The UK data protection law and Brexit
The UK government’s general election victory on 12 December 2019 means parliament will now pass the European Union (Withdrawal Agreement) Bill.
Brexit will, therefore, finally go ahead on 31 January 2020.
Now that the withdrawal agreement has been passed by parliament, the government will have until 31 December 2020 to negotiate the UK’s future relationship with the EU – although it is still possible for this deadline to be extended.
No trade deal of this size and complexity has ever been agreed between the EU and a third country in such a short time, so the risk of the UK’s trade relationship with the EU defaulting to WTO (World Trade Organization) terms still exists.
During the 11-month transition period, EU law – including the EU GDPR (General Data Protection Regulation) – will continue to apply in the UK.
This post explains what we know so far about how Brexit will affect international transfers of personal data after 31 December 2020.
Data protection law in the UK before Brexit
The EU GDPR entered into force on 24 May 2016, before the UK’s referendum on EU membership. Following a two-year transition period, the Regulation took effect on 25 May 2018, superseding the EU’s DPD (Data Protection Directive) 1995 and all member state law that implemented it – including the UK DPA 1998.
Although it applies directly in member states with all the force of a domestic law, the EU GDPR leaves certain areas to individual member states to interpret and implement. In the UK, this is achieved by Part 2, Chapter 2 of the DPA 2018, which should be read alongside the Regulation.
As well as modifying the EU GDPR, the DPA 2018 applies a broadly similar regime of data protection – known as “the applied GDPR” – to certain areas that fall outside the EU GDPR’s scope, including processing by public authorities.
It also sets out data processing regimes for law enforcement purposes and the intelligence services.
Data protection law in the UK after Brexit: the UK General Data Protection Regulation
Although the EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020), UK organisations must still comply with the Regulation’s requirements.
First, the DPA 2018 enacts the EU GDPR’s requirements in UK law.
Second, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit.
This new regime will be known as ‘the UK GDPR’.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 also provides that transfers of personal data from the UK to the US that rely on the EU-US Privacy Shield can continue. See Post-Brexit international data transfers: adequacy decisions, below, for more information.
There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the EU GDPR.
The EU GDPR will – like all other EU regulations – continue to apply in the UK until the end of the transition period (31 December 2020).
From this point, the UK GDPR will apply.
The UK will be classified as a third country from the end of the transition period. Until an adequacy decision is reached, UK organisations that process personal data on behalf of EU data controllers will need to rely on other measures – such as standard contractual clauses or binding corporate rules – to transfer personal data from the EEA to the UK. This is discussed in greater depth below.
Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.
The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.
Post-Brexit international data transfers: adequacy decisions
In order for international data flows from the EEA to the UK to continue unhindered after Brexit, the European Commission will need to determine that the UK, as a third country, offers personal data an adequate level of protection via an adequacy decision as per Article 45 of the EU GDPR.
The UK hopes that, by enacting the EU GDPR’s requirements in domestic law, it will be able to demonstrate that it continues to enforce international data protection requirements after it leaves the EU.
To date, the Commission has adopted 13 adequacy decisions: with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield). Talks with South Korea are ongoing.
Both the EU and UK hope to complete the adequacy decision process within the transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was Japan, and that process took just over two years. The UK has only 11 months.
If an adequacy decision is not reached by 31 December 2020, organisations in the UK will have to rely on binding corporate rules or standard contractual clauses to transfer personal data from organisations in the EEA. (The EU GDPR also makes provision for personal data to be transferred to third countries based on approved codes of conduct – such as the EU-US Privacy Shield – but no such code has been agreed for transfers from the EEA to the UK yet.) It is important to note that, as the UK’s ICO will no longer be a supervisory authority under the EU GDPR, it will not be able to approve binding corporate rules for transfers of personal data from the EEA to the UK. Such binding corporate rules will, therefore, need to be approved by a supervisory authority within the EU.
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is higher.
Prudent organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached.
Transfers of UK personal data to the US
As to transfers of UK personal data to the US, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 makes provision to preserve the effect of the EU-US Privacy Shield in the UK in the event of a no-deal Brexit.
US organisations that participate in the Privacy Shield will have to update their “public commitment to comply with the Privacy Shield to include the UK”.
The US Department of Commerce has published guidance for US Privacy Shield organisations on how personal data can continue to flow from the UK to the US in a no-deal scenario, including the model language to use in their updated statements.