Brexit And GDPR: What To Expect In 2018

In a referendum held Thursday, June 23, 2016, the citizens of the United Kingdom (the "UK") voted to leave the European Union ("EU") in the so-called "Brexit". Although the European Union Referendum Act, which authorized holding the referendum, is silent as to further steps, last year the European Union (Notification of Withdrawal) Act 2017 authorized the Prime Minister to notify the EU of the UK's intent to withdraw. The Prime Minister made this notification on March 29, 2017 under Article 50 of the Treaty on European Union, which provides two years for the parties to negotiate a withdrawal agreement, unless the UK and the European Council unanimously decide to extend this period.1 Further Acts and proposals in the UK have also sought to give effect to the results of the referendum and prepare for the separation of the UK and EU.

One area of concern in the context of Brexit is the UK's legal framework for privacy and data protection. The UK government has recognized that it will still be part of the EU when the General Data Protection Regulation (the "GDPR") comes into effect on May 25, 2018.2 The UK has stated that it will comply with the GDPR, and that its compliance will not be affected by Brexit.3 To this end, on August 7, 2017, the UK Department of Digital, Culture, Media and Sport (the "DCMS") published a Statement of Intent, in which it outlined the policy and objectives behind a proposed Data Protection Bill (the "Bill"), which was introduced in Parliament on September 13, 2017 and is currently making its way through both houses.4

In the discussion below, we provide the key takeaways from the Bill, the differences between the Bill and the GDPR, the differences between the GDPR and the EU Directive (defined below), and then consider in greater detail the proposals contained in the Bill and how those proposals may affect companies in the UK, EU, United States and elsewhere post-Brexit.

Key Takeaways from the Bill

The suite of proposals contained in the Bill will:

Broaden the definition of "personal data" contained in the UK Data Protection Act 1998 Require unambiguous consent for processing personal data, and explicit consent with respect to processing an individual's sensitive data Require parents and guardians to consent on behalf of children under the age of 13 Require simpler methods for individuals to withdraw consent for the use of personal data Provide simpler methods for individuals to access their personal data held by organisations Allow individuals to request, and in some cases require, companies to delete their personal data Facilitate customers' wishes to migrate personal data when changing service providers Increase available monetary sanctions up to £17 million ($22.1 million) or 4% of a company's global turnover (whichever is higher) The Current Legal Framework

Since the early 1990's, data privacy has been a significant concern of EU institutions. Personal privacy and data protection are enshrined in human rights treaties to which the EU adheres,5 and the EU first adopted the European Data Privacy Directive in 1995 (the "1995 Directive"),6 which was transposed into local law by Member States, including by the Data Protection Act 1998 ("1998 Act") in the UK.7

Migration to and Retention of the GDPR

In April 2016, the EU adopted the GDPR, which will supersede the 1995 Directive and have direct effect in the 28 Member States on May 25, 2018, without the need for national transposition. Since the UK will still be a member of the EU on the date the GDPR enters into effect, the GDPR will become part of UK law. Under the proposed European Union (Withdrawal) Bill (also referred to as the "Great Repeal Bill"), the GDPR would remain UK law after Brexit, but it could be amended in the UK thereafter.8 Additionally, regarding the processing of personal data for criminal law enforcement purposes, the EU developed the Data Protection Law Enforcement Directive ("DPLED"), which is also scheduled to come into effect in Member States in May 2018.9 However, given that this latter instrument is an EU Directive, Member States will have leeway in how they transpose the DPLED into national law.

Proposed Measures of the Bill

Rather than completely overhauling the 1998 Act, the Bill, as proposed by the DCMS, subjects most processing of personal data to the GDPR and seeks to enhance and bolster the laws already in place to reflect the changing nature and scope of the digital economy.10 Some of the differences between the Bill and the GDPR are due to the derogations that exist under the GDPR. Part 2 of the Bill supplements the GDPR and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. Some salient aspects of the Bill are discussed below as well as some key differences between the GDPR and its predecessor, the 1995 Directive.


Arguably the most notable development comparing the GDPR to the 1995 Directive is the extended jurisdiction of the GDPR. Unlike the 1995 Directive, which required the company to be established in the EU or use equipment situated in the EU to process data, the GDPR will apply to the processing of personal data of data subjects in the EU by a controller or processor not based in the EU, where the activities relate to (i) offering goods or services to EU citizens and (ii) the monitoring of behaviour that takes place within the EU. Under the GDPR, non-EU businesses processing the data of EU citizens must also appoint an EU-based representative.

Also, unlike the 1995 Directive, which required implementation through national legislation, such as the UK's Data Protection Act, GDPR is a binding piece of legislation that will be legally enforceable as soon as it comes into effect on May 25 and will apply to all EU nations and every company holding data on EU citizens.

Since the UK is leaving the EU, the UK Bill proposes to apply the new standards to all general data, not just areas which previously came under EU competence.11

Definition of Personal Data

Similar to the approach taken by the GDPR,12 the Bill expands the definition of "personal data" to reflect the growth and development of technology since the passage of the 1998 Act.13 Personal data is defined to encompass, for example, IP addresses, internet cookies and DNA.

Privacy by Design

One of the key changes under the GDPR is the concept of "Privacy by Design" or "Privacy by Default." The current data protection rules in the EU do not have this concept and no EU law ensures that these measures have to be taken into account. Companies are in essence required to implement appropriate technical and organisational measures regarding the protection of data from the onset of the design of a system and must hold and process only the data absolutely necessary for the completion of the duties involved (i.e., data minimization), as well as limiting access to the data only to those involved in the processing.


Compared to the 1995 Directive, the conditions for consent have been tightened under GDPR. Specifically, the request for consent must be given in an intelligible and easily accessible form attaching the purpose for data processing to that consent. Consent must also be clear and distinguishable from other matters and provided in an intelligible and easily accessible form. It must also be easy for an individual to withdraw their consent.

Aligning with the GDPR,14 an individual's consent to the use of his or her personal data under the UK bill must not be ambiguous, and not based on the use of default opt-out or pre-checked tick boxes.15 Consent must also be explicit in order to process sensitive personal data. In respect of children under the age of 13, parents or guardians will be required to give their consent to information society services16 (defined as "any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data and at the individual request of a recipient of a service").17 Under the GDPR, this age is 16 years.18

Additionally, the Bill, contrary to the GDPR, excludes "preventive or counselling services" from the definition of "information society services."19

The Bill, similar to the GDPR,20 also anticipates an easier withdrawal of consent for all individuals.21


In harmony with the GDPR,22 pursuant to the Bill, it will become easier for data subjects to require an organisation to disclose personal data it holds.23 This will be required at no cost, provided the request is not manifestly unfounded or excessive.24 Organisations will also be required to clearly state how individuals may access their information.25

Data Portability

Similar to the measures contemplated by the GDPR,26 the Bill sets out new rules enabling customers to move their data from one service provider to another, which gives more choice to customers and encourages competition and innovation in many industries.27 Moreover, if an individual switches internet service providers, the Bill will facilitate the transfer of personal data contained in file storage services, such as personal photographs, to the new internet service provider.28

Data Subject Rights

The GDPR has also introduced a number of data subject rights, which include:

The right to be notified by the processor or...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT