By Tom Preece
GDPR after Brexit
The General Data Protection Regulation has been around for years, and you likely cannot make it through a news cycle without hearing the term “Brexit” yet, questions still abound about what they mean together. In case you missed it, the trade and cooperation agreement of 12/24/2020 outlined how data transfers will be treated going forward between the UK and the European Economic Area (starting at the bottom of page 406), but you might find answers to your questions faster below.
Is there something in the agreement that makes data transfers ok?
Yes, for now. The UK and the EU agreed that for 4 months, plus a 2-month extension period, data transfers from the EU into the UK can continue unimpeded (the “Specified Period”). The Specified Period could end early if the UK is granted an Adequacy Decision, meaning that the EU thinks the UK has “adequate” data protections in place for the free flow of data to continue. If the decision is not granted by the end of the Specified Period, you will need to rely on another mechanism to get data into the UK, such as entering into the EU Standard Contractual Clauses, or implementing Binding Corporate Rules. The Information Commissioner’s Office (ICO) in the UK actually says it’s a ‘sensible precaution’ to do so.
I’m a business, do I need to do something differently now that Brexit has… Brexited?
Not immediately. Most people hope the European Commission will grant the adequacy decision to the UK. After all, the UK was one of the chief architects of the GDPR, they have already implemented Directive 95/46, and implemented GDPR into Domestic law. However, there is a chance that the European Commission might not decide before the Specified Period is over, which leaves a limbo risk. You can protect against that risk, and any future uncertainties, by a range of measures— two of which are mentioned above. Data localization is also becoming a popular control, although, remember that data localization is not mentioned or required by the GDPR and that some are critical of its efficacy.
This answer assumes you are asking about your clients that are EU citizens. Remember that the same data protections are required under UK law for UK citizens, the only difference now is that the ICO is no longer just the leading Data Protection Authority for the UK, it is also the leading supervisor, regulator, and enforcer. For customers who are UK citizens, you shouldn’t need to make any changes (unless of course, you weren’t already compliant… ahem…).
I’m a UK citizen, are my rights affected?
The UK passed a law called UK GDPR, which took effect on January 31st, 2020. The law took the EU’s GDPR law word for word and changed it to accommodate domestic areas of law, such as National Security, Intelligence Services, and Immigration. The majority of the GDPR was preserved, meaning you are afforded the exact same rights as before, including the extraterritorial power of the GDPR. In other words, no matter where a company is located in the world, the regulation still applies if it decides to collect and process your data (looking at you, USA).
Is there a chance the European Commission will not grant the adequacy decision?
Yes, there is a chance. The changes the in UK GDPR for National Security, Intelligence Services, and Immigration have been a source of debate, as some of the changes provide for circumstances where the regular protection of personal data can be bypassed. Many warn of the possibility it could be enough to undermine an adequacy decision, or at least delay it beyond the Specified Period, pointing to past criticisms by the European Court of Human Rights of the UK 2016 Investigatory Powers Act.
Can the ICO still be my single point of contact for the one-stop-shop mechanism?
Nope. The EU GDPR thoughtfully allowed companies to deal with one lead supervisory authority, instead of having to deal with all 28 DPAs in the EU. If your lead supervisory authority was the ICO in the UK, you are going to have to change it to one of the remaining 27. If you do not have a main establishment somewhere in the EU, there is a chance you can no longer take advantage of the ‘one-stop-shop’ mechanism.
Anything else I need to know about the GDPR after Brexit?
Remember that, like any other law or regulation, courts make decisions all the time based on cases brought before them, which apply the law as written to a real-life circumstance. The next time a similar case is brought, it’s expected the law is applied in a similar way. What you now have is two laws (EU GDPR and UK GDPR) which are essentially starting in the same place, except going forward you have two different court systems making independent decisions on them. Potentially, the case law in these two different jurisdictions could take the laws in entirely different directions over time. If you are thinking long-term, an adequacy decision should not necessarily be considered a permanent solution. As always, it will require continuing review and diligence to make sure your company is compliant with both laws, and the data transfer mechanisms you rely on are still accepted by all parties.