Brexit & Data Protection – A vision for 2021?
- A central issue at the heart of Brexit negotiations between the UK and EU remains the free flow of Personal Data.
- Any Personal Data which has been processed prior to the end of the Transition Period will still need to comply with the GDPR in relation to that “set” of data.
- The UK GDPR is similar to the EU GDPR, but its impact differs in a number of ways.
- The more steps you take to plan for a post-Brexit data ecosystem, the easier it will be to demonstrate compliance.
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) arrived with a bang on 25 May 2018, with many businesses fearing that potentially far harsher sanctions for non-compliance along with far higher fines from the Information Commissioner’s Office (ICO) and far higher numbers of civil claims based on data breaches were going to immediately cripple them. GDPR-mageddon was, apparently, upon us.
Two years on, privacy has, in the words of the ICO’s 2019/20 Annual Report, been “established as a mainstream concern” in the wake of a digital revolution whose effects have only been hastened by the COVID-19 outbreak. Even so, the sense remains that, although businesses are expected to have moved beyond baseline compliance, many are still working towards it.
We’ve seen some considerable fines imposed under the new legislation, but many SMEs in particular may continue to believe that the real targets for more punitive enforcement are either businesses with a complete disregard for their data protection obligations or bigger businesses such as British Airways, Marriott and Ticketmaster. Even the multi-million pound monetary penalties levied against those companies have been negotiated down over time, and with the effect of Brexit casting a shadow over the economic prospects of Q1 2021, businesses may feel as if they already have their hands full and their compliance budgets allocated.
However, one of the central issues at the heart of Brexit negotiations between the UK and EU remains the free flow of Personal Data (any information which can identify a living individual, to be used or “processed”) between the two sides after the end of the Transition Period on 31 January 2020. UK Government ad campaigns have told businesses to “get ready” for life outside the EU, and the purpose behind this Briefing is to explain why you need to do so, along with what you need to do and when.
WHERE WE ARE NOW
It’s important to note that during the Transition Period the GDPR continues to apply in the UK, supported and tailored to our local requirements by the DPA 2018. Existing guidance from the ICO remains valid, and it’s always worth keeping an eye on its website at www.ico.org.uk for updates and registering to receive their newsletters for the most up-to-date news on data protection issues more generally. Quite apart from content relating to the Brexit negotiations, the ICO regularly provides updates on direct marketing, homeworking and cybersecurity amongst a wealth of other subjects.
Any Personal Data which a Data Controller (i.e. the business, organisation or person who decides what Personal Data is collected and processed, along with its purpose for doing so) has been processing (carrying out pretty much any activity in relation to it) prior to the end of the Transition Period will still need to comply with the GDPR in relation to that “set” of data. However, what happens at the end of the Transition Period depends largely on the progress of the ongoing negotiations.
As the GDPR is a European Regulation (referred to below as the EU GDPR, for reasons which will become obvious), it won’t directly apply to the UK post-transition. It will, however, still apply extraterritorially, meaning that any business offering goods or services to or monitoring EEA residents will still need to comply with it.
In the meantime, the UK Government made new regulations last year, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which deal specifically with how data protection will be handled after the Transition Period ends, and which amend the EU GDPR and DPA 2018 so that they work in a UK-only context and fit the terms of whatever our new relationship with the EU will be. These regulations are usually referred to as the UK GDPR. It’s also important to note that the DPA 2018, which implements, tailors and supplements the EU GDPR within the UK, will continue to apply alongside the new UK GDPR – the two will effectively be merged into a new UK data protection regime.
WHERE WE'RE GOING
The UK GDPR is pretty similar in terms of approach to the EU GDPR, but its impact is different in certain respects, specifically in relation to cross-border Personal Data transfers.
One of the most important objectives of the new UK GDPR is to allow the UK Government to keep its data protection framework under review, and to diverge from the EU approach as and where necessary. For the time being, it’s doubtful that the UK will move too far away from legislative requirements that Data Controllers are still getting used to dealing with, so any suggestion that the UK would become a “data haven” seems to be overblown. Encouraging investment into the UK will be a top priority post-transition, and where entrants into the market may find themselves having to comply with the new UK GDPR alongside the EU GDPR, the UK Government will want to make that process as easy as possible.
What this means is that Data Controllers are likely to see little immediate change in data protection compliance requirements after the end of the Transition Period. Existing GDPR Guidance from the ICO will continue to apply, and the UK Government has said that transfers of Personal Data from the UK to the EU won’t be affected or restricted. That depends, however, on a number of considerations – the most important being the concept of “Adequacy”.
ADEQUACY - WILL WE MEASURE UP?
The EU GDPR imposes minimum standards of protection for the rights of individual Data Subjects within the EEA, on the basis that its members have all committed to “adequate” protection. For the purposes of the EU GDPR, once the UK leaves the EU it will be treated as a “third country” and lose its adequacy, meaning that the transfer of Personal Data to the UK could be restricted unless it provides appropriate safeguards to protect the rights of EEA Data Subjects. The European Commission has the authority to determine whether or not any third country has “adequate” levels of data protection to allow for the unimpeded flow of Personal Data to and from it without any further safeguards needing to be put in place.
As a result, the UK Government is working on obtaining an adequacy decision from the EU Commission as soon as possible. A “Data Adequacy Assessment” is already underway; however, it’s worth noting that although the UK is one of the EU’s most important trading partners, adequacy decisions can take years to be provided. The UK Government has made it clear that it will, in the context of the UK GDPR, recognise previous EU adequacy decisions so that Personal Data transfers from the UK to any third country covered by them can continue, but we need to wait considerably longer for the certainty of an EU adequacy decision in our favour. Part of the reason behind the introduction of the UK GDPR is to convince the EU that the UK has an “adequate” data protection regime.
However, the more the UK diverges from the EU GDPR over time, the less likely it is to be seen as “adequate”. Notably, the EU-US Privacy Shield was recently struck down over concerns about mass intelligence surveillance of Personal Data relating to EU data subjects within the borders of the US, which the EU determined wasn’t doing enough to safeguard their privacy. In that case, legislators have been working overtime to put a new framework in place to allow Personal Data to flow between the US and EU, and although Brexit presents a different kind of intervening event, the UK may soon find itself in a similar position to the other half of the “special relationship”.
WHAT YOU NEED TO DO
In the absence of an immediate adequacy decision, and given that we don’t as yet know whether or not the UK will be leaving the EU with a deal, businesses could be forgiven for adopting a “wait and see” approach until the position is clarified. However, the core concept of “Accountability” will remain in both the EU and UK GDPR, and the more steps you can take to plan for a post-Brexit data ecosystem, the easier it’s going to be to comply and to demonstrate that compliance:
- Draw up a “Roadmap” so that you can break down revisiting your data protection compliance into manageable tasks – many businesses will know whether or not they need to comply with either the UK GDPR in isolation or both the EU and UK GDPR based upon where their stakeholders are;
- Determine whether or not you’ll need to comply with the EU GDPR as well as the UK GDPR, dependent upon your activities;
- Privacy Notices will need to be amended to refer to either the UK GDPR, EU GDPR or both – although this may pose technical challenges in terms of delivering the right information to the right individual, their provisions will likely be pretty similar save for detail on international transfers and on what safeguards are in place in the states to which Personal Data is transferred;
- Assess the risks of any current or potential international transfers of Personal Data – the UK GDPR confirms that any transfer out of the UK is “international” (along with a transfer into the UK from the EEA) and requires similar safeguards to those under the EU GDPR. This won’t pose immediate problems, as existing adequacy decisions will still apply for the time being. The onus is on Data Controllers to take action to ensure their own “adequacy” by putting relevant safeguards in place;
- A no-deal Brexit will mean that there’ll be no adequacy decision in place for the UK, so any transfer from the EEA into the UK will need additional safeguards – the safest bet is to adopt existing standard contractual clauses as per the terms of the EU GDPR (which will remain enforceable), so you may need to review your existing and proposed future contracts both now and when the UK GDPR comes into force to reflect any changes;
- After the end of the Transition Period, any Data Controller which doesn’t have an office or “establishment” in the EEA but which offers goods or services to or monitors the behaviour of EU individuals will need to appoint an EEA Representative to act on their behalf regarding compliance with the EU GDPR and manage their relationship with local supervisory authorities. A Representative can be any person, business or organisation appointed in writing and must be a first point of contact for any EEA individuals;
- Similarly, Data Controllers outside the UK targeting customers here will need to appoint their own UK representative.
As the GOV.UK website notes, there’s not much time for businesses to prepare for the end of the Transition Period. However, on the basis that the new UK GDPR system won’t diverge too much from the EU GDPR, any work done on current data protection compliance more generally will still be of value; many businesses may have done a lot of this work already but some uncertainty remains until the current negotiations come to an end, in one way or another.
What won’t change is the fact that Personal Data will remain one of the most valuable business commodities, or the need to ensure that it continues to flow as smoothly as possible.
Brexit may prove to be a reset for businesses in many ways, and if the opportunity for that reset also allows them to revisit their data protection compliance with the benefit of two years’ experience, then it’s worth seizing.
If you’d like to discuss your current and future data protection compliance in further detail, please contact us:
firstname.lastname@example.org / 0161 838 3980