At 11pm on 31 December 2020 the Transition Period came to an end and the EU data protection legislation was formally incorporated in UK domestic law. At the same time, the UK entered into a trade deal with the EU (the EU-UK Trade & Co-operation Agreement) under which the UK and EU committed to upholding high standards of data protection legislation. With all of these significant changes, we have set out a summary of the key implications for data protection including the important issue of cross-border data flows, which are critical for businesses to maintain between the EU and UK.
- Legal Framework
UK data protection law has for the last two and a half years been governed by the General Data Protection Regulation (GDPR), which came into effect across all EU member states (including the UK) on 25 May 2018. The GDPR created a harmonised legal framework regulating the way in which personal data is collected, used and shared throughout the EU.
On 1 January 2021, the GDPR ceased to have direct effect in the UK. However, as the UK is committed to maintaining an equivalent data protection regime, a UK version of the GDPR will apply from that date. The new “UK GDPR” carries across much of the existing EU GDPR legislation, but will apply as an independent law, outside the harmonised regime we have become used to under the GDPR. Below is a summary of the key changes:
- The UK GDPR is established by the European Union Act 2018, which incorporated the body of EU law (including the GDPR), as it existed on exit day, into UK law thereafter;
- The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (EU Exit Regulations) applied a number of necessary changes to the GDPR to make it relevant to the UK following departure from the EU, for example to remove references to cross-border data transfers with other Member States and participation in EU-wide institutions such as the EDPB.
- The EU Exit Regulations also deal with the arrangements for the UK to adopt its own adequacy decisions and contractual safeguards for data transfers.
- The Data Protection Act 2018 remains in place, effectively subordinate to the UK GDPR. It is also amended by the EU Exit Regulations.
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 will remain in place, but will now refer to the UK GDPR.
- Data Transfers
The UK GDPR imposes restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from an adequacy decision. The EU Exit Regulations effectively grant interim adequacy decisions in favour of all the EEA member states. Therefore, UK organisations may continue to send personal data to organisations in the EEA, and the Regulations also allow organisations to continue to rely on the 13 existing adequacy decisions adopted by the EU.
- Dual Regulatory exposure
If an organisation has processing activities in both the EU and UK, or is targeting customers or monitoring individuals in the EU from the UK (or vice versa), following Brexit it is likely that the organisation will be subject to regulatory responsibilities under both the EU and UK versions of the GDPR, due to their extra-territorial scope in Article 3. Depending on the circumstances, this may result in additional compliance requirements to:
- Appoint a separate data protection officer (DPO) for both the UK and EU;
- Nominate a new lead supervisory authority in the EU as well as registering with the ICO for processing activities in the UK;
- Appoint a local representative in the EU/UK, where you are processing data from outside the jurisdiction; and
- Manage potential exposure to sanctions/fines under both the EU and UK regulatory enforcement regimes, i.e. the risk of double jeopardy for any infringement.
- Other actions to take
As well as managing cross-border data transfers, ensure that all references in governance records, contracts and transparency notices to the EU/EEA are updated to reflect the post-Brexit position of the UK being outside the EU. This may require changes to:
- Records of processing activities, insofar as these are impacted by Brexit;
- Privacy Notices, which should refer to any data transfers to ‘third countries’ as well as include correct details of any DPO, local representative and/or lead supervisory authority;
- Data Protection Impact Assessments (DPIA), which may need to be updated if they refer to a transfer which becomes a transfer to a ‘third country’ on the exit date; and
- Contracts with third parties, if they include specific reference to the GDPR, EEA or anticipate a data transfer between the EU and the UK.
- Updating your contracts
As referred to above, contracts will need to be updated in light of the new UK data protection legislation. Whilst the key principles, rights and obligations will remain the same, it is important to ensure that contracts between UK-based organisations involving data transfers within the UK make reference to the UK GDPR, the amended Data Protection Act 2018, and the amended Privacy and Electronic Communications Regulations 2003 (SI 2003/2426). However, it is important to note that the EU GDPR has not gone away and may still apply directly to a UK-based organisation if it operates in Europe, offers goods or services to individuals in Europe, or monitors the behaviour of individuals in Europe. The EU GDPR will also continue to apply to any organisations in Europe that send data to the UK. As such, it is possible that both the UK and EU legal regimes will apply to one contract; this should be considered, and accounted for in drafting, on a case-by-case basis.
The ICO’s guidance recommends that any contracts that require updates in light of international data transfers (i.e. any transfer of data outside of the UK) should be updated accordingly, and it is important that such contracts are reviewed and updated to reflect this now that the Transition Period has ended. The UK is in the process of rolling out its own adequacy regulations (previously known as “adequacy decisions”) and these should be checked.
Finally, the ICO has confirmed that the EU Commission’s standard contractual clauses (SCCs) will continue to apply to restricted data transfers from the UK; however, it is now possible to make changes to the SCCs such that they make sense in a UK context provided the legal meaning of the SCCs is not changed. That being said, the EU Commission is in the process of finalising an updated set of SCCs which are intended to be published in early 2021 and the ICO is also intending to consult on and publish UK SCCs in 2021. It may be that at some point the European SCCs will cease to be valid for new and/or existing restricted transfers from the UK but the ICO will provide plenty of notice should this situation arise.
- What happens to GDPR after Brexit in the UK?
An interim data agreement will secure unrestricted personal data flows between the UK and the EU for six months (until June 2021), in the hope that an adequacy decision will be reached before then. UK data protection law has been changed to accommodate the loss of the EU GDPR’s direct domestic applicability, including new domestic data privacy laws such as the UK GDPR and an updated Data Protection Act. In addition, after 1 January 2021, the EU’s GDPR will still apply inside the EU to UK websites and companies that process personal data from inside the EU.
This article was co-written by Rachel Bacon, Paralegal.