
      Your data

       

      The current state of play

      Regulatory framework

      The data protection framework in the EU is based on the Data Protection Directive. Although member state regulation is based on this directive, domestic laws and, in particular, respective enforcement practice differ to some extent from one state to another.

      A higher degree of harmonisation in EU data protection standards will be achieved by the upcoming General Data Protection Regulation (GDPR), which will most likely come into force in 2018. The GDPR will be directly applicable in all member states, and will introduce fines at a level similar to antitrust regulations in the EU. It will have a broad scope of application as it will also cover data processing outside the EU if such processing is related to the offering of goods or services to data subjects in the EU.

      Collection, processing and transfer of personal data

      EU data protection regulation is based on the principle that any collection, transfer or processing of personal data requires a legal justification (eg the data subject’s consent, overriding legitimate interests of the data controller or regulatory requirements).

      Transfer of data outside the EU

      The transfer of personal data outside the EU is subject to additional requirements. In most cases, this is only allowed if the country where the recipient of the data is located is regarded as a 'safe third country' by the European Commission.

      Commissioned data processing

      Under certain circumstances, transfers of personal data to so-called data processors (eg server hosts or certain providers of software or cloud computing) do not require a legal justification. However, this exemption only applies to commissioned data processing within the EU. If a data processor is located outside the EU, transfers of personal data to it still require a legal justification, even if the parties sign up to a data processing agreement and agree to ensure compliance with EU data protection regulation.


      What should I be thinking about now?

      Data processing outside the EU

      An important question is whether, after a Brexit, the UK would be classified as a 'safe third country' by the Commission, so as to permit EU personal data to be transmitted to the UK. If it were not, UK companies doing business in the EU would need to re-think their data protection compliance strategy.

      Commissioned data processing

      Cross-border data flows to data processors in the UK that do not currently require a legal justification might require a particular justification in the event of a Brexit. Without such justification, changes to data flows may become necessary. This would be especially burdensome if the data processor plays a role as a data processing hub within a group structure with headquarters or subsidiaries in the EU.

      Applicability of EU data protection regulation

      What would the UK data protection regime look like following a Brexit? To what extent would the UK want to retain the regime based on the Data Protection Directive or the GDPR changes? Would a negotiated post-Brexit UK/EU relationship involve the UK keeping in step with the EU in this area?


      What could the position be following a Brexit?

      The answers to many of the above questions would depend on the nature of a post-Brexit UK/EU relationship.

      To give an idea of the range of possible outcomes, we have considered what the position would be under the ‘Norwegian option’ and the ‘World Trade Organisation (WTO) option’ – on the basis that these are at opposite ends of the spectrum of existing models for an alternative relationship with the EU.

      What if the UK leaves the EU but joins the European Free Trade Association and remains part of the European Economic Area (EEA)? (the Norwegian option)

      The four freedoms as laid down in the Treaty on the Functioning of the European Union (ie the free movement of goods, services, persons and capital, as well as competition and state aid rules) are incorporated in the EEA Agreement. This means that:

      • the Data Protection Directive applies throughout the EEA. Hence, nothing would change since the UK would still have to comply with this directive; and
      • the upcoming GDPR would have an immediate effect on UK-based companies.

      What if the UK left the EU without any form of free trade agreement? (the WTO option)

      • The UK would be free to revise its data protection framework and deviate from EU standards.
      • The upcoming GDPR would have no direct effect on the UK. 
      • Depending on future revisions to UK data protection law, the Commission would have to designate the UK as a 'safe third country'. If it didn’t, data transfers to the UK would be subject to stricter requirements, like data transfers to the USA, for example.