Now that Brexit happened, does GDPR include UK customers, or not anymore?
4 Answers
GDPR will continue to apply to UK customers directly until the end of the transition period (31 December 2020):
So, while the UK will no longer have any voting rights, it will need to follow EU rules. The European Court of Justice will also continue to have the final say over any legal disputes.
Thereafter, the Data Protection Act 2018 will continue to apply (which itself applies "GDPR standards"). Six of one, half a dozen of the other.
While @Greendrake is generally correct that GDPR-like standards (via the Data Protection Act (2018)) will continue to apply to personal data of UK citizens/residents that are controlled or processed in the UK, there is a substantial question about whether the UK will be considered a "safe" jurisdiction for the purposes of the GDPR.
This means that after the Brexit transition period, to control or process in the UK personal data of people "in the Union"* one or more of the following would need to happen:
- The UK would need to obtain a formal "adequacy decision" confirming that the UK offers an adequate level of protection for personal data;
- the entity controlling or processing EU personal data in the UK would need to establish GDPR-compliant "binding corporate rules"; and/or
- the entity controlling or processing EU personal data in the UK would, if it is "established in the Union",** need to enter into appropriate Standard Contractual Clauses*** with the data controller also "established in the Union."
*There is no clear definition of what it means for a person to be "in the Union," but I can't help picturing that scene from Zoolander (look it up if you are too young) where they are trying to get files from "in the computer". That said, the consensus seems to be that this means citizens or permanent residents of the EU.
**The GDPR preamble hints at what it means to be "established in the Union". It certainly does not require being organized under EU law or having a headquarters there, and may not necessarily require having a physical location in the EU; it may be as little as something similar to the US test for nexus to be subject to personal jurisdiction, e.g., purposeful and repeated course of business directed into the EU.
***Recently upheld (generally) by the ECJ: http://curia.europa.eu/juris/document/document.jsf?text=&docid=221826&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=4444395
PS: I am a lawyer, but not your lawyer. Opinions and interpretations are my own and should not be applied to your factual situation without consulting with a qualified attorney who has agreed to advise you on those matters. Phrases in quotes are meant to facilitate your search; I do not have time to pull citations for you.
My understanding from multiple Law firm hosted webinars on GDPR is that it applies to all EU citizens and residents, regardless of where they are in the world. This scope also includes web-sites in other countries that EU citizens and residents visit, even if just browsing and never logging in or any other transactional purchase, because the IP address is considered PII.
So, in answer to the question: EU citizens living in the UK are covered. Web-sites that EU citizens (from anywhere in the world) or EU residents (in EU countries) visit are also required to comply with GDPR. Basically, assume that GDPR's overreach will hit you, regardless of where you are.
Wrong: as pointed out in the comment.
GDPR is a directive, not a law itself. It is up to member countries to implement the directive requirements in their own laws using their own legislative process. UK pretty much did that.
The only way for the UK to get rid of GDPR-related stuff in their laws is to complete Brexit and then proceed (if they really want to) to amend their laws in a way that is incompatible with GDPR.