The European Union’s General Data Protection Regulation (GDPR) has been in effect since 2018, and since that time businesses across the UK have been compelled to comply with European rules for handling personal data.
Following the UK’s official departure from the EU in January 2020, many businesses and organisations may be uncertain about what this means for data protection laws. Will the UK stop being subject to GDPR? What happens during the transition period?
In this article, we will look at what Brexit currently means for data handling – and give some insight into the future of British privacy legislation.
What is GDPR?
Regulation (EU) 2016/679 – the General Data Protection Regulation – was implemented by the European Union in May 2018.
The regulation is designed to safeguard personal data and protect privacy throughout the European Union and the European Economic Area (EEA). It also sets out rules for transferring data to other nations elsewhere in the world.
GDPR applies to any organisation that handles personal data from EU citizens, even if the organisation itself is located outside Europe.
Broadly, the rules of GDPR mandate that data handling organisations have to take steps to protect privacy and that individuals’ data can only be processed as per six specific legal bases (consent, contract, public task, vital interest, legitimate interest or legal requirement). All data gathering must be clearly disclosed and the legal basis for its collection made apparent.
GDPR is implemented in the UK via the Data Protection Act of 2018, a national law that updated preexisting British data legislation from 1998.
For a more detailed explanation of GDPR, please refer to the Information Commissioner’s Office for further material.
During the Brexit transition
As of January 2020, the UK is in a transitional phase of Brexit (which the government calls the ‘implementation period’) lasting until the 31st of December. This means that European Union laws will continue to apply to British businesses and citizens until that date.
There is a possibility that the duration of this transition could be extended by up to two years with the mutual agreement of both the UK and the EU. However, the UK government has stated that it presently has no intention of applying for such an extension. (Source: The Guardian)
Therefore, during the Brexit transition, businesses in the United Kingdom are still bound by GDPR and will be until at least the end of the year.
Privacy and Electronic Communications Regulations (PECR)
Alongside GDPR rules (and often discussed in the technology sector) is PECR, the Privacy and Electronic Communications Regulations. These govern matters such as marketing communications, website cookies and customer data.
PECR is a UK-specific implementation of the EU’s ePrivacy Directive and will continue to be in effect as a British law both during the Brexit transition and after we have left the European Union.
However, the ePrivacy Directive is expected to be replaced with a new law in the near future known as the ePrivacy Regulation. It’s likely that Britain will continue to adhere to the new policies even after the end of the Brexit transition.
Website owners in the UK will be required to comply with PECR even if the website itself is hosted outside the UK – and the same will be true for international website owners creating material intended for UK audiences.
At the end of the Brexit transition window, the UK will be regarded by the European Union as a ‘third country’.
GDPR allows for unrestricted data transfer between trusted EU member states, but extra assessment is required to confirm the suitability of ‘third countries’ (non-EU member states) for receiving EU data. This is known as ‘adequacy’.
The list of third countries that have already been awarded adequacy status by the European Commission includes Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. (There is also a ‘Privacy Shield’ program in effect to facilitate data transfers between the EU and the United States of America, although this is limited to US organisations that opt in to the framework.)
Third countries that have not passed assessments carried out by the European Commission to confirm the robustness of their data handling practices are subject to restrictions – meaning that until the UK gains adequacy status, British organisations will be limited in receiving data from Europe.
In this situation, UK businesses will still be able to receive European data, but the restrictions could mean that extra provisions are necessary. These may take the form of Standard Contractual Clauses (SCCs) between the parties sending and receiving data – essentially legal agreements drawn up between the exchanging entities at their own expense.
It is currently uncertain how long it will take for the UK to receive adequacy status, or if there might be significant hurdles to overcome. Some commenters predict that it is unlikely to happen within the timeline of the current Brexit transition, although the European Commission has stated its intention to reach an adequacy decision by the end of the year. (Source: Lexology)
Future UK data protection laws
The EU Withdrawal Act was introduced in 2018 to allow for various Brexit preparations, and one of the effects of this legislation is that it allows the British government to adopt EU laws directly onto the UK books. This was intended to provide for minimal disruption to the British legal system after Brexit, and effectively created a new category of British legislation known as ‘EU retained laws’.
After the transition period has ended and the United Kingdom is technically no longer required to adhere to the principles of EU GDPR, the government will adopt GDPR principles directly into British law. This will be known as ‘UK GDPR’.
The EU version of GDPR will no longer apply to UK businesses and organisations unless they deal with EU member countries – perhaps by offering goods and services to European individuals or dealing with their personal data.
UK GDPR may differ in some small particulars from the EU regulation (with some minor amendments to make it suitable for UK implementation), but for the most part, there will be little functional difference to British data privacy laws after the end of the Brexit transition.
In summary, the main source of uncertainty will be our data-sharing relationship with Europe after the transition. This will largely depend on the findings of the European Commission as they evaluate British data handling practices with a view to awarding adequacy.
However, for most practical purposes, there is likely to be little or no change for the majority of UK businesses and organisations during the Brexit transition period – and the future landscape of British data protection law should look quite similar to the current situation.
This post was contributed by Girlings Solicitors – a well-respected law firm in Kent offering Corporate & Commercial, Debt Recovery, and other business law services. With nearly 140 years of experience providing business, personal and not-for-profit legal support, Girlings is one of the largest and oldest law firms in Ashford, Canterbury and Herne Bay.