Brexit, Trade Deals and GDPR: What happens next?


Regardless of whether we have a Brexit trade deal with the EU, GDPR and the Data Protection Act 2018 are here to stay. There will however be some changes to prepare for and a new title for GDPR to get used to. 

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the regulations”) were made last year to amend GDPR and the DPA ready for a post-Brexit UK. Until the end of the Brexit transition period (currently 31st December 2020) the GDPR will apply “as is”. On 1st January 2021 the regulations will amend GDPR and retitle it as “UK GDPR”.

The amendments are essentially a tidying up exercise. The EU version of GDPR contains many references to EU laws, institutions, currency and powers which will cease to be relevant in the UK after the transition period. The UK GDPR will have these references omitted or replaced with British equivalents where applicable. The functions that are currently assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner. There are, however, more significant issues which will impact many organisations (both Data Controllers and Processors) as the UK leaves the EU data protection regime.

EU Representative  

Just like the EU GDPR, the UK GDPR will have an extraterritorial effect. In addition to applying to organisations established in the UK that process personal data, it will also apply to organisations outside the UK if they offer goods or services to, or monitor the behaviour of, UK residents. Consequently, some organisations may have to comply concurrently with both versions of GDPR. Article 27 of both versions requires organisations established outside their jurisdiction to appoint a representative within it. This means UK organisations that continue to be subject to the EU GDPR, after 31st December, will need to appoint a representative in the EU and vice versa. A number of companies have sprung up to offer this service. Who to choose will depend on many factors including expertise, type of service offered and language spoken.

International Transfers 

On 1st January 2021, the UK will become a third country for the purposes of international data transfers under the EU GDPR. This means that the lawful transfer of personal data from the EU into the UK, without additional safeguards being required, will only be possible if the UK achieves adequacy status and joins a list of 12 countries. This is proving increasingly unlikely before the deadline.

The UK GDPR deals with post-Brexit international data transfers from the UK by recognising all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision. It also contains a similar mechanism (to the EU GDPR) for data transfers to the US known as the Privacy Shield. This may be problematic given that the European Court of Justice ruled in the “Schrems II case” that the Privacy Shield was invalid. In its ruling the ECJ was concerned about US authorities’ wide-ranging powers to access the personal data of EU residents and the impact on their privacy. The same could be said for UK laws, which means that there will also be uncertainty about EU transfers of personal data to the UK.

The UK GDPR will also recognise current EU Standard Contractual Clauses as valid for international transfers. Use of such clauses, whilst still lawful, will again need careful consideration. The ECJ in Schrems was clear that the responsibility lies with Data Controllers in the EU and the recipient of the personal data to satisfy themselves, on a case by case basis, that the legislation of the third country enables the recipient to comply with the standard data protection clauses before transferring personal data to that third country. If a country, like the USA, has legislation in place that obliges recipients to share personal data with public authorities, then Data Controllers must assess, on a case by case basis, whether that mandatory requirement doesn’t go beyond what is necessary in a democratic society to safeguard national security, defence and public security. 

Keeling Schedule 

The Government has produced a Keeling Schedule document showing the detailed changes that will be made to the GDPR to make it the UK GDPR. You can buy a bound colour copy here. This is a popular supplement to our GDPR Handbook.

The regulations also amend the DPA 2018, which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”), for example, where personal data processing is related to immigration and to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will soon become part of the UK GDPR.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe? Our GDPR Essentials e-learning course can help you do this in less than 45 minutes.

About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 17 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises.

2 Responses to Brexit, Trade Deals and GDPR: What happens next?

  1. Michelle Gabay says:

    Thanks Ibrahim – I still can’t get a clear view on what we do as a third country data controller receiving our data back from an EU Processor – other than putting suitable measures in place. There is not a specific EU Processor to third country Controller Model Clause – it’s whether the European Regulators consider their Processors need to have something in place for the transfer or whether we are simply receiving our data back from the EU, which the UK considers adequate. That is, do we re-paper with existing Model Clauses which don’t cover that transfer, do we consider the UK is satisfied, there is no issue, or do we consider a European Regulator might want to see what the Data Processor has done to legitimise that particular transfer…

    • Hi Michelle. From 1st Jan the UK will not be an adequate country as far as the EU is concerned unless there miraculously appears an EU adequacy finding. So for your EU processors sending data back to you in the UK they have to consider the EU GDPR restrictions on transfers. You are right there are no SCCs to cover this. So they are left with applying an Art 49 derogation. Consent, contract or compelling legitimate interests come to mind. Remember though that if you are based in the UK, there is no issue for you when receiving the data from your EU processor. Hope this helps.
