The EU Data Protection Framework

The EU Data Protection Framework


On 23rd June 2016, the UK voted for exit from the European Union (EU). Consequently, the General Justice and Consumers Directorate (GJCD) of the European Commission published a notice on 9 January 2018 detailing the implications of Britain’s exit (Brexit) from the EU1.  The announcement confirmed that after March 30, 2019, the date the UK is to leave the EU officially, the UK would become a third country2 and the EU rules regarding the transfer of personal data to third countries would henceforth apply. However, before the planned departure date, the EU data protection laws will continue to apply in addition to existing domestic laws. The laws protect personal data and set regulations for the collection and use of such data by organizations. The requirements include the UK Data Protection Act 2018 (DPA)3, the Police and Criminal Justice Directive4, the Network and Information Security Directive (NISD)5, and the Privacy and Electronic Communications Regulations 2003 (PECR)6.

The DPA is the major source of legislation in Britain. The DPA implements the Data Protection Directive (Directive 95/46/EC) and establishes regulations for the definitions of personal data, data processing, sensitive personal data, consent and rights of data subjects, notification and registration requirements, collection and marketing of data, and sanctions for non-compliance. The transfer of personal data outside the boundaries of the EU and the data processing by data controllers outside the European Economic Area (EEA)7 but using equipment based in the UK are also governed by the Data Protection Directive (DP Directive). On 4 May 2016, the EU approved changes to the DP Directive and passed a new law referred to as the General Data Protection Regulation (GDPR)8. The new law seeks to strengthen the rights of data subjects as well streamline the rules with a view to harmonize data protection standards across the EU and make it easier to do business across EU markets. The GDPR directly applies to member states without the need for member states to pass additional implementation regulation. Once the UK leaves the EU, the UK will become a third country and the GDPR will no longer apply.

The exit of Britain from the EU will have many implications on data protection laws, particularly for multinational organizations and companies that rely on the transfers of personal data between the EU and the UK. The UK’s Prime Minister, Theresa May, negotiated a withdrawal deal from the EU but the UK parliament rejected the agreement. Therefore, no withdrawal agreement has been reached to date. Although negotiations are still ongoing, it remains uncertain when and how the UK will exit the EU. Upon Brexit, the GDPR will no longer have direct applicability to the UK, but the GJCD has confirmed that the GDPR will continue to have an impact on UK organizations that receive data from the EU member states. Article 3 of the GDPR9 states that organizations in third countries that process personal data of subjects within the boundaries of the EU are required to comply with its provisions. Therefore, despite the intended purpose of Brexit, businesses in the UK will not be completely free from the EU data protection laws. Thus, it is essential that companies that operate on a cross-border basis evaluate the risks Brexit poses to the current international data transfer rules and implement safeguards that will ensure the uninterrupted flow of data between the UK and EU after Brexit. This paper seeks to evaluate the implications of Brexit on data protection laws and its impact on organizations in the UK and EU. It also evaluates the GDPR obligations that will apply after the UK’s departure from the EU and what the British government could do to relieve some of those obligations.

The EU Data Protection Framework

Data in the EU, including the UK, is ubiquitous. Unlike in the United States (US) where industry-specific rules apply to different sectors, the EU data protection law applies consistent rules across all types of personal data. The law is primarily based on the 1995 Data Protection Directive (the Directive). The Directive was implemented into UK national legislation by the Data Protection Act 1998. The Directive establishes the legal framework for data protection in the UK. It establishes vital protections for the processing of personal data10 with the aim of protecting the interests of data subjects within the boundaries of the EU.  The protections include the requirements that; (a) Legal basis be established before the processing of personal data. Whether data is being processed for the performance of a contract with a subject or for the processor’s legitimate interests, the data subjects must consent to the processing of such personal data. (b) Personal data must be collected for legal purposes and processed fairly. (c) The data must be accurate, and subjects have the right to access the data for correction purposes, and (d) Personal data of EU subjects can only leave the EU boundaries if the EU is satisfied that the receiving country has adequate legal protections for the data. The Directive also subjects sensitive personal data to greater protection under the rules. Sensitive personal data includes information about the ethnic or racial origin of the subject, their political affiliations or opinions, sexual life, religious beliefs, and union memberships.

Central to the EU data protection law is the EU’s Charter of Fundamental Rights and Freedoms. Article 8 of the Charter grants individuals the right to protection of their personal data. It also states that personal data must be fairly processed for the purposes specified and the subjects must give consent for the processing of their data unless the law provides another legitimate basis. It also established an independent authority to control compliance with the laid down rules. The 2008 Council Framework Decision11 further protects data processing in criminal cases, particularly those relating to police and judicial proceedings. The Framework Decision was incorporated into UK law by the 2014 Criminal Justice and Data Protection (Protocol No. 36) Regulations.

Since the 1995 Directive was implemented before the commercialization of the internet and many technological developments in existence today, the way data is collected, stored, accessed and used has significantly changed. To align the data protection law with the technological changes, the EU proposed a new legislative data protection framework in January 2012. The Commission a new law, the General Data Protection Regulation12 that would come into force in May 2018. It also issued the Police and Criminal Justice Directive or the Law Enforcement Directive13 “to protect the fundamental rights and freedoms of people whose personal data is processed to prevent, investigate, detect or prosecute a criminal offense”.

The General Data Protection Regulation (GDPR)

The GDPR 2016/679 was adopted by the EU in May 2016 and would become effective across all EU member states from 25 May 2018. The GDPR is a regulation that governs the processing of personal data by organizations, and the movement of personal data within and outside the EU. It had direct applicability, and EU member states would not need to enact enabling legislation. The Regulation establishes the responsibilities of data controllers14 and data processors.15It also outlines the rights of individuals whose personal data is being processed or data subjects.

Among the fundamental changes that were introduced by the GDPR was the broadening of the scope for compliance by more organizations, to include data processors that were previously not governed by the DP Directive. It applies to data processors and data controllers not established in the EU but who process personal data for subjects within the EU if such processing activities are related to (a) the provision of goods and services or (b) behavior monitoring so long as the behavior takes place within the boundaries of the EU. It also introduced data protection by design and default by requiring that safeguards for data protection be incorporated into systems during development. The GDPR established the European Data Protection Board mandated to resolve disputes between supervisory authorities and ensure consistent compliance with the Regulation. The EDPB will replace the current Committee established by Article 29 Working Party16 and will be constituted by 28 representatives of each independent supervisory authority. It stipulates more significant penalties for non-compliance18 and requires that data processors and public authorities appoint a Data Protection Officer. The Regulation strengthened data subjects’ rights by setting out the conditions for consent, right of access to personal data by subjects, transfer, and erasure of data.

Although the UK voted to exit the EU, the GDPR will continue to apply until Britain formally exits the EU. In line with this, the UK government introduced the Data Protection Bill in Parliament on 13 September 2017 to implement the GDPR. If Article 50 withdrawal agreement and the proposed transitional arrangements are ratified before the departure date of 29 March 2019, the GDPR will continue to apply. If the agreement is not ratified (hard Brexit17), the UK will become a third country after March 29, 2019, for the purposes of GDPR. However, in June 2018, the EU Withdrawal Act 2018 was assented to by the Queen. This ensures that if the UK exits the EU without the transitional period (hard Brexit), the GDPR will be converted into UK domestic law in its current form.


The European Union has its roots from the Second World War when European countries felt that the way to avoiding conflict in the future would be economic integration. In 1952, the European Coal and Steel Community (ECSC) was created through the Schuman Declaration of 1950. Through the ECSC, European countries formed a common market for steel and coal. In 1958, the Treaty of Rome established the European Economic Community (EEC) that was constituted by West Germany, France, Italy, Belgium, and Luxemburg. In the 1960s, the EEC was expanded to include a common agricultural trade policy. Ireland and the UK joined the EEC in 1973. The 1980s saw the expansion of EEC to include health, justice, and the environment. This culminated into the signing of the Treaty of Maastricht that established the European Union (EU), with its headquarters in Brussels, Belgium.

The EU considerably opened borders among the member states for the free flow of goods, services, and citizens. To strengthen trade in the region, a common currency, the Euro, was created and currently, nineteen member states of the existing twenty-eight have rescinded their currencies and adopted the Euro.

However, over the years politicians, policymakers and citizens in the UK expressed concerns over the loss of political and economic sovereignty to the EU. They felt that the EU was exercising too much control over domestic affairs and that it had failed to address the economic challenges facing member states since 2008. These concerns, coupled with the immigration crisis, saw the start of a nationwide campaign geared towards Britain’s exit from the EU. A referendum vote was taken on 23 June 2016, for the UK population to decide whether they wanted to remain or leave the EU. 51.9% of the voters voted to leave the EU. The 2009 Treaty of Lisbon20, however, stipulates that a country’s own decision to leave the EU through a referendum is not adequate on its own. Consequently, the UK Prime Minister, Theresa May triggered Article 50 on 29 March 2017, initiating the process of withdrawal from the EU. The decision and process of Britain’s exit from the European Union are referred to as ‘Brexit.’

The UK Prime Minister spent months negotiating the terms for the UK’s withdrawal from the EU and the framework for future relations between the UK and the EU after Brexit. However, her deal was rejected by parliament and as the 29 March 2019 deadline approaches, no deal has been reached yet. If the EU and UK do not reach a withdrawal deal, Britain may experience a hard Brexit18 – the sudden cessation of EU membership and applicability of associated legislation, policies and support. UK’s Members of Parliament are also set to debate the option of extending Article 50 to allow more time for the UK to reach an agreement with the EU. Although it is mostly uncertain how and when the UK will exit the EU, what remains clear is that Brexit will far-reaching implications for the economic, social, and governance aspects of Britain’s citizens, including an impact on GDPR and other applicable data protection laws.

The terms of the UK membership to the EU are comprised in the European Communities Act 1972 (ECA) which is part of the UK’s domestic legislation. The ECA establishes the legal relationship between the EU and the UK and asserts the supremacy of the EU laws. The ECA states that “EU Treaties and Regulations apply in the UK without further domestic implementation of those provision into UK law”18. Therefore, article 7 and 8 of the EU Charter of Fundamental Rights on the right to privacy and protection of personal data, and the GDPR are part of the laws of Britain. The UK only requires to transpose the Directives of the EU by through transposing them into UK domestic law (for example, the EU Data Protection Directive was transposed into UK law through the implementation of the Data Protection Act of 1998.). Moreover, international agreements reached by the EU are binding to all EU member states. As such, the EU-U.S Privacy Shield, the EU-Canada Passenger Name Records Agreement, and the EU-U.S “Umbrella” Agreement apply to the UK.

In light of the UK’s departure from the EU, the UK will have to repeal the ECA, so that all EU provisions that apply directly to her, and legislation based on the ECA cease to apply. Since the EU has in the last four decades developed a significant volume of legislation and international agreements, the UK would have to implement a vast amount of legislation to fill the gap after Brexit. The UK government is aware of this fact and has proposed to concurrently repeal the ECA and transpose the ECA into UK domestic law, in a wholesale fashion. This means that the regulations will remain the same, but they will henceforth derive the basis for their application from the UK rather than from the EU. The UK government has announced the Great Repeal Bill to implement the “save” and “convert” proposition19.

Third Countries

The data protection framework of the EU classifies any country that is not a member of the EU and European Economic Area (EEA) as a “third country.” The regulations prohibit the transfer of personal data to third countries unless the European Commission (The Commission) is satisfied that the third country will provide an adequate degree of protection for such personal data.

Currently, it is not clear whether the UK will become a member of the EEA after it leaves the EU. In the event that Britain decides not to join the EEA, it will have to be approved as having an adequate level of data protection by the Commission. This poses critical issues for companies operating both in Britain possessing personal data of EU subjects and data processors in the EU processing personal data of UK subjects. Organizations operating in the EU will have to conduct revisions to the methods they use in transferring data to the UK. Some EU member states, for example, Spain will be required to obtain authorization before transferring personal data. However, a different scenario will result if Britain chooses to join the EEA as a non-EU member (in the same way as Norway, Iceland, and Liechtenstein). Members of the EEA are allowed access to the internal market of the EU and are, therefore, required to comply with most EU laws. These include the DP Directive. Britain would have to adopt the GDPR.

Impact of Brexit on GDPR

The GDPR became effective on 25 May 2018, and since the UK was still part of the EU then, British organizations controlling and processing data were required to comply with the new regulations. The Information Commissioner’s Office (ICO) is Britain’s supervisory authority, and its representatives are members of the EDPB. The EDPB replaced the Working Party under Article 29 of the DP Directive and is tasked with the ensuring appropriate application of the GDPR, monitoring, and conflict resolution between supervisory authorities.

However, the UK is set to leave the EU on 29 March 2019, and will henceforth cease to be a member state of the EU. The UK will, therefore, no longer be subject to EU rules, including the GDPR. If no transitional arrangements are made by that date (hard Brexit), then the UK will be deemed a third country in the eyes of the EU and will be subject to the restrictions governing the transfer of data between the EU and third countries. Data transfers between the UK and the EU will fall under sharp scrutiny and will be prohibited to the extent that the EU is satisfied that the UK has in place adequate data protection measures. This will significantly affect businesses in the UK negatively and will have an impact on UK organizations which provide goods and service providers to EU citizens.

Also, the ICO will no longer sit on the EDBP and its authority to guide the interpretation and application of the GDPR will cease. It is uncertain what effect the ICO’s exit will have on the EDPB, but what seems inevitable is that the UK will be distanced from the decision making processes of the EDPB. Moreover, given the extra-territorial nature of the Article 3 of the GDPR, UK organizations targeting subjects in the EU with goods and services those monitoring the behavior or individuals in the EU will still have to comply with the bulk of the GDPR. Compliance with both the UK and EU data protection law could prove burdensome.

Impact of Brexit on PECR and NIS Regulations

The PECR was updated in 2011 (Cookie Law 2011) to implement the revised the EU ePrivacy Directive into UK legislation20. The ePrivacy Regulation was to be valid from 25 May 2018 but has not yet taken effect. The UK government has confirmed that the EC Directive or PECR regulations will continue to apply in the UK. The UK will, however, not implement the ePrivacy Directive. Therefore, if the ePrivacy Regulation significantly differs from PECR, organizations in the UK will have to comply with both regulatory regimes as far as direct email marketing to individuals is concerned. The Network and Information System (NIS) Regulations will, however, remain unaffected and will continue to apply. Digital service providers in the UK will have to appoint representatives in the EU so that they can maintain access to markets in the EU.

Impact of Brexit on the Privacy Shield

The EU-US Privacy Shield replaced the EU-US Safe Harbor Scheme in October 2015. The EU and US also reached an agreement on 24 June 2016 that would improve the new Privacy Shield to provide enough protection against indiscriminate surveillance and strengthen data protection rights and transparency.

The U.S. Department of Commerce issued new compliance standards on 20 December 2018 for members of the Privacy Shield to continue receiving personal data from the UK post-Brexit. The new standards require all U.S. organizations that participate in the Privacy Shield to; (a) Maintain and rectify annually a Privacy Shield certification; (b) Update their privacy policy to include reference to the UK. Privacy Shield participants must also update their Human Resource (HR) privacy policies if they plan to continue receiving HR data from the UK after Brexit.

The deadline for implementing the measures will be dependent on the date of the UK’s formal withdrawal from the EU. In case of a no deal scenario, there will be no transition period, and Privacy Shield participants will, therefore, have to update their privacy policies by the 29 March 2019 deadline. However, if the UK finalizes a deal with the EU, then there will be a transition period ending 31 December 2020, and companies will have more time to update their privacy policies. During the transition period, the EU’s adequacy decision will continue to apply. If participants fail to implement the new measures, they will not be able to continue receiving personal data from the UK after each applicable date.

Impact of Brexit on the EU Charter of Fundamental Rights and Freedoms

The EU Charter of Fundamental Rights and Freedoms is an integral part of the EU data protection regulations. The Charter protects personal data by imposing the requirement for fair collection and use of personal data by data processors and controllers and strengthening the supervisory role of regulatory bodies. The UK government has, in the European Union Withdrawal Bill, proposed to exclude the EU Charter of Fundamental Rights and Freedoms from the law that should be retained after Brexit. The position is based on the fact that the government does not consider the Charter as relevant after Brexit, as it applies within the scope of the EU law. Therefore, by not retaining the Charter, no loss of substantive rights will be experienced. This raises questions, whether the seamless flow of personal data between the UK and EU will continue, as non-compliance with the Charter would require similar regulatory mechanisms. There is also the issue of whether any data protection rights will be lost if none of the aspects of the Charter are included in the EU retained law. The Data Protection Act29 which received Royal Assent on 23 May 2018 has mostly dealt with these issues. However, while it ensures protection for the personal data of UK’s data subjects, it does not substantially include the principles contained in the EU Charter of Fundamental Rights and Freedoms and does therefore not guarantee the free flow of data between the EU and UK after Brexit. The UK will need to implement additional legislation that is similar or equivalent to the EU Charter to ensure the uninterrupted flow of data between the UK and EU after Brexit.

Data Protection Law after Brexit

The UK government has maintained that it wants to ensure an interrupted flow of data between the EU and the UK after Brexit. In July 2017, the Lords Select Committee issued a report on the EU which recommended that the government seeks the most comprehensive and least burdensome data sharing platform after Brexit. The committee warned that the failure of the UK government to make transitional arrangements that would allow the free flow of data would result in a cliff-edge20.

The government, in an August 2017 future partnership paper, stated that it was exploring a UK-EU data protection and transfer model built upon the existing adequacy model. It introduced the Data Protection Bill (HL) 2017-19 that would transpose the GDPR into UK law. However, the government proposed to exclude the EU Charter of Fundamental Rights in the transposed law. The EU issued a position paper in September 2017 outlining its principles on the protection and use of data of EU subjects before Brexit. The UK has several options to pursue before the EU exit deadline, to ensure that to ensure that there is a smooth flow of data between her and the EU after 29 March 2019.

Options for the UK Government

There is much speculation on the position the UK will achieve after formal exit from the EU. To ensure the uninterrupted flow of flow of personal data with the EU, the UK has several options it could pursue.

Membership of the European Economic Area

The DP Directive being an EU directive is not automatically legally binding on the Member States in the same way as the GDPR, and Member States are required to develop domestic legislation to implement the principles of the DP Directive. Britain implemented the Data Protection Act 1998 (DPA) to meet the goals of the DP Directive. The DP Directive under Article 25 states that personal data is not transferrable to a third country unless the third country has an adequate level of protection. However, the eighth principle of the DPA makes reference to the EEA rather than the EU. It states, inter alia, “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects concerning the processing of personal data”21. The reference to the EEA offers the UK an option for transitional data transfer arrangements with the EU on Brexit.

The EEA was created by a partnership agreement between the EU and the European Free Trade Association (EFTA)22. It, therefore, comprises all the 28 EU Member States and three of the four members of the EFTA namely Norway, Iceland, and Liechtenstein. Although the EFTA was formed to strengthen trading ties between the EU and its member states, the EFTA still lies outside the EU and is affected by the decisions of the EU, including those relating to data transfer outside the boundaries of the EU. However, to boost the trading partnership, three EFTA members (Iceland, Norway, and Liechtenstein) joined the EU on 1 January 1994 to form the Internal Market or the EEA. The Internal Market agreement23 extends the application of the EU directives and rules to the three non-EU member states if the EEA Joint Committee24 approves such extension of EU legislation. Therefore, the DP Directive also applies to all members of the EEA. After Brexit, the UK will find itself in a similar position with Norway, Iceland, and Liechtenstein. UK’s membership to the EEA would ensure that personal data continues to flow freely within the jurisdictions of the EAA. However, EEA membership would mean that the UK would first have to join the EFTA, but this is not without its challenges.

The UK government has maintained that it has no intention to join the EFTA. On 2 February 2017, the government published a White Paper titled “The United Kingdom’s exit from and new partnership with the European Union.” The White Paper in Chapter 825 states that “the government will prioritize securing the freest and most frictionless trade possible in goods and services between the UK and the EU.” It states further that “We will not be seeking membership of the Single Market, but will pursue a new strategic partnership with the EU, including an ambitious and comprehensive Free Trade Agreement and a new Customs Agreement instead.” The government also expressly outlines that it will not be seeking to adopt a model that is enjoyed by other countries. This indicates that the UK may not join the EEA and different solutions are necessary to maintain the free flow of personal data between the EU and UK after Brexit.


Adequacy is an integral part of the DP Directive. The Adequacy decision allows third countries to apply to the European Commission so that the EU can recognize them as having sufficient data protection regimes that are almost similar to that of the EU. The European Commission considers the nature of the data, purpose, and duration of the proposed processing operations, countries of origin and destination, security measures, and national and sectoral laws of the third country26. Once approved by the EU commission as having adequate data protection systems, third countries become eligible to transfer personal data between them and the EU without the need for implementing additional safeguards. The EU-Canada Passenger Name Records Agreement and the EU-US Privacy Shield are examples of the Adequacy decisions.

Adequacy is another option that the UK could pursue to maintain the free flow of personal data after Brexit. Whether it will be after 29 March 2019 or after the date of the transition period of 31st March 2020, the UK will be considered a third country and may apply for consideration based on the adequacy decision. The UK Prime Minister, Theresa May emphasized that the adequacy process should not be delayed as the free flow of personal data between the UK and the EU would be critical after Brexit.

Given that the DPA 1998 is rooted in the DP Directive, one might expect that the European Commission will effortlessly approve the UK as having an adequate level of protection for personal data. However, in the current era, international data transfers are a politically sensitive issue. Additionally, the European Commission has in the past expressed concerns that the UK government has not fully implemented the DP Directive. The activities of the Government Communications Headquarters (GCHQ)27 relating to mass surveillance and intrusion have also raised eyebrows in the past. The European Commission might, therefore, require that the UK institutes additional safeguards to protect the rights of data subjects in both the UK and the EU before an adequacy decision for Britain can be reached.

Customized Arrangements

The UK could also enter into “adequacy plus” arrangements with the EU post-Brexit. PM Theresa May expressed Britain’s desire to be included in the “one-stop shop”29 regime that is designed to standardize data protection law across the EU. The “one-stop shop” system allows multinational companies to be subject to the supervisory body in the jurisdiction where they are either headquartered, or their data protection team is located. The aim of the system to ease the burden of multiple compliance for organizations that operate in more than one Member State.

The “one-stop shop” mechanism does not apply to non-EU members. This means that upon the UK’s withdrawal from the EU, it will not be able to take advantage of the system, posing a greater regulatory burden for organizations based in the UK. To maintain the UK’s attractiveness as a business hub for multinational companies, the UK government is pushing for the continued role of the Information Commissioners Office EDPB. The UK’s push for such an arrangement is ambitious, and it remains to be seen what the final withdrawal agreement if reached, will articulate.

Organizational Solutions for Data Processors and Controllers

After Brexit, data processors and controllers in and outside the UK could pursue several options in the face of Brexit. First, they could exploit the Standard Data Protection Clauses or Model Clauses. The clauses place the responsibility of protecting personal data on the sending and receiving organization. There are two sets of clauses the 2001 Clause30 and the 2004 Clause31. The 2001 clause outlines that data subjects can only enforce direct rights against the organization responsible any for breach.

On the other hand, the 2004 clause extends the right of action to include both the sending and receiving party as being severally and jointly liable in case of any breach. The European Commission also approved a new set of clauses in February 2010, and it provides for data subjects to take action against the party responsible for the breach. An organization can decide what set of clauses suits its requirements and apply it.


For years, certifications have provided an opportunity for companies to demonstrate good practice by adherence to a specific set of principles in their different areas of operation. In the area of data protection, commercial entities in the UK can obtain certifications to ensure that they have appropriate data protection safeguards so that consumers in both the UK and EU can trust them with their data. The certification procedure requires that the organization seeking approval provides access to all information and processing activities necessary to conduct an assessment of whether the organization meets the certification requirements. The certification is renewable after every three years if the awarding body is satisfied that it is maintaining the required standards. Therefore, after Brexit, UK organizations can obtain certifications to ensure that they continue receiving personal data from EU subjects.

Binding Corporate Rules

The Binding Corporate Rules (BCRs) allow multinational entities to transfer personal data within the same group where the subsidiaries or branches are located outside the boundaries of the EU. BCRs provide a framework for the efficient intra-group transfer of personal data. Article 26(2)32 states that a national supervisory authority should assess the BCRs submitted by an organization. The UK government has said that no BCRs will be canceled after Brexit and that it will ensure the ICO continues to closely work with other supervisory authorities in the EU so that BCRs can continue to be used by multinational data processors and controllers. BCRs are in line with the accountability requirements of GDPR UK organizations could, therefore, pursue this avenue so that they continue receiving personal data from the EU after Brexit. However, BCRs limit the transfer of data within the same corporate group, meaning that data processors will have to look for alternative mechanisms for data transfers outside the group.

Codes of Conduct

The DP Directive makes reference to codes of conduct by stating that they play a significant role in the proper implementation of the legislation of Member States. The DPA also include codes of practice, and they could therefore as well apply to the GDPR in relation to the transfer of data to third countries. Article 462 (2) (e) of the GDPR provides for the use of codes of conduct in personal data transfers if the data controller or processor in a third country if they give and adhere to “binding and enforceable commitments”32. If the organization breaches the code of conduct, then the supervisory authority will take appropriate action. Post-Brexit, therefore, UK organizations could establish codes of conduct and submit them for approval by the European Commission to be allowed to transfer personal data between them and the EU.


The UK’s withdrawal from the EU has presented many implications for the EU data protection law and organizations that control and process personal data within the EU. The data protection law has been at the center of the UK’s withdrawal negotiations, as both parties explore the best agreeable way to ensure that data continues to flow uninterrupted after Brexit. This paper has laid an insight into the current EU data law, and the implications Brexit will have on the data law. It has also evaluated the various options that the government and organizations in the UK could pursue to ensure that data transfers and business operations are not destabilized after the UK leaves the EU.

IWhether the UK will formally leave the EU on 29 March 2019 or on 31 December 2020 after the end of the transition period remains unclear. After a series of negotiations with the EU Member States, the UK Prime Minister, Theresa May presented a Withdrawal Agreement to the UK parliament in November 2018, but it was rejected in January 2019. The EU has maintained that it will not re-negotiate another withdrawal deal with Britain, and it’s, therefore, currently uncertain how and when Britain will leave the EU. While the UK government has stated in the past that the body of EU DP Directive including the GDPR will be transposed into UK national legislation, the extent and substantiveness of the adopted legislation will become certain after 29 March 2019. Hitherto, UK citizens and organizations will have to continue monitoring the relevant developments pertaining to personal data transfers between the UK and the EU after Brexit.

In closing remarks, the UK has been a key player in driving the data protection agenda across and outside the EU for the past four decades. Although Brexit gives the UK the ability to establish its data protection legislation, there will be a need to develop regulations that are much aligned to the EU DP Directive. For some companies in the UK, the GDPR will continue to apply regardless of the UK’s relationship with the EU after Brexit. It is hoped that the UK will establish an appropriate data transfer mechanism between herself and the EU before formally withdrawing from the EU to ensure the continuity of free flow of data between herself and the EU after Brexit.




European Commission, ‘Draft Agreement On The Withdrawal Of The United Kingdom Of Great Britain And Northern Ireland From The European Union And The European Atomic Energy Community’ (, 2018) <> accessed 11 February 2019

European Union Committee, ‘Brexit: The Withdrawal Agreement And Political Declaration’ (, 2018) <> accessed 11 February 2019

HM Government, ‘Future Customs Arrangements A FUTURE PARTNERSHIP PAPER’ (, 2017) <> accessed 11 February 2019

European Union Agency for Fundamental Rights & Council of Europe, ‘Handbook On European Data Protection Law2018 Edition’ (, 2018) <> accessed 11 February 2019

AddleshawGoddard, ‘BREXIT AND DATA PROTECTION’ (, 2019) <> accessed 11 February 2019

‘Data Protection Act 2018’ (, 2019) <> accessed 11 February 2019

Stevens & Bolton LLP, ‘BREXIT AND DATA PROTECTION IN THE UK’ (, 2017) <> accessed 11 February 2019

Wimmer KJ Jones, ‘Brexit And Implications For Privacy’ (, 2019) <> accessed 11 February 2019

School of Law, The University of Manchester, ‘DATA PROTECTION, INTELLIGENCE-SHARING, AND BREXIT: THE PATH AHEAD?’ (, 2017) <> accessed 11 February 2019

Woodhouse J & A Lang, ‘Brexit And Data Protection’ (House of Commons Library, 2017) <http://file:///C:/Users/Getty/Downloads/CBP-7838.pdf> accessed 11 February 2019

FitzGerald M, ‘Brexit: Data Protection And EU-UK Data Flows’ (, 2017) <> accessed 11 February 2019

JonesDay, ‘Brexit: Implications For Data Protection And The General Data Protection Regulation In The UK’ (2019) <> accessed 11 February 2019

Kirkland & Ellis International LLP, ‘Brexit Briefing: Impact On Data Protection’ (, 2017) <> accessed 11 February 2019

Allen & Overy LLP, ‘Data Protection Legislation – Back To The Drawing Board?’ (, 2017) <> accessed 11 February 2019

Loyens & Loef, ‘Brexit: What Might Change Data Protection’ (, 2017) <> accessed 11 February 2019


MacShane D, Brexit: How Britain Left Europe (IB Tauris 2016)

European Union Committee 3rd Report. Brexit: the EU Data Protection Package (Dandy Booksellers Ltd 2017)

Kelleher D and Murray K, EU Data Protection Law (Murray, Karen 2018)

Tse H, Doing Business Post-Brexit: a Practical Guide to the Legal Changes (Bloomsbury Professional 2017)


United Kingdom

Data Protection Act 1998

Data Protection Act 2018

Privacy and Electronic Communications Regulations 2003

Investigatory Powers Act 2016


European Union Including the European Commission


Do you need high quality Custom Essay Writing Services?

Custom Essay writing Service