The UK left the EU on 31 January 2020. This article examines two key questions:
What does Brexit mean for the GDPR; and
What steps will UK based businesses and organisations need to take in order to ensure that EU derived personal data can continue to be processed once the existing transition period has ended?
Are UK businesses and organisations still subject to the GDPR?
Yes. The UK’s membership of the EU ended on 31 January 2020. However, the withdrawal agreement that’s presently in place between the UK and the EU created what is known as a “transition period”. This period is presently expected to last until 31 December 2020 (although this date may be delayed by up to two years if both the UK and EU agree). During this period, EU law will continue to apply to the UK, and this means that the UK will remain subject to the GDPR.
Will the UK continue to operate the GDPR at the end of the transitional period?
Technically the answer to this question is no.
A new UK GDPR will automatically come into being at the end of the transitional period. At this point the existing GDPR will become known in the UK as the EU GDPR.
The UK GDPR will (initially at least) simply merge the EU GDPR and the applied GDPR (which arises under the Data Protection Act 2018). For businesses and organisations operating exclusively in the UK, existing data protection policies and procedures will therefore continue to be relevant, and it is unlikely that significant amendments and/or changes will need to be made.
Will the EU GDPR impact UK based businesses and organisations once the transitional period is over?
Potentially yes. The EU GDPR will continue to apply whenever a UK based business or organisation offers goods or services to individuals/data subjects located in the EU together with the monitoring of those individuals’ behaviour.
Remember also that the EU GDPR states that tracking individuals on the internet to analyse or predict their personal preferences will also trigger the application of the EU GDPR.
All in all, the message is fairly straightforward. If you do business within the EU (even if you have no physical presence there) you will still need to comply with the EU GDPR.
What will the future data protection relationship between the UK and the EU look like?
If only we knew! The end of the transitional period will see the UK become what is known as a “third country” for the purposes of EU data protection law.
Third country status has several potentially negative consequences for UK based businesses and organisations, in relation to cross-border data transfers, competent supervisory authorities and the enforcement of the EU GDPR (more on this later).
There’s been a lot of talk about EU “adequacy decisions”. What are they?
The EU GDPR permits the European Commission to recognise a third country’s data protection laws as being adequate. In terms of data protection, an adequacy decision is extremely useful since it effectively means that cross-border data transfers can take place with a minimum of fuss and delay.
It’s worth noting that the political declaration between the UK and the EU states that the European Commission will endeavour to adopt decisions regarding the UK’s adequacy by the end of 2020 “if the applicable conditions are met”.
If the EU Commission does make an adequacy decision in respect of the UK’s data protection regime by the end of 2020 this will mean that cross-border personal data transfers between the UK and the EU operate in the same way that they do now and that they will be less complex than they will otherwise need to be.
OK, so what happens if the UK leaves the EU without an adequacy decision?
If the UK leaves the EU without an adequacy decision at the end of the transition period, this will likely have the following immediate implications for UK and EU businesses:
- The UK’s status as a “third country” would mean that under the EU GDPR appropriate safeguards (i.e. the EU’s standard contractual clauses) would need to be implemented before any transfers of personal data from the EU to the UK could take place; and
- For businesses and organisations operating in the UK, outbound cross-border transfers of personal data will be subject to the UK GDPR. The UK government has already passed legislation recognising all EEA countries as being “adequate”. This is a sensible and pragmatic step as it will permit data transfers to these countries to continue once the transition period has ended.
Will the ICO continue to be a supervisory authority for the purposes of the EU GDPR after the transition period has ended?
No, the ICO will cease to be a “supervisory authority” for the purposes of the EU GDPR once the transition period has ended.
Businesses and organisations that plan to continue carrying out cross-border processing will need to review the EDPB guidance in order to consider whether any other EEA supervisory authority will be able to act as a lead authority once the transition period has ended.
Will we need to appoint a European representative once the transition period has ended?
Businesses and organisations based in the UK that do not have a branch, office or other establishment in any EU or EEA country, and that continue to offer goods or services to individuals in those countries and/or monitor the behaviour of individuals in those countries following the transition period, will, in most cases, need to appoint a European representative.
This European representative will need to be based in an EU or EEA state where some of the individuals whose personal data is being processed are located. The European representative can be an individual, or a company or organisation established in the EEA.
Businesses and organisations will need to give details of their chosen European representative to the EEA-based individuals whose personal data is being processed. This will typically be done by including their details within standard privacy notices. Additionally, this information must also be made easily accessible to supervisory authorities (e.g. via publication on the business’s or organisation’s website).
Please contact us if you’d like more information about the issues raised in this article and/or to find out more about the various Data Protection related policies, procedures, guidance and training that we provide.
Disclaimer: the information set out above does not constitute legal advice and it is provided for general information purposes only. No warranty, whether express or implied, is given and neither the author nor Harrington Law shall be liable for any technical, editorial, typographical or other errors or omissions within the information provided.