Data protection now that the UK has left the EU
On 31 December 2020, the Brexit transition period came to an end and a new UK data protection regime came into being. Businesses transferring personal data to and from other countries – which of course may include transfers to overseas service providers who host personal data outside the UK – will need to address how they continue to do this under the new regime.
Prior to Brexit, UK data protection law was principally governed by the General Data Protection Regulation (EU GDPR), which created a harmonised legal framework regulating the way in which personal data is collected, used and shared throughout the EU. The EU GDPR was supplemented by the UK Data Protection Act 2018 (UK DPA), which exercised a number of the options and derogations that the EU GDPR left to member states and covered additional matters beyond the scope of the EU GDPR (such as law enforcement processing and intelligence services processing).
Following 31 December 2020, the EU GDPR ceased to apply directly to the UK but was retained as part of UK domestic law. To make it work in a UK context, various amendments were made to the retained text by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This amended version is what is now commonly known as the “UK GDPR”. Its terms are very similar to those of the EU GDPR, but it stands separate from the EU GDPR as part of UK domestic law. Alongside the creation of the UK GDPR, consequential amendments were made to the UK DPA so that the two instruments work together.
Will your business need to comply with both the EU GDPR and the UK GDPR?
If you are a UK business that handles the personal data of individuals situated both in the UK and in the EU, it is likely that you will have to comply with both the EU GDPR and the UK GDPR, and you risk enforcement action from both the UK and the relevant EU data protection authorities in the event of a breach.
By way of example, if you are a business based in the UK with no branches, offices or other establishments in the EU, but you offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU, the EU GDPR continues to apply to that processing and will generally require you to appoint an EU-based representative to act on your behalf in respect of your EU GDPR compliance. You should therefore establish whether your business falls within one or both regimes, as there may be additional compliance requirements to address.
Data Transfers from the EU to the UK
A common concern pre-Brexit was that once the UK left the EU, the European Commission would decide that the UK did not offer an adequate level of data protection and thus transfers of personal data from the EU to the UK would require further transfer mechanisms in order to remain lawful.
This issue was addressed in the EU-UK Trade and Cooperation Agreement, which declared that whilst the European Commission continued its assessment of the adequacy of the UK data protection regime, transfers to the UK are to be considered as if they were still transfers within the EU.
This means that if your business is receiving personal data from organisations situated in the EU, it will not need to make any changes to its current arrangements for the time being. However, this interim solution is only for a limited period of up to four months (extendable to six months) so the current arrangements could potentially end at the end of April or June 2021 depending on the results of this adequacy assessment.
With this in mind, it should be noted that on 19 February 2021 the European Commission published its draft decisions on the UK’s adequacy under the EU GDPR and the Law Enforcement Directive and found the UK to be adequate. The draft decisions will now be considered by the European Data Protection Board and by a committee of representatives of the 27 EU member states. If the committee approves them, the European Commission will formally adopt them. In the meantime, the UK effectively has to maintain its existing data protection regime during the interim period and can only amend it in limited circumstances.
Data Transfers from the UK to the EU
If your business is transferring personal data to an organisation in the EU, the UK Government has confirmed that it regards the EU member states as providing an adequate level of protection for personal data, so personal data flows from the UK to the EU can continue without additional transfer mechanisms. This decision will be kept under review. Minor updates will nevertheless generally be required to most businesses’ privacy notices and other documentation to reflect the changes brought about by Brexit.
Going forward, now that the transition period has ended, the UK’s data protection laws can develop independently of the EU GDPR, and the UK can enter into its own arrangements with countries outside the EU. It will therefore be important for businesses to take care in evaluating and applying the separate UK and EU regimes, and to stay up to date with changes in both as they diverge over time and take on separate identities.
Here to Help
For advice in respect of the UK data protection regime, please contact either James Sarjantson on 0113 201 0401 – jsarjantson@lcf.co.uk or Thomas Taylor on 0113 204 0407 – ttaylor@lcf.co.uk
This article was written by Thomas Taylor. Thomas is a solicitor in our Corporate department. Based in our Leeds office, Thomas specialises in commercial contracts.
Find out how Thomas can help you: call 0113 201 0407 or email ttaylor@lcf.co.uk
Disclaimer: This article is for general information only and does not constitute legal advice. For legal advice on any specific set of circumstances, contact the author.