Since 2018 UK data protection law has been governed by the General Data Protection Regulation (GDPR). This created a harmonised legal framework regulating the collection, use and sharing of personal data throughout the EU.
As of 1 January 2021 the EU GDPR ceased to have effect in the UK. Instead, under the European Union (Withdrawal) Act 2018, a UK version of the GDPR now applies (the "UK GDPR"). This carries across much of the existing EU GDPR text, but applies as an independent law.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 ("Exit Regulations") make the changes to the GDPR needed for it to operate in the UK following departure from the EU.
The Data Protection Act 2018 remains in place, operating alongside and supplementing the UK GDPR, and is itself amended by the Exit Regulations.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 also remain in place, but now refer to the UK GDPR.
Businesses operating in both the UK and the EU will therefore need to manage privacy compliance under two separate (albeit largely parallel) regimes.
Data Transfers
The GDPR restricts the transfer of personal data to a "third country" unless that country benefits from an adequacy decision, i.e. a determination by the EU that the third country provides an adequate level of data protection, or another transfer mechanism (such as standard contractual clauses) is in place. The UK is of course now a third country.
As a welcome interim measure the Exit Regulations:
- grant interim adequacy decisions in favour of all EEA member states. Therefore, UK organisations are able to continue to send personal data to organisations in the EEA.
- allow UK organisations to continue to rely on the 13 existing adequacy decisions adopted by the EU, which allow data to be transferred to countries previously deemed as adequate (e.g. New Zealand, Switzerland and Israel).
Over time it is expected that the UK will need to conduct its own adequacy assessments (including of all EU member states).
Of considerable concern in a no deal scenario was the transfer of data from the EU to the UK, as this would have required "standard contractual clauses" (together with a transfer impact assessment) or another transfer mechanism for each data transfer. Thankfully the trade agreement and the EU-UK Joint Declaration provide some interim relief:
- personal data may continue to flow from the EU to the UK, without being treated as a transfer to a third country, until 1 May 2021. This interim period is intended to give the EU time to adopt a formal adequacy decision in respect of the UK. It is conditional on the UK holding back from adopting any adequacy decisions of its own, or approving any new standard contractual clauses (SCCs) going beyond those already approved by the EU, without prior EU approval. If no adequacy decision has been granted by 1 May 2021 the interim period is extended until 1 July 2021 unless either side objects.
- a clear commitment from the EU to seek a favourable adequacy decision for the UK in the near term.
The Information Commissioner has described this as the best possible outcome for UK organisations processing personal data from the EU, but has also recommended that organisations continue to work on alternative mechanisms for transferring data as a sensible precaution against the risk that the EU does not adopt an adequacy decision in favour of the UK. The hope and current expectation is that there will be such a decision, but this cannot be guaranteed.
Dual Regimes
If an organisation has processing activities in both the EU and the UK, or targets customers or monitors individuals in the EU from the UK (or vice versa), it is likely to be subject to regulatory responsibilities under both the EU and UK versions of the GDPR. Depending on the circumstances, this may result in additional compliance requirements to:
- Appoint a separate data protection officer (DPO) for each of the UK and the EU.
- Nominate a lead supervisory authority in the EU, as well as registering with the ICO for processing activities in the UK.
- Appoint a local GDPR representative in the EU (or, for an EU organisation targeting or monitoring individuals in the UK, a representative in the UK).
Practical Steps to Take
References in governance records, contracts and transparency notices should be updated to reflect the UK being outside the EU. Areas for update include, for example:
- Privacy Notices.
- Data Protection Impact Assessments.
- Contracts with third parties that anticipate a data transfer between the EU and the UK.
If you need advice or assistance in relation to these or any other data protection issues, please contact a member of the Corporate and Commercial Team on 0808 166 8827.