As we all know, the Brexit transition period is coming to an end on 1 January 2021. But what does this mean for data protection?
On 1 January, the ‘EU GDPR’ will no longer apply to the UK, and instead, the UK government will incorporate the ‘EU GDPR’ into UK data protection law and create the ‘UK GDPR’. The Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR) will remain in place.
In practice little will change: technical tweaks and amendments will be made to legislation, but the core principles, obligations and rights will essentially remain the same. However, there are implications for businesses that transfer personal data to, or receive it from, the UK and the EEA/EU (we will just refer to the EU for the purposes of this blog).
This is because after the transition period ends, the UK will become a ‘third country’ (i.e. one which is not a member state of the EU). This label will have important consequences for incoming data flows from the EU. When the UK was a member of the EU, the transfer/receipt of personal data between the UK and the rest of the EU was straightforward, as all member states were subject to the EU GDPR. However, this will all change.
Sending data to the EU
Businesses in the UK sending personal data to other businesses/organisations in the EU will be subject to the UK GDPR. There are currently no changes to the way businesses can do this.
Receiving data from the EU
If the UK leaves the EU without an adequacy decision (explained below) at the end of the transition period, there will be immediate implications for businesses. In the absence of an adequacy decision, there will have to be appropriate safeguards in place for any transfers of data from the EU to the UK for the purposes of the EU GDPR. This is because UK businesses receiving personal data from EU member states will be in a ‘third country’ and no longer subject to the EU GDPR regime.
Adequacy decisions are decisions made by the EU Commission (EC) which determine whether a country outside the EU offers an adequate level of data protection similar to that of the EU GDPR. The UK is currently going through an adequacy assessment. The government was due to make an announcement in the latter stages of this year about the outcome of the assessment. However, no announcement has been forthcoming.
If the UK does not get an adequacy decision by the end of the transition period, the EU country sending personal data to the UK will need to consider an appropriate safeguard to ensure personal data can transfer lawfully.
Examples of appropriate safeguards include ‘standard contractual clauses (SCCs)’ which place obligations on the data sender and the data receiver to protect the rights of the individual whose data is being transferred and ‘binding corporate rules (BCRs)’ which are internal codes of conduct which apply to multi-national groups.
If a data transfer is not covered by an adequacy decision or appropriate safeguard, an exemption may apply depending on specific limited circumstances.
As no announcement seems likely before the end of the transition period as to how to manage data flows post-Brexit, businesses should be prepared for anything. We would strongly advise businesses that have existing data flows within the EU to review their framework, implement SCCs where possible and/or review their existing data sharing arrangements with international organisations which send/receive data of EU citizens on their behalf.