The Impact of Brexit on the GDPR: A South African Perspective

On 31 January 2020, the United Kingdom (UK) formally left the European Union (EU). The political, economic and social impacts of this event are still to be determined. However, for those entities and individuals concerned with data protection and privacy, the exit of the UK from the EU could potentially open a floodgate of legal issues that will require appropriate and comprehensive consideration.

The prevailing data protection and privacy legal framework in place in the EU is the General Data Protection Regulation (GDPR). This Regulation has been considered by many to be a seminal legal instrument which has developed and put into practice many positive data protection and data privacy principles. This is not to say that the GDPR is beyond criticism; however, a critique of the GDPR is beyond the scope of this article.

An important aspect of the GDPR is that it is not limited by geography or territoriality. The GDPR governs the processing of personal data of EU citizens, regardless of where that processing takes place, where such processing involves the targeting of EU citizens (offering of goods or services) or the monitoring of the behaviour of EU citizens while in the EU.

Taking the above into consideration, it is clear that since the UK and its citizens are no longer part of the EU, they no longer fall under the protection and purview of the GDPR.

This raises the question: for companies that have been doing business in the EU and the UK, or perhaps only the UK, what effect does the exit of the UK from the EU have on compliance with the GDPR? Which law will apply then? We unpack some of these questions below:

How does Brexit affect the GDPR? Does it still apply?

The UK has a withdrawal agreement with the EU which allows for a transition period until the end