Brexit and data protection in the UK

Brexit is now underway. Under the terms of the European Union (Withdrawal Agreement) Act 2020, the UK is now in a transition period until 31 December 2020 to allow it to negotiate its future relationship with the European Union – although it is still possible for this deadline to be extended.

No trade deal of this size and complexity has ever been agreed between the EU and a third country in such a short time, so the risk of the UK’s trade relationship with the EU defaulting to WTO (World Trade Organization) terms – effectively a no-deal Brexit – still exists.

During the transition period, EU laws, including the EU GDPR (General Data Protection Regulation), will continue to apply in the UK.

This page explains how Brexit will affect data protection in the UK, including international transfers of personal data after the transition period.

It will be updated as and when new information becomes available.

For comprehensive guidance and practical advice on complying with the GDPR, read our bestselling EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, Third edition.

Data protection law in the UK before 31 December 2020

UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018.

Both laws continue to apply until the end of the transition period.

Data protection law after 31 December 2020: will the GDPR apply in the UK after Brexit?

The EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020). However, UK organisations must still comply with its requirements after this point.

First, the DPA 2018 enacts the EU GDPR’s requirements in UK law. Second, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit.

This new regime will be known as ‘the UK GDPR’.

There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the requirements of the EU GDPR.

The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.

How does Brexit affect international data transfers?

Now that it is no longer an EU member state, the UK has been reclassified as a ‘third country’. This shouldn’t make any difference to UK organisations until the end of the transition period.

Under the EU GDPR, the transfer of personal data from the EEA to third countries and international organisations is permitted only in certain circumstances:

  • If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
  • If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
  • Based on approved codes of conduct. No such code has been agreed for transfers from the EEA to the UK yet.

Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.

Adequacy decisions

To date, the Commission has adopted 12 adequacy decisions:

  • Andorra
  • Argentina
  • Canada
  • The Faroe Islands
  • Guernsey
  • Israel
  • The Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay

Talks with South Korea are ongoing.

The EU-US Privacy Shield, which allowed certified US organisations to process EU residents’ personal data, was ruled invalid by the ECJ (European Court of Justice) on 16 July 2020 following legal action by the Austrian privacy campaigner Max Schrems.

EU data controllers that use US data processors, and US processors that process the personal data of EU residents, are advised to rely on SCCs or BCRs (as appropriate) until a new code of conduct is approved or an adequacy decision is reached between the EU and US.

However, the ECJ noted in its decision that SCCs are only valid if the law in the receiving country ensures adequate protection. If the law in that country makes it impossible to meet the obligations (if the personal data is likely to be interfered with by state surveillance, for instance), they are not valid and there must be additional safeguards to provide the necessary protection. If such safeguards cannot be put in place, the processing must be suspended.

Both the UK and EU hope to complete the adequacy decision process within the Brexit transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was Japan, and that process took just over two years.

Binding corporate rules and standard contractual clauses

If the EU and UK do not reach an adequacy decision by 31 December 2020, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards, such as BCRs or SCCs.

It is important to note that, after the UK leaves the EU, the ICO (Information Commissioner’s Office) will no longer be a supervisory authority under the EU GDPR, and will not be able to approve BCRs for transfers of personal data from the EEA to the UK.

Such BCRs will, therefore, need to be approved by a supervisory authority within the EU 27.

Potential penalties for non-compliance

Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is greater.

Prudent organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached.

External resources

  • The ICO has published guidance and resources for organisations after Brexit
  • The EDPB (European Data Protection Board) has published an information note on data transfers under the GDPR in the event of a no-deal Brexit

Transfers of UK personal data to the US

As to transfers of UK personal data to the US, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 makes provision to preserve the effect of the EU-US Privacy Shield in the UK.

US organisations that participate in the Privacy Shield will have to update their “public commitment to comply with the Privacy Shield to include the UK”.

However, the Privacy Shield, like its predecessor the Safe Harbor agreement, has been ruled invalid by the ECJ because the US does not afford personal data adequate protection as defined by the GDPR.

It is not yet known how this will affect transfers of UK personal data to the US after the transition period.