The Brexit trade deal has now been agreed between the EU and UK.
Here we summarise the implications for data protection including the important issue of cross-border data flows, which are critical for businesses to maintain between the EU and UK.
1. Legal Framework
UK data protection law has historically been governed by the General Data Protection Regulation (GDPR), which came into effect across all EU member states (including the UK) on 25 May 2018. The GDPR created a harmonised legal framework regulating the way in which personal data is collected, used and shared throughout the EU.
On 1 January 2021 (exit day), the GDPR will cease to have direct effect in the UK. However, as the UK is committed to maintaining an equivalent data protection regime, a UK version of the GDPR will apply from that date. This UK GDPR will carry across much of the existing EU GDPR legislation, but will apply as an independent law, outside the harmonised regime we have become used to under the GDPR.
- The UK GDPR is established by the European Union (Withdrawal) Act 2018, which incorporates the body of EU law (including the GDPR) as it exists on exit day into UK law thereafter (the ‘UK GDPR’).
- The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (‘EU Exit Regulations’) apply a number of necessary changes to the GDPR to make it relevant to the UK following departure from the EU – for example to remove references to cross-border data transfers with other Member States and participation in EU-wide institutions such as the EDPB.
- The EU Exit Regulations also deal with the arrangements for the UK to adopt its own adequacy decisions and contractual safeguards for data transfers.
- The Data Protection Act 2018 remains in place, effectively subordinate to the UK GDPR. It is also amended by the EU Exit Regulations.
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 will remain in place, but will now refer to the UK GDPR.
Organisations operating in both trading areas will need to be ready to manage privacy compliance under what will become two separate (albeit largely parallel) legal and regulatory enforcement regimes, and organise their privacy office and compliance structures accordingly.
2. Data Transfers
The GDPR imposes restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from an adequacy decision.
- The EU Exit Regulations effectively grant interim adequacy decisions in favour of all the EEA member states. Therefore, UK organisations may continue to be able to send personal data to organisations in the EEA.
- The EU Exit Regulations also allow UK organisations to continue to rely on the 13 existing adequacy decisions adopted by the EU, which allow data to be transferred to countries previously deemed as adequate (e.g. New Zealand, Israel, Channel Islands).
- These arrangements are intended to be temporary measures, and in time the UK is expected to conduct its own adequacy assessments (including of all EU member states). However, in the interim they offer welcome continuity and certainty.
Until the trade agreement was published, there was considerable uncertainty about what would happen, with a ‘no deal’ scenario preventing organisations from transferring data into the UK without adopting SCCs and conducting transfer impact assessments for each data transfer.
- The trade agreement resolves this by making it lawful to transfer personal data from the EU to the UK for a period of up to six months from 1 January 2021. This ‘bridging’ period is designed to allow the EU the time needed to adopt a formal adequacy decision which will allow the continuing flow of personal data to the UK, at least for an interim period (this is subject to the UK holding back from adopting any of its own adequacy decisions, or approving any new standard contractual clauses (SCCs) that go beyond those already approved by the EU, without prior EU approval).
- The EU-UK Joint Declaration, published alongside the trade agreement, includes a clear commitment from the EU to secure a favourable adequacy decision for the UK within the near term.
- Although the Joint Declaration is not legally binding, the commitments that have been made, alongside the six-month bridging period in the trade agreement, will be welcome news to business and should give sufficient confidence to anticipate that adequacy will be resolved shortly.
3. Dual regulatory exposure
If an organisation has processing activities in both the EU and UK, or is targeting customers or monitoring individuals in the EU from the UK (or vice versa), following Brexit it is likely that the organisation will be subject to regulatory responsibilities under both the EU and UK versions of the GDPR. This is due to the extra-territorial scope of the GDPR in Article 3. Depending on the circumstances, this may result in additional compliance requirements to:
- Appoint a separate data protection officer (DPO) for both the UK and EU;
- Nominate a new lead supervisory authority in the EU as well as registering with the ICO for processing activities in the UK;
- Appoint a local representative in the EU/UK, where you are processing data from outside the jurisdiction; and
- Manage potential exposure to sanctions/fines under both the EU and UK regulatory enforcement regime, i.e. risk of double jeopardy for any infringement.
4. Other actions to take
As well as managing cross-border data transfers, ensure that all references in governance records, contracts and transparency notices to the EU/EEA are updated to reflect the post-Brexit position of the UK being outside the EU. This may require changes to:
- Records of processing activities, insofar as these are impacted by Brexit;
- Privacy Notices, which should refer to any data transfers to ‘third countries’ as well as include correct details of any DPO, local representative and/or lead supervisory authority;
- Data Protection Impact Assessments (DPIA), which may need to be updated if they refer to a transfer which becomes a transfer to a ‘third country’ on exit-date; and
- Contracts with third parties, if they include specific reference to the GDPR, EEA or anticipate a data transfer between the EU and the UK.
5. Position under the Withdrawal Agreement
Most of the provisions within the Withdrawal Agreement are no longer relevant now that the transition period has finished. The EU GDPR will however continue to apply within the UK as EU law after the transition period, insofar as any EU-originating personal data continues to be processed within the UK post-transition, where the relevant data processing commenced before the end of the transition. This protective provision will fall away if the UK secures an EU adequacy decision.