UK Issues Regulations on Post-Brexit Data Protection Law
Two sets of regulations aimed at readying UK data protection law for a post-Brexit world have been promulgated in recent weeks. These regulations, which were made pursuant to the EU (Withdrawal) Act 2018 (EUWA), will only come into force in most respects upon the UK’s withdrawal from the EU. Broadly speaking, these regulations are intended to preserve the status quo post-Brexit by (1) amending certain provisions of the GDPR to allow it to be retained as UK domestic law and (2) transitionally adopting certain key decisions of the EU institutions that, collectively, would allow for the continued lawfulness of personal data flows out of the United Kingdom where currently permitted under EU law. In both regards, these regulations are consistent with prior guidance from the UK Information Commissioner’s Office (discussed here).
The bulk of the first set of regulations—The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019—is dedicated to localising the GDPR into UK domestic law. Following the UK’s departure from the EU, certain language in the GDPR—for instance, that requiring consultation of, or affording decision-making authority to, the European Commission or European Data Protection Board—will no longer be appropriate in a purely domestic context. These regulations therefore re-assign powers afforded to EU institutions under the GDPR to UK equivalents and substitute EU-specific language in the GDPR with UK-appropriate terms (e.g., replacing “GDPR” with “UK GDPR”).