Brexit and UK data protection - CIPP/E Study Guide

After Brexit, withdrawal legislation repealed the European Communities Act 1972, converted the GDPR into the UK GDPR (retained EU law, amended by the 2019 Exit Regulations) and consolidated it with the Data Protection Act 2018 so the position stayed substantively unchanged. As a third country, the UK needed an adequacy decision; the Commission adopted two adequacy decisions on 28 June 2021 (under the GDPR and the LED), uniquely subject to a four-year 'sunset clause'.

While the UK was in the EU, the GDPR applied via the European Communities Act 1972, supplemented by the Data Protection Act 2018. On Brexit, withdrawal legislation repealed the ECA, implemented the GDPR mutatis mutandis as a UK statute, and consolidated it with the DPA so the position remained substantively unchanged.

The UK GDPR - the GDPR as retained EU law, amended by the 2019 Exit Regulations (e.g. 'EU/member states' → 'UK'; 'supervisory authority' → ICO)
The Data Protection Act 2018, also as amended by the Exit Regulations
Secondary legislation by the Secretary of State (e.g. the data protection fee)
ICO codes of practice and guidance
International instruments the UK adheres to: the ECHR and Convention 108

Adequacy is fragile

The Commission emphasises the UK's adherence to international instruments. Any UK move to deviate from the ECHR or Convention 108, or from the ECtHR's jurisdiction, may compromise the adequacy decision and the free flow of data.

As a third country, EU-to-UK data flows must comply with GDPR Chapter V - restricted unless the UK is adequate. On 28 June 2021 the Commission adopted two adequacy decisions for the UK (one under the GDPR, one under the LED), so the free flow of data continues. Uniquely, these include a 'sunset clause' that makes them automatically expire after four years, requiring review.

UK adequacy - what's distinctive
Aspect	Detail
Date adopted	28 June 2021
Number of decisions	Two - one under the GDPR, one under the LED
Legal basis	Article 46(2) GDPR criteria (rule of law, enforceable rights, independent SAs, international commitments)
Unique feature	A four-year 'sunset clause' (automatic expiry, then review)

UK adequacy - what's distinctive

Aspect

Detail

Date adopted

28 June 2021

Number of decisions

Two - one under the GDPR, one under the LED

Legal basis

Article 46(2) GDPR criteria (rule of law, enforceable rights, independent SAs, international commitments)

Unique feature

A four-year 'sunset clause' (automatic expiry, then review)

Key terms - quick answers

What is “UK GDPR”?

The GDPR as retained EU law in the UK, amended by the 2019 Exit Regulations (e.g. references to the EU/SAs replaced with the UK/ICO).

What is “Exit Regulations”?

The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, which adapted the GDPR and DPA for Brexit.

What is “Data Protection Act 2018”?

UK statute (DPA) that supplemented the GDPR and, post-Brexit, sits alongside the UK GDPR (as amended).

What is “Adequacy decision”?

A European Commission decision that a third country offers adequate protection, allowing free data flows; the UK received two on 28 June 2021.