Data Protection Changes Taking Effect Under the UK - EU Treaty on Gibraltar
The Data Protection Regulations 2026 came into force at midnight last night on the Implementation Date of the EU–UK Treaty on Gibraltar. They adjust several aspects of the Gibraltar GDPR and the Data Protection Act 2004, principally by replacing references to UK adequacy regulations with references to European Commission adequacy decisions.
The practical day-to-day impact for most Gibraltar businesses will be modest, but the underlying legal framework has now changed, and controllers and processors should be aware of the new position.
The Regulations were made under section 13 of the Treaty on Gibraltar and the European Union Act 2026 and section 184 of the Data Protection Act 2004, implementing Article 14 of the Treaty.
FAQs relating to the Data Protection changes.
- What is the significance of the UK–EU Treaty on Gibraltar for data protection, and what changes are now taking effect?
-
The Data Protection Regulations 2026 came into force at midnight on 15 July 2026, the Implementation Date of the EU–UK Treaty on Gibraltar. They represent a fundamental realignment of Gibraltar’s data protection framework. The Regulations adjust several aspects of the Gibraltar GDPR and the Data Protection Act 2004, principally by replacing references to UK adequacy regulations with references to European Commission adequacy decisions. They were made under section 13 of the Treaty on Gibraltar and the European Union Act 2026 and section 184 of the Data Protection Act 2004, implementing Article 14 of the Treaty.
In addition under the Treaty, Gibraltar is no longer deemed to be a third country for inward transfers of personal data from the EEA, meaning no additional safeguards under Chapter V of the EU GDPR are necessary.
The practical day-to-day impact for most Gibraltar businesses will be modest, but the underlying legal framework has changed significantly, and controllers and processors should be aware of the new position.
In essence, Gibraltar’s data protection regime is pivoting from its post-Brexit alignment with the UK framework towards closer alignment with the EU’s own adequacy architecture
- How has the legal basis for outward transfers of personal data from Gibraltar changed?
-
Previously, Article 45(1) of the Gibraltar GDPR permitted a transfer of personal data to a third country if it would, had it been made from the UK, have been based on UK “adequacy regulations” under the UK GDPR. A transfer to the UK itself was permitted without any further condition.
Under the new Article 45(1), the legal basis changes. A transfer may now take place if it is: (a) to a third country that has an adequacy decision from the European Commission under the EU GDPR; (b) to the United Kingdom; or (c) to a Member State of the European Union. The former reference to UK adequacy regulations, and the definition in paragraph 1A tying that concept to the UK GDPR and UK DPA 2018, are deleted.
Importantly, the “Gibraltar–UK data bridge” is preserved, meaning that transfers of personal data from Gibraltar to the UK (and vice versa) continue as before without the need for additional safeguards.
- In practice, how significant is this change to the adequacy framework for most Gibraltar businesses?
-
In practice, these changes are unlikely to alter the day-to-day position for most Gibraltar controllers or processors. The UK’s adequacy regulations list was carried over from the EU’s own adequacy findings at the end of the Brexit transition period, and the two lists have remained substantially aligned since.
One notable difference, however, is that the EU–US Data Privacy Framework can now be relied on directly without needing to ensure the UK–US extension is in place. That is a welcome simplification for Gibraltar businesses transferring personal data to the United States.
- What practical steps should Gibraltar controllers and processors take to check adequacy going forward?
-
The practical step is straightforward: going forward, verify adequacy by checking the European Commission’s list of adequacy decisions rather than the UK’s list. Controllers and processors should be aware that in the event of future divergence between the two lists, a country adequate under UK regulations but not under an EU Commission decision would no longer be an adequate destination for Gibraltar transfers—and vice versa.
Gibraltar controllers and processors should also take this opportunity to review existing data sharing agreements and, where necessary, amend them to reflect the provisions of the Data Protection Regulations 2026, and for inward transfers disapply any existing EU Standard Contractual Clauses which might be in place.
- What happens if a transfer destination is not covered by an adequacy decision, the UK, or an EU Member State?
-
Where no adequacy decision, UK destination, or EU Member State destination applies, the existing fallback mechanisms continue to operate as before. These include Article 46 safeguards—such as the Gibraltar International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the Gibraltar Addendum coupled with a Transfer Risk Assessment—or any of the other available Article 49 derogations. The architecture of these fallback mechanisms has not changed; it is only the primary adequacy gateway that has been recalibrated.
- Have law enforcement data transfers been affected by the Regulations?
-
Yes. To bring law enforcement transfers into line with the broader changes, section 83A of the Data Protection Act 2004 now references EU Commission adequacy decisions under the Law Enforcement Directive rather than UK adequacy regulations. This ensures consistency across the civilian and law enforcement data transfer regimes.
- What does it mean for Gibraltar to cease being a “third country” under EU data protection law, and how does this differ from an adequacy decision?
-
Under Article 14(7) of the Treaty, references to third countries and their competent authorities in the EU data protection instruments listed in Annex 3—including the EU GDPR—are to be understood as not including the United Kingdom, in respect of Gibraltar and its competent authorities, provided Gibraltar continues to comply with Annex 3.
This is a different and more direct mechanism than an EU adequacy decision. Rather than the European Commission making a finding about Gibraltar’s data protection adequacy status as a third country, Gibraltar is removed from the third-country category altogether. The practical result is the same as if an adequacy finding were in place: EEA-based controllers or processors subject to the EU GDPR will no longer need EU GDPR Chapter V safeguards—typically Standard Contractual Clauses, binding corporate rules, or other transfer mechanisms—when sending personal data to Gibraltar.
- What does this mean for Gibraltar businesses receiving personal data from the EU and EEA?
-
For Gibraltar businesses receiving personal data from third parties, group companies, or partners in the EU and EEA, this removes the need to enter into Standard Contractual Clauses or to have in place additional Chapter V safeguards. It is a welcome change that reduces administrative burden and simplifies the contractual framework for inward data flows from the European Economic Area.
- What is the new interpretive alignment duty imposed on the Gibraltar Regulatory Authority (GRA) in relation to the European Data Protection Board (EDPB)?
-
A new paragraph 5 is inserted into Article 57 of the Gibraltar GDPR. It provides that, whenever the Commissioner decides a case raising similar questions of interpretation to those arising under the EU GDPR, the Commissioner must take “utmost account” of decisions taken by: (a) a foreign designated [data protection supervisory] authority under Article 60 of the EU GDPR, the lead supervisory authority cooperation mechanism underpinning the EU’s one-stop-shop; and (b) the European Data Protection Board under Article 65 of the EU GDPR.
No such obligation existed before. Since Brexit, the GRA’s interpretive frame of reference had in practical terms been closer to the UK Information Commissioner’s Office and the UK GDPR. Going forward, the Commissioner is required to look to EDPB and EU supervisory authority decisions and take such decisions into account where the Gibraltar GDPR mirrors the EU GDPR.
The standard “utmost account” is not absolute, but it sets a high threshold; departure would need clear justification.
- Do the changes extend the EU’s one-stop-shop mechanism to Gibraltar?
-
No. The Gibraltar GDPR already omits the EU provisions on lead supervisory authority competence and cooperation between supervisory authorities. Moreover, Article 14(2) of the Treaty expressly excludes the EU GDPR provisions governing the lead supervisory authority and the [EU] supervisory authority concerned.
The GRA therefore continues to operate as Gibraltar’s sole supervisory authority, handling complaints against Gibraltar-established controllers directly. EU data subjects and controllers subject to the EU GDPR continue to use their own national lead authority under the ordinary one-stop-shop rules. The GRA’s connection to the EU system is limited to participating in EDPB meetings as an expert or guest on relevant agenda items, alongside the new interpretive duty.
- What should Gibraltar businesses do next in light of these changes?
-
There are several practical steps Gibraltar businesses should consider:
First, update your adequacy reference point. Going forward, check the European Commission’s list of adequacy decisions, not the UK’s, to determine whether a transfer destination is adequate.
Second, review existing data sharing agreements and transfer risk assessments to ensure they reflect the Data Protection Regulations 2026. Where agreements reference UK adequacy regulations as the legal basis for transfer, these should be amended.
Third, for businesses receiving data from the EU and EEA, take note that Standard Contractual Clauses and other Chapter V safeguards are no longer required for inward transfers. Existing contractual arrangements referencing those mechanisms should be disapplied, although ensure that the rest of the contractual arrangements e.g. controller to controller data sharing agreements or mandatory Art 28(3) (controller processor) clauses remain in force.
Fourth, be mindful that the GRA’s interpretive alignment with the EDPB may, over time, influence how certain provisions of the Gibraltar GDPR are applied. Businesses should monitor EDPB guidance and decisions as part of their compliance activities.
Finally, organisations with complex data flows should seek tailored professional advice to ensure their arrangements are fully compliant with the new framework.