House of Commons Library

Brexit and data protection

Published Thursday, July 27, 2017

This Library Briefing Paper looks at data protection and what might happen after Brexit.

The basis of EU data protection law is the 1995 Data Protection Directive (95/46/EC), which was implemented into UK law by the Data Protection Act 1998. This general Data Protection Directive has been complemented by other legal instruments, such as the e-Privacy Directive (2002/58/EC) for the communications sector. There are also specific rules for the protection of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).

Since 1995 technological progress and globalisation have profoundly changed the way data is collected, accessed and used. In addition, EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. In January 2012 the European Commission therefore proposed a new legislative framework for data protection. In its now finalised form, this has two elements:

  • The General Data Protection Regulation (GDPR; Reg 2016/679). This came into force on 24 May 2016. There is a two-year transition period for implementation, meaning that the UK is not obligated to apply it until 25 May 2018.
  • The Directive on data transfers for policing and judicial purposes (2016/680/EU). This came into force on 5 May 2016. EU Member States are required to transpose it into their national law by 6 May 2018. The Directive aims to protect citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities and will especially protect the personal data of victims, witnesses and suspects of crime. It will apply to data transfers across borders within the EU as well as, for the first time, setting minimum standards for data processing for policing purposes within each Member State.


This Paper focuses on the GDPR. The Regulation includes new provisions on:

  • Increased territorial scope
  • Penalties
  • Consent
  • "Privacy by design"
  • Data protection officers

It enhances data subjects’ rights with new provisions covering:

  • Breach notification
  • The right to access
  • The right “to be forgotten”

A European Commission factsheet (May 2017) gives an overview of the GDPR and what it will mean for citizens and businesses.

The UK and the GDPR

The Government has said that the GDPR will apply in the UK from 25 May 2018.

In February 2017, Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union that the GDPR was a “good piece of legislation”. He said that parts of the Data Protection Act 1998 would need to be repealed for data processing to be within the scope of the GDPR and that it was “necessary to ensure that we do not end up with the Data Protection Act duplicating or creating inconsistencies with the GDPR, because the GDPR will be directly applicable”. 

Queen’s Speech, June 2017

The Queen’s Speech of 21 June 2017 said that a Bill will be introduced to “ensure that the United Kingdom retains its world-class regime protecting personal data”. Background briefing notes on the Queen’s Speech explain that the Bill would:

  • ensure that our data protection framework is suitable for our new digital age, and cement the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data;
  • strengthen rights and empower individuals to have more control over their personal data including a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it;
  • establish a new data protection regime for non-law enforcement data processing, replacing the Data Protection Act 1998; and
  • modernise and update the regime for data processing by law enforcement agencies

The Bill has not yet been introduced.

What will happen after Brexit?

Under the EU’s data protection framework, any country outside the EU and EEA is classed as a “third country”. Personal data can only be transferred to a third country when an adequate level of protection is guaranteed. One option is for the European Commission to make an “adequacy decision” so that personal data can flow from EU/EEA member states to third countries (or one or more specific sectors in those countries). Other options include binding corporate rules and standard contractual clauses.

The Government has stressed that it is “keen to secure the unhindered flow of data between the UK and the EU post-Brexit”.

Lords Select Committee report (July 2017)

In a July 2017 report, the Lords Select Committee on the European Union said it was “struck by the lack of detail” on how the Government plans to deliver the unhindered flow of data after Brexit. According to the Committee, the most effective way would be through adequacy decisions from the European Commission. However, these can only be made in respect of third countries. There are therefore legal impediments to having decisions in place at the moment of Brexit. In the absence of a transitional arrangement, securing uninterrupted flows of data could be at risk. The Committee therefore recommended that the Government should ensure that any transitional arrangements agreed during withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK.

The Committee also said that, on data protection, there was no prospect of a “clean break” – “the extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK, affecting UK businesses that handle EU data”.



Commons Briefing papers CBP-7838

Author: John Woodhouse

Topics: Data protection, EU law and treaties

The House of Commons Library provides research, analysis and information services for MPs and their staff.