Lawyer says UK likely to maintain data rights, despite fears

Recent cases have sparked concern over the UK's post-Brexit data protections.

There has been no shortage of debate over UK data protection recently in the light of the historic vote to leave the EU and, just this week, a Reuters story about data from UK GMail users being moved to the US. To catch up for his take on this seemingly breathless and legalistically complex period, I caught up with Jonathan Armstrong of law firm Cordery Compliance for his expert views.

What happens to UK data protection law after Brexit?

Before GDPR came in there was data protection law in the UK. After the UK leaves the EU GDPR won't directly apply (since it's an EU Regulation) but there will still be data protection law in the UK.  It's important to remember that the UK has had data protection law in place since 1984. This is earlier than the EU Directive which GDPR replaced. Data protection law was part of UK domestic law before it became part of EU law. 

The UK Data Protection Act 2018 (DPA 2018) has a Brexit plan built in. When the UK leaves the EU, so long as DPA 2018 hasn't been amended, effectively GDPR is copied and pasted into UK law. There's an alert on post-Brexit data protection here and a long webinar here.

In fact, in some respects, DPA 2018 is tougher than GDPR has it has criminal sanctions there too.

What about Google?

It's important to remember that it seems that Google only changed their data protection arrangements for people in the UK last year.  After the €50m fine in France, they changed their structure to have Ireland as the lead DPA. That case may be subject to an appeal, but it seems Google decided then to put more of their data in Ireland. So, this isn't a long-standing arrangement which has been torn up because of Brexit. Brexit was already a reality in 2019.

To continue reading this article register now