The UK officially left the EU as of 31 January 2020. Although data protection is not foremost in people’s minds when considering the impact of Brexit, it will have an impact on the data protection landscape. Even though the UK government has committed to incorporating the EU General Data Protection Regulation (GDPR) into domestic law, meaning that the GDPR will continue to apply in its current form, businesses should be aware of a number of key issues. Our ultimate guide explains all the facts about Brexit and the GDPR.
FAQ about Brexit and the GDPR
Since the Brexit referendum in 2016, negotiations have been taking place between the UK and the EU. The aspired deal is known as the Withdrawal Agreement and establishes the terms of the UK’s withdrawal from the EU. The aim of the Agreement is to ensure that the withdrawal occurs in an orderly manner, which will offer legal certainty once the Treaties and EU law cease to apply to the UK. The latest draft of the Agreement is available online.
The Withdrawal Agreement stipulates that EU law (including the GDPR and other relevant data protection laws, e.g. the EU ePrivacy Directive) will continue to apply during a transition period after the Brexit day. The transition period ends 31 December 2020, meaning that until the end of 2020 nothing will change. Personal data can flow freely between the EU and the UK and UK companies will be required to continue to comply with both the GDPR and national data protection laws.
Article 71 of the Withdrawal Agreement specifically provides that after the end of the transition period, personal data from individuals in the UK or the EU will be processed in accordance with the GDPR until an adequacy decision is reached by the EU.
Ideally, the UK government and the EU will negotiate a data protection arrangement that suits both parties. This could be in the form of an adequacy decision, meaning that the personal data protection regime of the UK provides appropriate safeguards. UK business operations would then enjoy uninterrupted flow of personal data with the EU and the EEA without necessitating any further safeguards.
If no such decision is reached, the UK will become a so-called third country. To this effect, EU law will require additional measures to be put in place by UK companies (e.g. Standard Contractual Clauses) when personal data is transferred from the EU/EEA to the UK in order to render them lawful.
The reality is that it is going to be difficult for the UK to get an adequacy decision by the end of December 2020. To date, the quickest adequacy decision (regarding Argentina) took 18 months.
It is important to note that such an assessment goes beyond the mere application of the rules of the GDPR, ePrivacy Directive and the Police and Justice Data Protection Directive: it will also take into account data protection related issues such as interference on the fundamental right to privacy and data protection by surveillance legislation. There are concerns that the EU Commission will take a rather detailed look at the UK’s crime and national security legislation during its assessment, particularly the Investigatory Powers Act 2016. Thus, it is feared that the assessment could take quite a while.
During the transition period, the UK will have to decide on data transfer to non-EU countries. The UK Data Protection Act 2018 includes the possibility to establish new rules for international data transfers. However, the UK government plans to keep all the adequacy decisions the EU has made, including the EU-U.S. Privacy Shield, until after the end of the transition period.
After the end of the transition period, the wording of the Privacy Shield will need to be updated and controls and protections required for its certification will then be deemed to be under the control of the Information Commissioner’s Office (ICO).
The current PECR rules are derived from an EU Directive. However, as the PECR is UK law, the rules covering marketing, cookies and electronic communications will continue to apply after the UK leaves the EU.
The EU is currently working on replacing the rules of ePrivacy with the new ePrivacy Regulation. Since the EU regulations were not finalised before Brexit, the new regulation will not have a direct influence on UK law.
The following is a brief description of the most important sectoral laws, including data protection regulations:
- Security of Network & Information Systems Regulations 2018 (NIS Regulations): Pertain to the provision of digital services such as online marketplaces, online search engines and cloud services.
Even though these regulations are derived from EU law, they will continue to apply after Brexit.
- eIDAS regulation: An EU regulation that stipulates the rules for electronic identification and trust services.
As the eIDAS is an EU regulation, it will cease to apply after the UK’s exit from the EU. However, it is anticipated that the British government will incorporate the respective rules into UK law.
- Freedom of Information Act 2000: Applies to businesses and organisations working for a public authority.
The FIA is the foundation of UK data protection law and will continue to apply.
- Environmental Information Regulations (EIR): Pertain to the provision of public access to environmental information held by public authorities.
Even though the rules derive from EU law, they will continue to apply after leaving the EU.
You want to prepare your company for all Brexit contingencies? Then get expert data protection advice now!