The United Kingdom leaves the European Union at 11pm (UK time) on 31 January 2020.

What is the legal impact of Brexit for data protection?

Under the withdrawal agreement between the European Union and the United Kingdom, an implementation period (at least until December 31, 2020) has been agreed.

Nothing changes for data subjects, data controllers and processors during this implementation period.

In particular, there is no requirement to organize the data flows to the United Kingdom by means of appropriate guarantees provided by the GDPR for transfers to third countries.

Until December 31, 2020 also, controllers and processors established only in the United Kingdom are not required to appoint a representative in the European Union when targeting data subjects within the territory of the European Union.

During the implementation period, the European Union and the United Kingdom will negotiate a new partnership to set the future relationship between the European Union and the United Kingdom, including on data flows.

In particular, the European Commission will have to determine whether the United Kingdom, as a third country, offers personal data an adequate level of protection via an adequacy decision as per Article 45 of the GDPR.

Both the European Union and the United Kingdom hope to complete the adequacy decision process within the implementation period, although it is worth noting that there is significant time pressure.

If the European Commission does not issue an adequacy decision by December 31, 2020, the transfer of personal data to the United Kingdom will have to be governed by the tools provided by the GDPR (e.g., binding corporate rules, standard data protection clauses).

Thus, data controllers and processors must stay tuned and be ready to implement those tools, if necessary. In the meantime, they may need to amend their Privacy Policies to reflect the fact that the United Kingdom is no longer in the European Union.