i

ARTICLE

Brexit and the GDPR: What is next for data privacy?
Michael van Staveren - Privacy & data protection professional - LL.M CIPP/E

The United Kingdom has left the European Union. There are now only 27 member states remaining. The United Kingdom was a part of the EU when the European Privacy Framework called the ‘GDPR’ came into effect and has therefore also incorporated the GDPR in its own national legislation (this is now called the UK GDPR) alongside the English implementation legislation called the UK Data Protection Act of 2018 (or DPA 2018 for short). The GDPR and UK GDPR both have their origins on the EU mainland. Looking at these facts, one might argue that not much will change since these laws essentially are the same, but is this really the case? If things do change between the two GDPR’s, what will change and how can your organization continue doing business with the United Kingdom, and how can the United Kingdom do business with us? These are questions that we will answer in this article.

Trade Deal

Good news: As part of the new trade deal between the United Kingdom and the European Union, you can continue transferring personal data to and from the United Kingdom for a period up to six months. This means that there will be no restrictions on the flow of personal data up until July 1, 2021. Possibly after this period, the United Kingdom will receive an adequacy decision from the European Commission. Effectively, this means as an organization you have up until this time to make sure that the transfer of personal data will be in compliance, also when an adequacy decision is not given on July 1.

What changed with Brexit?

For the United Kingdom, which is now a third country under the GDPR and possibly later a non-adequate country [1] in the eyes of the European Union, the UK GDPR already took effect on January 31, 2020. At that time the United Kingdom also accepted all the adequacy decisions between the European Union and other countries, and has deemed the European Member States adequate in the eyes of the UK GDPR. This means that in the eyes of the United Kingdom, data transfers from the United Kingdom to Europe stay largely the same.

On January 1, 2021 the UK GDPR and Data Protection Act of 2018 are the de facto Data Protection Legislation for the United Kingdom.[2] It is called the UK GDPR because it is essentially the GDPR with some modifications. For example, the UK GDPR reads differently because notions like ‘European Union’ have been replaced with ‘United Kingdom’ and ‘European Union law’ has been replaced with ‘domestic law’. Also no longer the European Data Protection Board but the Information Commissioners Office (ICO) will be the highest supervisory authority for enforcing data protection regulation in the United Kingdom.

Other changes can be found in the United Kingdom Government’s DPPEC regulation [3]. This includes changes in the field of national security, intelligence services and immigration. Firstly, there is the ending of the co-operation mechanism between European Union supervisory authorities and the ICO. Secondly, there is the removing of the one-stop-shop mechanism regarding data breaches and the establishment of the extra territorial jurisdiction that the United Kingdom will have when companies sell to the United Kingdom or monitor behaviour of United Kingdom citizens. Furthermore, the age of consent for the processing of personal data is lowered to 13 (16 under the GDPR). This being a condensed article, these changes will not be further discussed.

Data Protection Representative (DPR)

Because the UK GDPR has an extraterritorial scope, just like the original GDPR, this means that if you are an organization transferring personal data from the United Kingdom to Europe or vice versa you will have to appoint a data protection representative (DPR) [4]. This position can be fulfilled by a legal or natural person. It is important to know what a DPR does. The DPR has insight and access to the details regarding the processing of personal data that is carried out on individuals in Europe or the United Kingdom by your organization. Meaning that the DPR needs to have access to the organization’s overview of personal data that is being processed. In the GDPR this is called the ‘record of processing activities’. Next to that, the DPR needs to have access to relevant procedures within the organization in order to act in its capacity as the official representative. For example, when an individual informs the DPR that he or she wants to receive a copy of the personal data that is being processed by your organization, the DPR needs to be able to help the data subject with that request. While the responsibility of the processing activity as a whole remains with the organization (also called the controller), the DPR can be held liable for how he or she carries out this role for the organization. This means that the DPR can be subject to enforcement procedures by the ICO or European supervisory authorities.

As part of the new trade deal between the United Kingdom and the European Union, you can continue transferring personal data to and from the United Kingdom for a period up until July 1, 2021.

Transferring personal data from the European Union to the United Kingdom or vice versa

Currently, the United Kingdom is a third country under the GDPR. This means that data transfers to the United Kingdom are restricted unless the United Kingdom receives an adequacy decision from the European Union. Restricted means normal transfer operations are not allowed, and in order to still transfer personal data to the United Kingdom a derogation in the GDPR will need to be used. These can be standard contractual clauses (SCCs), binding corporate rules or a one-off derogation such as informed and explicit consent by the data subject. In practice this means that an existing data processing agreement you might have with, for example, an IT firm in the United Kingdom will no longer be in effect, and one of these other transfer mechanisms needs to be used. [5] It is recommended to gain insight into which data flows there are from the European Union to the United Kingdom and to subsequently update the transfer mechanisms as soon as possible in order to escape liability under the GDPR.

How about the other way round? Transferring personal data from the United Kingdom to the European Union is a little simpler. European Member States are deemed adequate in the eyes of the UK GDPR. This means that controllers can have personal data processed in the European Union under an existing data processing agreement and do not need to use one of the derogations at the moment. Note: the controller needs to be established in the United Kingdom.

The status of the United Kingdom in the eyes of the European Union, will it receive an adequacy decision?

As we have learned, initially England was regarded as  a third country under the GDPR but has since received an adequacy decision. This is  the same  the other way around because England has also  recognized European Member States as adequate.

Before England was granted an adequacy decision, there were factors the European Union had to consider. One such factor was that England has signed an agreement with the United States in October 2019, concerning the flow of certain personal data from England to the United States. Essentially the agreement will reduce certain barriers to data sharing in the fields of crime fighting between the two countries. The EDPB has stated that safeguards in that agreement will possibly be not up to the data protection standards of the European Union. And has called for mandatory prior judicial authorization when sharing metadata and content data. Under the current agreement between England and the United States this is not the case. It is important to note here that while this agreement is in place between England and the United States it would create a loophole in the GDPR, because an adequate country would essentially have a non-GDPR compliant agreement with another non adequate country. The EDPB stated that this will be taken into account by the European Commission when deciding whether or not England will receive an adequacy decision.[6] Ultimately, on 28 June 2021, the European Union granted an adequacy decision to England and thus, England is regarded as an adequate country.

Currently the United Kingdom is focused on attracting substantial foreign economic investments and it might feel the need to relax data protection regulations in light of this aim. Taking into account the above, it is worth noting that the European Commission has introduced a so called sunset clause. This means that the adequacy decision that we talked about in this article is valid until June 2025.

After June 2025 the adequacy decision needs to be explicitly renewed. What will happen in the future is that the European Commission will review the situation in the United Kingdom in anticipation of this date. If the situation occurs that the United Kingdom changes for the worse and the adequacy decision is not renewed, the United Kingdom will become inadequate once again.

Take away points

  • There is a transitional phase, and there will be no restrictions up until July 1, 2021.
  • The United Kingdom is currently a third country under the GDPR.
  • The United Kingdom might receive an adequacy decision, but currently it seems that this will not be the case due to the recent agreement between the United States and the United Kingdom.
  • When operating from the United Kingdom as a controller that processes personal data in the European Union a DPR might need to be appointed and vice versa.
  • The United Kingdom has recognized the European Union as adequate, this means that the transfer of personal data from the United Kingdom to the European Union can continue.
  • Standard Data Processing Agreements between the European Union and the United Kingdom are no longer valid. A derogation must be used. These can be standard contractual clauses (SCCs), binding corporate rules or a one-off derogation.
  • The time to act is now, waiting until July 1 is not recommended.

 

[1] Non-adequate country: A country under the GDPR that has not received an adequacy decision, this means that appropriate measures must be taken to safeguard the transfer of personal data. This can mean (among others) standard contractual clauses and binding corporate rules.
[2] If you have any ‘legacy’ personal data, collected before the 1st of January 2021, the original (non UK) GDPR continues to apply to that personal data as well.
[3] Data Protection, Privacy and Electronic Communication (EU Exit) Regulation.
[4] Unless processing is occasional, does not include large scale processing of special categories of personal (or criminal) data, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context and purpose of the processing activity.
[5] Standard Contractual Clauses (often the easiest option for most organizations) can be downloaded from the website of the European Commission and filled in. Please note: SCCs cannot be altered, only filled in.
[6] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_letter_out_2020-0054-uk-usagreement.pdf

The EU-US Privacy Shield is invalid!
Webinar
Step-by-step plan data breach protocol
Tool
GDPR, what does it mean for non-EU companies?
White paper