The Personal Information Protection and Electronic Documents Act and Brexit

What is Brexit?

Brexit, short for "British exit," is the word used to refer to the United Kingdom's (UK) decision to leave the EU.

On June 23, 2016, the UK held a referendum on whether the UK should leave or remain in the EU. The side voting to leave won 52% of the vote.

On March 29, 2017, the UK invoked the exit clause (Article 50) of the Treaty on European Union. This started a two-year countdown to the UK officially leaving the EU.

The UK may leave the EU with or without a deal that sets out how it leaves the EU (known as a withdrawal agreement).

The UK and the GDPR

If a withdrawal agreement is in place, it is likely to include a transition period, until December 31, 2020. Article 127(1) of the withdrawal agreement provides for European Union law to apply to the UK during the transition period, during which the UK will continue to be bound by virtually all of the rules and regulations of the European Union (EU), including the General Data Protection Regulation (GDPR) while the EU and UK negotiate their future relationship. The direct applicability of the GDPR will allow data to continue to flow freely between the UK and the EU during the transitional period.

If a withdrawal agreement is not in place, (often referred to as a no-deal scenario), then there will be no transition period, and the UK ceases to be treated as an EU member. This would mean the UK is no longer subject to the GDPR, but will be implementing GDPR into UK law. They would be considered a third party state until they are deemed "adequate".

What is the likely outcome?

There is no certainty yet on how the UK will leave the EU or on the future of the UK's adequacy status under the GDPR. The possibilities range from the UK and the EU maintaining a very close relationship to a no-deal outcome where the EU treats the UK as a third country without adequacy status, until such status can be negotiated and obtained.

Cross-border data flows and PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity.
PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. PIPEDA does establish rules governing transfers for such processing and the transferring organization is accountable for the information in the hands of the organization to which it has been transferred. The party receiving the data for processing must use contractual or other means to provide a comparable level of protection while the information is being processed.

The Office of the Privacy Commissioner of Canada (OPC) has published guidance regarding the GDPR and its potential effect on Canadian businesses. They have created a page with useful information for firms who would like to know more about the GDPR and its requirements. Their page may be accessed at this link: