Brexit: will the EU General Data Protection Regulation (GDPR) apply to the UK on Brexit?

With the country voting to leave the EU last week, will the EU General Data Protection Regulation (“GDPR”) apply to the UK on Brexit? The answer will depend in part upon the model of Brexit adopted by the UK Government, which is still a work in progress. As a Regulation (directly implemented into UK law from the EU without requiring legislation from the UK Parliament), the GDPR may fall away, depending upon the repeal or level of amendment of the European Communities Act 1972 (“ECA”), which provides for the supremacy of EU law in the event of conflict with UK law.

Practically, however, it is more than likely the UK will adopt legislation to impose all or most GDPR obligations domestically in the UK despite Brexit. A failure to do so could leave UK businesses in a very difficult position. For example, by failing to adopt the higher EU personal data protection standards imposed by the GDPR, the UK will struggle to meet the ‘adequate safeguard’ standards that the EU requires for personal data transfers from the EU to the UK (assuming it is outside the EEA) to be lawful.

Further, UK businesses targeting or monitoring sales activity from the UK towards EU citizens will be directly subject to GDPR with its new extra-territorial reach, whether or not the UK retains GDPR-like legislation.

It is of note that the UK’s Information Commissioner is encouraging businesses and organisations to prepare for GDPR regardless of Brexit.