Brexit and privacy -- what to expect


Inevitably over the weeks and months ahead the long-term implications and impact of Brexit from a data privacy perspective will begin to take shape.

In the meantime, we will be looking carefully at how the UK government develops its plan so we have visibility of the road ahead. Whilst this heralds a new dawn for the UK we do not expect data protection law and challenges to change in the short-term: we expect that the Data Protection Act will remain in place for the next two years and, for as long as the UK has not formally left the EU, the UK will be deemed an adequate location for the hosting and processing of personal data, so there does not in our view need to be a rush to migrate data processing to continental Europe to ensure compliance with the Directive.

It’s important to note that in the immediate term, there remains a question mark over when the UK will actually leave the EU. To start the formal withdrawal process the UK government will need to serve notice on the European Council. That would set in motion a two year period for a withdrawal agreement to be agreed. Withdrawal itself would take place at the end of the two years (unless agreement were reached with the European Council before then or the UK and European Council agreed to extend the deadline).

It is unclear when notice would be served as this is in the UK government’s control and at time of writing no announcement has been made on timing. This may become clearer in the coming days and weeks as the dust settles around the immediate political consequences.

There remains a question as to what the UK will do as regards the GDPR – the major re-write of EU privacy law which comes into force in the EU in May 2018. It is possible that shortly after that time the UK will have formally left the EU so would not be obliged to adopt the GDPR. Equally there will be a desire to ensure that data can still flow freely between the UK and the EU, which under the data transfer rules preserved by the GDPR, will mean pressure to adopt the GDPR or something close to it in order to be deemed “adequate” and avoid the challenges transatlantic data flows have faced over recent months. That will be a political choice for the UK government at the time.

The UK Information Commissioner’s Office (ICO) made clear on 19th April that “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

Mark Barron co-heads the Silicon Valley office of Taylor Wessing and co-chairs the firm's US group. Mark also leads the firm's market leading inward investment practice, helping around 50 emerging US corporations establish a presence in Europe each year.