Extra-territoriality post-Brexit: Does the UK or EU regime apply?

Rebecca Cousin, Lucie van Gils and Cindy Knott of Slaughter and May consider the implications of the decision of the High Court in the Soriano case and discuss what questions it leaves unresolved.

We are a few months into the post-Brexit world, with the EU and the UK now operating broadly separate legal systems. The UK has its own privacy regime comprised of the “UK GDPR”, which is essentially the European General Data Protection Regulation (or “EU GDPR”) as implemented in national UK legislation, and the Data Protection Act 2018. Both have been modified slightly to make them work in a UK only context and together they are now the primary sources of data protection compliance for UK businesses.

However, the EU GDPR will continue to be relevant for any UK business that remains active in the European Economic Area as a result of its potential extra-territorial application. Similarly, European companies that are active in the UK will have to consider the application of the UK GDPR. As a result, we have seen an increasing number of questions from businesses, both in the EU and UK, seeking to understand exactly when they are subject to either of the two regimes, and what this means for them in practice.

Continue reading

UK Report subscribers please login to access the full article.

If you wish to subscribe please see our subscription information.