The Draft Brexit Withdrawal Agreement was published on the 14th November. This much-discussed 500+ page legal text describes how an orderly departure by the UK from the European Union might occur.
A question we are often asked is "How will Brexit change GDPR?".
The short answer is that if (and it's a big if) the Draft Withdrawal Agreement is enacted then, in practice, very little will change in regard to data protection practice through the period of withdrawal. The UK agrees to continue the protection for data subjects in the European Union as before, and data subjects within the UK will remain subject to the protections given by the Data Protection Act 2018.
The draft seems to indicate a clear intention for an adequacy agreement for cross-border transfers to be adopted between the UK and the EU. The draft offers a solution for the interim before such an agreement might be formed. Should this draft not be approved, then the obligation to process the data of data subjects in the Union may fall away after Brexit, but so will the reciprocal terms of adequacy. This will leave business and data subjects in limbo in regard to their obligations and rights, a situation no-one should want.
Excerpt from the Draft Withdrawal Agreement:
TITLE VII - DATA AND INFORMATION PROCESSED OR OBTAINED BEFORE THE END OF THE TRANSITION PERIOD, OR ON THE BASIS OF THIS AGREEMENT
ARTICLE 70 - Definition
For the purposes of this Title, "Union law on the protection of personal data" means:
(a) Regulation (EU) 2016/679, with the exception of Chapter VII thereof;
(b) Directive (EU) 2016/680 of the European Parliament and of the Council(1);
(c) Directive 2002/58/EC of the European Parliament and of the Council(2);
(d) any other provisions of Union law governing the protection of personal data.
ARTICLE 71 - Protection of personal data
1. Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data:
(a) were processed under Union law in the United Kingdom before the end of the transition period; or
(b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.
2. Paragraph 1 shall not apply to the extent the processing of the personal data referred to therein is subject to an adequate level of protection as established in applicable decisions under Article 45(3) of Regulation (EU) 2016/679 or Article 36(3) of Directive (EU) 2016/680.
3. To the extent that a decision referred to in paragraph 2 has ceased to be applicable, the United Kingdom shall ensure a level of protection of personal data essentially equivalent to that under Union law on the protection of personal data in respect of the processing of personal data of data subjects referred to in paragraph 1.
(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(2) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).