The new UK data protection regime which took effect on 1 January 2021, coupled with the UK's departure from the EU, requires UK, EU and international businesses to take steps to ensure they remain compliant with the two separate data protection regimes which now exist: the EU GDPR and the UK GDPR.
It is easy to think that data transfers between the EU and UK are the only concern for ongoing data protection compliance, but there are a number of other aspects to consider. Both the EU GDPR and the UK GDPR have extra-territorial effect, and businesses need to think about the impact which the two regimes will have on their data flows, records of processing, contracts, policies and procedures, along with requirements to appoint EU data protection representatives. These broader considerations apply irrespective of the interim data transfer arrangement reached in the EU-UK Trade and Cooperation Agreement in December 2020.
In this Insight, we summarise the post-Brexit position on data protection, and set out some key practical steps for businesses to consider. (While we refer throughout to the EU, in most instances the same position applies in respect of other EEA countries, namely Norway, Liechtenstein and Iceland.)
What data protection laws applied in the UK up until 31 December 2020?
Until 31 December 2020, all EU data protection laws applied in full (notably the GDPR and the E-Privacy Directive), together with all current UK implementing legislation, such as the Privacy and Electronic Communications Regulations (PECR) in relation to the E-Privacy Directive.
In addition, the UK Data Protection Act 2018 (UK DPA) applied. The UK DPA supplemented the GDPR and exercised a number of derogations within the GDPR, which EU member states are entitled to implement, as well as covering additional matters beyond the GDPR (such as law enforcement processing and intelligence services processing).
This collection of data protection laws was interpreted in accordance with case law from the Court of Justice of the European Union (CJEU) and the UK courts, and in light of regulatory guidance from the European Data Protection Board and (in the UK) the ICO.
What data protection laws apply in the UK after 31 December 2020?
As at 1 January 2021, the EU GDPR ceased to directly apply to the UK, but effectively became part of UK domestic law. All EU-derived UK domestic legislation (such as PECR) continues to apply.
However, to ensure that the EU GDPR works in a UK context, various amendments to it were required. These were made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The amendments aim to ensure the EU GDPR makes sense and is directly applicable in the UK on a standalone basis – for example, references to "the Union" become "the United Kingdom".
This amended version of the EU GDPR is what is now commonly known as the "UK GDPR". Its terms are very similar to those of the EU GDPR, but it stands separate from the EU GDPR as part of UK domestic law. Alongside the creation of the UK GDPR, consequential amendments were also made to the UK DPA so that the two work together.
In addition, CJEU case law as at the end of the transition period forms part of UK domestic law and so will remain binding on UK domestic courts. However, the UK Supreme Court and the Court of Appeal can choose to depart from CJEU decisions.
Finally, it should be borne in mind that:
- the EU GDPR may still apply in the UK as well by virtue of its extra-territorial effect (see below); and
- under the Brexit Withdrawal Agreement the EU GDPR as in force on 31 December 2020 will continue to apply to certain legacy data for so long as the UK does not benefit from an "adequacy" decision from the EU (see below). In this context, legacy data comprises personal data of a non-UK individual which was either acquired before the end of the Brexit transition period and processed under EU data protection law, or processed on the basis of the Withdrawal Agreement after the end of the Brexit transition period.
Might some businesses need to comply with both the new UK regime and the EU GDPR and national EU regimes?
Yes, some businesses will be subject to both regimes. The key point is to assess the application of each regime separately, bearing in mind that Article 3 of both the EU GDPR and the UK GDPR gives them extra-territorial effect.
For example, if a UK organisation has processing activities in both the EU and UK, or is targeting customers or monitoring individuals in the EU from the UK, then that organisation will be subject to regulatory responsibilities under both the UK regime (UK GDPR, UK DPA and PECR) and the EU GDPR. The same applies the other way round – for example where an EU-based organisation has processing activities in both the EU and UK or is targeting customers or monitoring individuals in the UK from the EU.
In essence, organisations with pan-European operations are likely to have to comply with two separate, but similar, legislative regimes, with the consequential risk of dual enforcement action (by EU Data Protection Authorities in the EU and the ICO in the UK) in the event of any breach.
This means that organisations need to consider carefully whether they are within just one or both regimes, and in particular take (or rule out the need to take) the key steps which we have highlighted towards the end of this Insight.
Will the UK be 'adequate' for data transfers from the EU?
This issue is addressed in the EU-UK Trade and Cooperation Agreement (TCA). A common question pre-Brexit had been whether, once the UK was a third country for the purposes of the EU GDPR, the European Commission would decide that the UK offered an adequate level of data protection and thus transfers of personal data from the EU to the UK could continue without any further transfer mechanisms being required under EU GDPR. Alternatively, would those transfers need to be legitimised with a transfer mechanism such as standard contractual clauses and supplementary measures?
While an adequacy decision is not included in the TCA itself, the joint political declaration published alongside the TCA states that the EU will undertake an adequacy assessment.
In addition, the TCA puts in place an interim solution that buys the EU more time to conclude its formal adequacy decision. Under this, transfers to the UK are to be considered as if they were still transfers within the EU – so no other transfer mechanisms, such as standard contractual clauses (or supplementary measures), are required for those transfers for the moment.
However, there are some strings attached:
- the interim solution is for a limited period of up to four months, extendable to six months, so a future potential cliff-edge at the end of April / June 2021 is still possible if the adequacy process drags on (or does not deem the UK to be adequate); and
- while the interim solution applies, the UK effectively has to preserve its existing data protection regime, and is precluded from altering it or exercising certain powers under it (for example, to enter into new international data transfer arrangements) except in limited circumstances.
Although the ICO has welcomed the interim solution, it still "recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data".
It is also important to bear in mind that even though personal data can still be transferred without additional mechanisms, it does not affect how other aspects of EU GDPR and UK GDPR might apply to that personal data. For example, the twin regime issue mentioned above may still give rise to other considerations.
Will the EU be 'adequate' for data transfers from the UK?
Yes. The UK has already confirmed that, on a transitional basis, it deems the EU member states to be adequate to allow for data flows from the UK without additional mechanisms.
Consequently, there are currently no changes to the way businesses send personal data to the EU, although again the twin regime issue mentioned above may give rise to other considerations. In addition, privacy notices and other documentation (such as contracts and records of processing) will need to be updated to reflect these transfers.
Will the current EU 'adequate' destinations for data transfers be 'adequate' for ex-UK transfers under the UK GDPR?
Yes. Transfers from the UK to other countries can continue under existing arrangements. That includes transfers under the current European Commission adequacy decisions for Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay, which the UK continues to recognise on a transitional basis.
However, UK organisations should check that their privacy notices and other documentation (such as contracts and records of processing) reflect these transfers appropriately.
What standard contractual clauses should be used for ex-UK transfers?
The UK has specifically legislated for this issue. In essence, data exporters can use existing EU versions of standard contractual clauses, either "as is", or with the limited changes needed to reflect the UK's withdrawal from the EU.
The expectation is that the ICO will approve a new set of standard contractual clauses in due course, which are likely to replicate and align with the new draft standard contractual clauses published by the European Commission in November 2020.
Do organisations need to appoint separate UK and EU DPOs?
No, not necessarily. In principle, a single Data Protection Officer can act for a group of companies within the UK and the EU, provided that they can still perform their tasks effectively and remain easily accessible to the group's employees, to regulators and to the individuals whose personal data the group processes, as envisaged by Article 37(2) (which permits a group of undertakings to appoint a single DPO) and Articles 38 and 39 of both the EU GDPR and the UK GDPR.
Key practical steps
Bearing in mind the issues covered, here are some of the practical steps that businesses should be taking:
- Map data flows: Ensure that data flows between the EU and the UK (in both directions) have been mapped out, so that the business can assess and take the appropriate next steps to comply with the two GDPR regimes (EU and UK) post-Brexit.
- Update records of processing: Update records to meet EU GDPR and UK GDPR requirements – for example, to record the specific lawful basis or conditions for any processing activities required under UK GDPR – to accurately reflect data flows and to include the correct terminology.
- Re-evaluate lead supervisory authority: Since the ICO can no longer act as lead supervisory authority under the EU GDPR's one-stop-shop mechanism, assess whether an EU supervisory authority now qualifies as lead supervisory authority, and the practical impact of dealing with both the ICO and a new EU supervisory authority (or multiple authorities), for example when notifying a personal data breach.
- Appoint a UK and/or EU representative: Consider whether to appoint a UK representative if the business is offering goods or services to, or monitoring the behaviour of, individuals in the UK and does not have an establishment in the UK. Similarly, consider whether to appoint an EU representative if the business does not have an establishment in the EU but is offering goods or services to, or monitoring the behaviour of, individuals in the EU. In both cases, check whether one of the exemptions in Article 27 of the relevant GDPR applies.
- Update privacy notices: Revise internal and external privacy notices to ensure they clearly describe data flows, cover the relevant requirements of the UK GDPR and differentiate where necessary, for example to reflect the different routes for complaints in the UK (to the ICO) versus the EU (to the relevant EU supervisory authority).
- Amend existing contracts and templates: Update terms to include relevant data transfer wording and appropriate referencing to the UK GDPR and EU GDPR.
- Consider whether DPIAs and LIAs need to be updated: Existing data protection impact assessments and/or legitimate interests assessments may need to be updated to ensure they comply with the UK GDPR.
- Ensure appropriate safeguards are in place for cross-border data flows: While nothing further is required immediately, keep this under review depending on the outcome of the EU's adequacy assessment in respect of the UK.