and others.
GDPR has extraterritorial scope (Article 3(2)): no matter where in the world your company and website are located, the GDPR applies if you offer goods or services to individuals in the EU or monitor their behaviour, and tracking website visitors with cookies and similar technologies counts as such monitoring.
GDPR sets up a data protection regime in the EU that requires companies and websites (known as “controllers” and “processors” in the law) to have a legal basis in order to process the personal data of individuals (“data subjects”) in the EU.
For cookies and similar trackers, the legal basis relied on is prior consent: in order to collect and process the personal data of an individual in the EU, a website must obtain that person’s consent before any collection or processing takes place.
The European Withdrawal Agreement signed by the UK and EU includes specific provisions on the processing of personal data and the flow of information between the UK and EU.
In particular, Articles 70-73 of the Agreement state that the UK “shall ensure a level of protection of personal data essentially equivalent to that under [European] Union law.”
Ensuring an EU-equivalent level of personal data protection is very important for the UK, as it is the only way to be deemed adequate by the EU and thus secure the free, uninhibited flow of data between the UK and the EU.
Article 45 of the GDPR rules that “a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country (…) ensures an adequate level of protection.”
In December 2020, a provision for an interim six month-period of free personal data flow between UK and EU was agreed to, which means that for websites, businesses and organisations in the UK, all remains the same as it was before Brexit when it comes to the processing of personal data from inside the EU.
GDPR after Brexit is fortified in UK law upon Exit Day.
This adequacy decision must be in place before the end of the interim period in June 2021; otherwise, transfers from the EU to the UK fall under the GDPR’s rules for third countries without an adequacy decision.
This would mean that personal data transfers from the EU to the UK are only allowed if the controller or processor has provided appropriate safeguards and enforceable data subject rights (GDPR Article 46), for example through standard contractual clauses.
As mentioned earlier in the article, an adequacy decision for the UK seems to be moving closer, with a draft from the EU Commission backed by an opinion from the European Data Protection Board (EDPB).
The GDPR/Brexit changes made to UK data privacy law are all contained in the government’s Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, also known as the DPPEC regulations.
They took effect at the end of the Brexit transition period (11 p.m. on December 31, 2020), in accordance with the now-passed EU Withdrawal Agreement.
The DPPEC regulations do two major things: they create the UK-GDPR, and they amend the Data Protection Act 2018 so that the two laws fit together.
In order to keep the promise in the Withdrawal Agreement’s Articles 70-73, the UK has decided to create a whole “new” domestic law known as the UK-GDPR (United Kingdom General Data Protection Regulation).
The new UK-GDPR is essentially the same as the European GDPR.
It is made from the same legal text as the EU GDPR, amended so that references to the EU and Union law are replaced with references to the UK and domestic law.
The UK-GDPR merges the two pre-existing regimes for personal data protection, namely the one established by the European GDPR and the one established by the Data Protection Act 2018 (specifically the parts of that law known as the “applied GDPR”).
The DPA2018’s “applied GDPR” section is the one that extended the GDPR’s standards to areas that were out of scope of EU law and the GDPR, namely that of law enforcement, intelligence services and immigration (among others).
Brexit means GDPR-like regulation will become domestic law in the UK after January 1, 2021.
But let’s be clear: there are more things that don’t change than do change after Brexit with GDPR.
The core provisions for which the GDPR has become known all over the world all remain the same under the new domestic UK-GDPR.
The changes made to the GDPR after Brexit in order to create the new domestic version are set out in the government’s Keeling Schedule, a document that shows the GDPR text with all the DPPEC amendments applied.
The new and amended Data Protection Act 2018 also took effect at the end of the transition period.
UK citizens are now protected by a comprehensive data protection regime made up of the UK-GDPR, which (just as the EU GDPR does) defines what personal data is and how it may be processed, and the Data Protection Act 2018, which supplements the domestic GDPR and extends beyond it.
In short, on January 1, 2021 the EU GDPR stopped applying domestically in the UK, the UK-GDPR and the amended Data Protection Act 2018 took its place, and the interim period for unrestricted UK-EU data flows began.
According to the UK government, “no, or no significant, impact on the private, voluntary or public sector is foreseen” as a consequence of the changes made to UK data protection law.
GDPR after Brexit means both old and new, as same things become different.
Now, with regards to the GDPR after Brexit in the EU – there are no changes.
If a website based in the UK has visitors from the EU, it still has to comply with the European GDPR after Brexit just as it did before.
That’s because the EU GDPR has extraterritorial scope and applies to any website, company or organization in the world that collects or processes the personal data of individuals in the EU.
The biggest change here is who supervises and enforces.
Since the EU GDPR no longer applies domestically in the UK after the transition period, the UK no longer takes part in the EU’s cooperation and consistency mechanisms, such as the one-stop shop and the European Data Protection Board (EDPB), which coordinates the EU’s national supervisory authorities.
Rather, it is the Information Commissioner’s Office (ICO), which was already the UK’s supervisory authority under the EU GDPR, that supervises and enforces the domestic UK-GDPR and Data Protection Act 2018 on UK soil.
It means that until June 2021, the interim provision allows unrestricted personal data flow between UK and EU.
Your website will need to comply with the GDPR (both UK and EU versions) just as before, but no additional measures need to be taken when processing personal data from the EU:
You still need the prior consent of your end-users before you are allowed to collect or process their personal data, e.g. with a cookie banner.
Cookiebot CMP scans your website and finds all cookies and similar tracking technologies, then blocks all of them except the strictly necessary ones (which need no consent) until the user has chosen which categories to activate.
This way, your website can be sure to meet the requirement of obtaining prior consent from individuals before collecting or processing their personal data.
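Consent-gated loading of the kind described above, as an added example that is not Cookiebot’s code: scripts that set non-essential cookies are authored with a neutral `type` so the browser does not execute them, tagged with a category, and only activated once the stored consent record grants that category. Strictly necessary scripts always run, anything with a missing or unknown category stays blocked (default deny), and a missing consent record grants nothing. The cookie name `site_consent`, its `key=1;key=0` record format, the `data-consent-category` attribute and the sample cookie header are assumptions made for this illustration.

```javascript
// Added example: consent-gated activation of tracking scripts.
// Not Cookiebot's code; the cookie name, record format and attribute
// name below are assumptions made for this illustration.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Parse a stored consent record such as
//   "v=1;necessary=1;preferences=0;statistics=1;marketing=0"
// Unknown or missing categories default to "no consent"; "necessary"
// is always granted because strictly necessary cookies need no consent.
function parseConsent(record) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  consent.necessary = true;
  if (typeof record !== "string" || record.length === 0) return consent;
  for (const part of record.split(";")) {
    const [key, value] = part.split("=");
    if (CATEGORIES.includes(key) && key !== "necessary") {
      consent[key] = value === "1";
    }
  }
  return consent;
}

// Extract the consent record from a document.cookie-style string.
// Returns null when no record exists, which parseConsent treats as
// "no consent given" for every non-essential category.
function readConsentCookie(cookieHeader, name = "site_consent") {
  for (const pair of (cookieHeader || "").split(/;\s*/)) {
    const idx = pair.indexOf("=");
    if (idx > 0 && pair.slice(0, idx) === name) {
      return decodeURIComponent(pair.slice(idx + 1));
    }
  }
  return null;
}

// Decide which script descriptors ({ src, category }) may run.
// A descriptor with no category or an unknown category is treated as
// non-essential and kept blocked.
function decideActivation(scripts, consent) {
  return scripts.map((s) => ({
    ...s,
    activate: s.category === "necessary" || consent[s.category] === true,
  }));
}

// Browser-side application. Scripts are authored inert as
//   <script type="text/plain" data-consent-category="statistics" src="..."></script>
// Changing the type attribute of an existing element does not execute it,
// so an activated script is re-created as a fresh element.
function applyConsentToDom(doc, consent) {
  const activated = [];
  const selector = 'script[type="text/plain"][data-consent-category]';
  for (const el of doc.querySelectorAll(selector)) {
    const category = el.getAttribute("data-consent-category");
    if (category !== "necessary" && consent[category] !== true) continue;
    const fresh = doc.createElement("script");
    for (const attr of el.attributes) {
      if (attr.name !== "type") fresh.setAttribute(attr.name, attr.value);
    }
    fresh.type = "text/javascript";
    if (el.textContent) fresh.textContent = el.textContent;
    el.replaceWith(fresh);
    activated.push(category);
  }
  return activated;
}

// Constructed sample input (not real data): the cookie string a browser
// would expose, with the consent record percent-encoded because it
// contains ";" and "=".
const SAMPLE_COOKIE_HEADER =
  "session=abc123; site_consent=v%3D1%3Bnecessary%3D1%3Bpreferences%3D0%3Bstatistics%3D1%3Bmarketing%3D0";

const SAMPLE_SCRIPTS = [
  { src: "/app.js", category: "necessary" },
  { src: "/analytics.js", category: "statistics" },
  { src: "/ads.js", category: "marketing" },
  { src: "/mystery.js" }, // no category declared: stays blocked
];

if (typeof document !== "undefined") {
  applyConsentToDom(document, parseConsent(readConsentCookie(document.cookie)));
}
```

The same decision logic serves both the page-load path (`applyConsentToDom`) and any server-side check you want to run before embedding a tracker; the essential property is that the absence of a consent record, or of a recognised category, yields “blocked”, never “allowed”.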
Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.
Keep calm and try Cookiebot CMP free for 30 days... or forever if you have a small website.
If your website processes personal data from users inside the EU, you are required to comply with the EU’s GDPR, even if your website is located and operated from inside the UK after Brexit. The UK-GDPR applies domestically in the UK and requires the same data protection and consent from your users as the EU’s.
The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s domestic data privacy law that replaces the EU’s GDPR in the UK after Brexit. The UK-GDPR is essentially the same law as the EU’s GDPR, changed only to accommodate domestic areas of law. The UK-GDPR regulates personal data and requires the same legal bases for the processing of personal data.
The Data Protection Act 2018 (DPA2018) is a domestic law governing the use of personal data and flow of information in the UK. Together with the UK-GDPR it forms the legal regime of data privacy in the United Kingdom. The DPA also governs data processing for law enforcement authorities and intelligence services.
Your website is required to obtain the prior consent from users before processing any of their personal data. To ensure compliance on your website, a consent management platform scans and detects all cookies and trackers in operation, then keeps them deactivated until your users have given their consent.