Regardless of whether we have a Brexit trade deal with the EU, GDPR and the Data Protection Act 2018 are here to stay. There will, however, be some changes to prepare for and a new title for GDPR to get used to.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the regulations”) were made last year to amend GDPR and the DPA ready for a post-Brexit UK. Until the end of the Brexit transition period (currently 31st December 2020) the GDPR will apply “as is”. On 1st January 2021 the regulations will amend GDPR and retitle it as “UK GDPR”.
The amendments are essentially a tidying-up exercise. The EU version of GDPR contains many references to EU laws, institutions, currency and powers which will cease to be relevant in the UK after the transition period. The UK GDPR will have these references omitted or replaced with British equivalents where applicable. The functions currently assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner. There are, however, more significant issues which will impact many organisations (both Data Controllers and Processors) as the UK leaves the EU data protection regime.
Just like the EU GDPR, the UK GDPR will have an extra-territorial effect. In addition to applying to organisations established in the UK that process personal data, it will also apply to organisations outside the UK if they offer goods or services to, or monitor the behaviour of, UK residents. Consequently, some organisations may have to comply concurrently with both versions of GDPR. Article 27 of both versions requires organisations established outside their jurisdiction to appoint a representative within it. This means UK organisations that continue to be subject to the EU GDPR after 31st December will need to appoint a representative in the EU, and vice versa. A number of companies have sprung up to offer this service. Which to choose will depend on many factors, including expertise, type of service offered and language spoken.
On 1st January 2021, the UK will become a third country for the purposes of international data transfers under the EU GDPR. This means that the lawful transfer of personal data from the EU into the UK without additional safeguards being required will only be possible if the UK achieves adequacy status and joins a list of 12 countries. This is proving increasingly unlikely before the deadline.
The UK GDPR deals with post-Brexit international data transfers from the UK by recognising all EEA/EU countries (and Gibraltar) as ‘adequate’, as well as those countries subject to an EU adequacy decision. It also contains a mechanism similar to the EU GDPR’s for data transfers to the US, known as the Privacy Shield. This may be problematic given that the European Court of Justice ruled in the “Schrems II” case that the Privacy Shield was invalid. In its ruling the ECJ was concerned about US authorities’ wide-ranging powers to access the personal data of EU residents and the impact on their privacy. The same could be said of UK laws, which means that there will also be uncertainty about EU transfers of personal data to the UK.
The UK GDPR will also recognise the current EU Standard Contractual Clauses as valid for international transfers. Use of such clauses, whilst still lawful, will again need careful consideration. The ECJ in Schrems was clear that the responsibility lies with Data Controllers in the EU and the recipient of the personal data to satisfy themselves, on a case-by-case basis, that the legislation of the third country enables the recipient to comply with the standard data protection clauses before personal data is transferred to that third country. If a country, like the USA, has legislation in place that obliges recipients to share personal data with public authorities, then Data Controllers must assess, on a case-by-case basis, whether that mandatory requirement goes beyond what is necessary in a democratic society to safeguard national security, defence and public security.
The Government has produced a Keeling Schedule document showing the detailed changes that will be made to the GDPR to make it the UK GDPR. You can buy a bound colour copy here. This is a popular supplement to our GDPR Handbook.
The regulations also amend the DPA 2018, which must be read alongside GDPR. Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”), for example where personal data processing relates to immigration, or to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will soon become part of the UK GDPR.
These and other GDPR developments will be discussed in detail in our online GDPR update workshop. Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe? Our GDPR Essentials e-learning course can help you do this in less than 45 minutes.