Data Protection Law
UK GDPR, EU GDPR, DPA 2018, DP Regulations. Confused? Hopefully this blog will help you understand what is happening with data protection laws in the UK now that the Brexit transition period has ended.
The UK data protection authority, the Information Commissioner’s Office (ICO), is telling us that at the end of the Brexit transition period, data protection compliance should continue as usual. The key principles, rights and obligations remain the same. What then is the consequence of the Brexit transition period ending on data protection in the UK?
Most importantly, following the end of the transition period, the EU and the UK will be operating under different, albeit very similar, data protection regimes. This means that any transfer of data between the two will be treated as exactly that: a transfer between two independent data protection legal systems.
The Legislation – UK GDPR and the DP Brexit Regulations
A confusing aspect of the UK’s new data protection regime is its reference to legislation. There is mention of the ‘UK GDPR’ and ‘DP Brexit Regulations’. In order to clear up any misunderstanding it is useful to consider how data protection legislation operated before Brexit.
Before Brexit, data protection was mainly governed by two pieces of legislation: the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018. The first is EU law; the second is the mechanism by which it was implemented into UK law.
With the coming of Brexit came a concern with what the UK government should do with all its EU law. The European Union (Withdrawal) Act 2018 sought to retain EU law already implemented in the UK, including GDPR. Simply put, retained EU Law is copied and amended before becoming UK law. The EU data protection law GDPR, in its retained form, is now known as the UK GDPR. This is in contrast to data protection law in the EU now known (in the UK) as the EU GDPR.
The Data Protection Act 2018 (DPA), although already being UK law, was also defined as retained EU law for the purposes of the European Union (Withdrawal) Act 2018 and therefore at the end of the transition period it will continue to be a main source of data protection law in the UK.
In order for the retained EU data protection law to work in the UK after the transition period it needs to be amended. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (referred to here as the DP Brexit Regulations) is the legislation by which this will be achieved. The amendments made to the UK GDPR and the DPA by the DP Brexit Regulations will therefore merge to form the core of the UK’s data protection law. Organisations will need to consider two legal texts after the transition period: the UK GDPR and the DPA.
Changes made by the DP Brexit Regulations
The purpose of the DP Brexit Regulations is first and foremost to integrate EU data protection law, as it stands, into UK law after the transition period. Therefore most of the changes are relatively predictable. Here are a few:
- The Information Commissioner (UK data protection authority) is no longer a party to the EU GDPR co-operation and consistency mechanisms and will not have a seat on the European Data Protection Board (EDPB).
- Amendments are made throughout the UK GDPR to change references to EU institutions, member states and decisions.
- European Commission powers are transferred to the Information Commissioner or the Secretary of State. For example the Information Commissioner has the power to issue Standard Contractual Clauses (a mechanism by which data is transferred internationally).
- Section 4 of the DPA is amended to make clear that it applies to personal data to which the UK GDPR applies and that it supplements and must be read with the UK GDPR.
- A new section 17A in the DPA covers transfers based on adequacy regulations (a mechanism by which data is transferred internationally). The Secretary of State has the power to make “adequacy regulations” to specify that a third country, territory, sector or international organisation ensures an adequate level of data protection.
At the end of the transition period, the UK would have become a third country under the EU GDPR, meaning that EU controllers and processors would need to ensure that an adequacy mechanism was in place to protect transfers, i.e. Standard Contractual Clauses or Binding Corporate Rules.
However, on 24 December 2020, the UK and EU reached a trade and co-operation agreement addressing the arrangements following the end of the Brexit transition period on 31 December 2020 (as implemented by the European Union (Future Relationship) Act 2020).
Most significantly the agreement has introduced at least a four month period (extended another two months unless one of the parties objects) in which data can flow between the regimes without additional safeguards. The aim of the agreement is to give organisations breathing space while the Commission continues its assessment of adequacy for the UK. If the UK is granted an adequacy decision then data will continue to flow freely between the regimes after this period.
Data processed or obtained before the end of the transition period
From the end of the transition period the UK is required to continue applying “EU law on the protection of personal data” to the processing of EU personal data where the personal data was processed before the end of the transition period. It will therefore be helpful for organisations to know what data has been processed in the EU before the end of the transition period so that, should the regimes diverge, that data continues to have EU law applied to it. By contrast, personal data about UK data subjects processed in the UK before the end of the transition period will fall under the UK GDPR and DPA.
More to come – UK GDPR and EU GDPR to diverge?
The next big development in data protection and Brexit will be whether or not the Commission grants the UK an adequacy decision. Organisations should have a clear idea of how they are going to confront the possibility that no adequacy decision is reached. This will mean reviewing data flows and the contracts that enable them.
The ICO is right to say that the data protection principles before Brexit will largely remain the same in the UK. The UK GDPR and DPA as a new legislative framework are more than anything else a replica of what has come before. But with an adequacy decision pending and the EU’s draft E-Privacy Regulation still being finalised and therefore without a hope of being applied in the UK, the two data protection regimes could split in significant ways in a relatively short amount of time.