Published on Jan 27, 2021
On Christmas Eve 2020, Prime Minister Boris Johnson gave businesses the Christmas present they longed for – an end to the risk of a no-deal Brexit when the transition period concluded. The trade and co-operation agreement and the subsequent EU (Future Relationship) Act 2020, which transposes the agreement’s provisions into UK law, may only be the beginning of EU/UK negotiations, but in a pandemic-ridden economic environment it is a welcome start.
At 11 pm on 31 December 2020, the EU General Data Protection Regulation (GDPR) ceased to apply to UK personal data (but not to UK organisations). However, the EU GDPR’s provisions had already been transposed into UK law, with the UK GDPR being established by the European Union (Withdrawal) Act 2018, which incorporates the body of EU law (including the GDPR) as it existed on exit day, aided by amendments made by:
Confused about data protection legislation? Welcome to the post-Brexit UK. Given that 47 years of integration as an EU member state in almost every area of trade, security, regulation and movement of people has ended (albeit with many areas already transposed into UK law), it will take some time for organisations to fully grasp the changes brought about by leaving the Union.
Regarding data protection law, below are the key developments arising from the post-Brexit trade deal that organisations processing personal data must be aware of.
The UK GDPR stands separate from the EU GDPR, although it is essentially the same. The text has been revised so that it reads "United Kingdom" instead of "Union" and "domestic law" rather than "EU law". However, terms such as ‘personal data’, the ‘rights of data subjects’, ‘controller’ and ‘processor’, and the need for ‘legitimate conditions’ and ‘consent’ for collecting and processing personal data remain.
A further change is that at 11 pm on 31 December 2020, the European Data Protection Board lost its authority over UK data protection matters. The Information Commissioner's Office (ICO) is now the first and final supervising authority.
The Government announced on 28 December 2020 “that the treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA – the European Economic Area consisting of the EU states along with Norway, Iceland, and Liechtenstein) to the UK until an adequacy decision has been adopted”. This extension is for four months, with the option to extend to six months, to allow for an adequacy decision.
Regarding the ‘bridging period’, the Information Commissioner, Elizabeth Denham stated:
“…this means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.”
However, the ICO has recommended that organisations continue to prepare contingencies and “alternative transfer mechanisms” in case an adequacy agreement is not reached, as a “sensible precaution”, and suggests this should be in place by the end of April.
The UK GDPR automatically recognised all EU countries as adequate and declared all existing EU adequacy decisions as UK adequate.
Within the EU, if a third country is recognised as ‘adequate’, it means the European Commission has ruled that the third country has an adequate level of data protection, and additional safeguards are not required when sending personal data from an EU state.
Although there is no guarantee that the UK will be granted adequacy, the commitment between the UK Government and the EU to create a favourable adequacy decision on both sides is clear from the ‘bridging period’ and allows the continuation of data transfers whilst the adequacy decision is being made.
If no adequacy agreement has been reached by the end of the bridging period, data transfers will require alternative safeguarding mechanisms to be in place, such as standard contractual clauses and binding corporate rules.
Standard contractual clauses (SCCs) are clauses approved by the European Commission, and in the UK by the ICO, to ensure adequate safeguards are in place for personal data transfers when data is being moved from the EU (or the UK) to third countries.
Binding corporate rules (BCRs) are approved in the EU by a Competent Supervisory Authority cooperating with the other Supervisory Authorities through what is called the consistency mechanism, to allow multinational corporations to transfer personal data internally throughout their group of enterprises. They are legally binding, apply to and are enforced by every member of the group worldwide, and must confer enforceable rights on data subjects.
If your UK company trades goods or services with, or monitors, data subjects within the EEA but has no office, outlet or other form of establishment in the EEA, you will be required to appoint a representative (in writing, setting out the terms of the agreement) in one of the EEA countries where the processing occurs. This representative will be authorised to act legally on your behalf regarding EU GDPR compliance; however, this does not affect your own responsibilities and liabilities.
If your UK company has an outlet, office, or other establishment in the EEA, you will be required to register with a Supervisory Authority in an EU/EEA country. You are still required to register in the UK with the ICO to continue your processing activities in the UK.
Where you are processing data from outside the jurisdiction, you will also need to appoint a representative in the EU/UK. Because you will have dual compliance requirements, one in the UK and one in the EU, you could potentially face dual sanctions for breaches, one set of sanctions from the ICO, and a second from the EU Supervisory Authority.
There is still a great deal of uncertainty regarding the effect of Brexit on data protection and privacy. Some of the uncertainty will be resolved once we know whether the UK will be granted adequacy.
In the meantime, organisations processing personal data from EEA data subjects may want to put contingency plans in place. These include familiarising themselves with extra safeguards such as SCCs or BCRs. Furthermore, organisations processing the personal data of EEA nationals that do not have an office, branch or other establishment in the EEA need to understand how a representative can be appointed.
We will update you as soon as a decision has been made on a UK/EU adequacy agreement.
Explore the GDPR & FOI certified training from BCS, the Chartered Institute for IT, as well as the IAPP accredited GDPR and privacy management training courses we offer. To learn the essential aspects of data protection and privacy law, book a flexible, certified online course.
[1] A Keeling Schedule is usually included as an appendix to the proposed amendment. The schedule is named for E.H. Keeling, a member of Parliament who began promoting the use of schedules in 1938 as a way to avoid amending legislation by reference.