14 August 2020

Although the UK has left the EU, during the Brexit transition period which ends on 31 December 2020, most EU regulations will continue to apply to the UK, including the General Data Protection Regulation (GDPR) and other privacy regulations.

As the end of the Brexit transition period is fast approaching, the Information Commissioner’s Office (ICO) has issued a Q&A, informing businesses of the UK’s data protection and privacy regulation landscape after the end of the transition period.

Application of GDPR and the UK GDPR

The UK government has stated its intention to incorporate GDPR into UK law (UK GDPR). This means that in practice there will be limited changes to the fundamental principles, data subject rights and controllers’ and processors’ obligations in the UK.

However, due to GDPR’s extra-territorial nature, the EU regulation remains applicable to those businesses based in the UK who are within the scope of GDPR. This includes where a UK business operates in the EU, by either offering goods or services to, or by monitoring the behaviour of, individuals in Europe. In these circumstances, unless the European Commission grants an exemption, UK business that are caught by GDPR may need to appoint a European representative once the transition period ends (please see our previous article regarding appointment of representatives here).

Data transfers from the UK after the transition period

Data transfers from the UK to the EEA and other non-EEA countries with adequacy decisions will largely remain unchanged after the transition period, as the UK government has confirmed that, subject to ongoing review, it will permit transfers to the EEA and recognise adequacy decisions already made by the European Commission.

The recent Schrems II decision has meant that the EU-US privacy shield is no longer valid under GDPR. Whilst technically the UK is able to decide independently how to regulate transfers from the UK to the US after the Brexit transition period, the UK is unlikely to diverge from the anticipated guidance from the European Data Protection Board (EDPB) in the short term, since substantive divergence could jeopardise the UK’s application for an adequacy decision from the EU.

Data transfers from EEA to the UK after the transition period

The UK will become a third country upon the expiry of the Brexit transition period. Data transfers from the EEA and from other businesses caught by GDPR, will need to comply with GDPR and ensure that data is only regularly transferred to the UK where an equivalent level of protection is provided, either by way of an adequacy decision or one of the following appropriate safeguards:

  • Binding Corporate Rules and Standard Contractual Clauses – If the UK does not obtain an adequacy decision before the end of the Brexit transition period, both mechanisms will remain valid to facilitate transfers of personal data outside the EEA. However, as we previously discussed, the combined effect of Schrems II and UK-US data sharing agreement for the purpose of countering serious crime makes it questionable whether data transfers to the UK can benefit from these two mechanisms.
  • Codes of conduct and certification – So far no codes or certification schemes have been approved by the Commission to act as safeguards for international transfers. However, the ICO’s has indicated that it is working on developing codes of conduct and certification schemes and will continue to do so after the end of the transition period. 


The ICO has confirmed that it will no longer act as a supervisory authority under GDPR, but will continue to maintain a close relationship with the EU supervisory authorities once the transition period ends.

Application of other privacy regulations

Most of the other EU privacy regulations have been implemented into the UK as follows and will therefore continue to apply:

  • the Privacy and Electronic Communications Regulations 2003 (PECR), which regulates electronic direct marketing, use of cookies and electronic communications. The ICO however has remained silent on whether the UK is likely to implement the EU’s proposed e-Privacy Regulation, which is currently discussed at the EU level and will not come into effect before the end of the transition period.
  • the Network and Information System Security Regulations 2018 (NIS), which regulates how organisations prevent and react to incidents that could have an impact on their information system and service. Again UK businesses caught by the EU’s NIS Directive may need to appoint representatives in the EU and comply with national NIS rules in the relevant member states they offers services to. The NIS Directive is currently being reviewed by the EU and is expected to be replaced after the end of the Brexit transition period.
  • the Freedom of Information Act 2000 (FOIA), which allows members of the public to request certain information from public authorities.
  • the Environmental Information Regulations 2004 (EIR) which serves similar purpose as FOIA in respect of environmental information held by public authorities. Although interestingly the ICO mentioned that the EIR will continue to apply ‘unless repealed or amended’, potentially suggesting that changes to the EIR might be underway.

The eIDAS regulation, which covers electronic ID and trust services, does not form part of UK law and will therefore no longer apply in the UK once the transition period ends. However, as with the GDPR, the UK government intends to incorporate eIDAS rules into UK law. UK trust service providers offering services in the EU may still need to comply with EU eIDAS rules.

If you need assistance in dealing with data protection issues and preparation for the end of the Brexit transition period, please contact David Varney in our Data Protection team.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more