Brexit and Data Protection

The General Data Protection Regulation (GDPR) is an EU Regulation and, after the end of the transition period, no longer directly applies in the UK. However, the Government has introduced legislation, in the form of the EU (Withdrawal) Act 2018 and The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which will, in effect, preserve the GDPR in UK law, albeit with amendments for the UK context. This separate law has been called 'UK GDPR' to differentiate it from the existing GDPR. UK based organisations that also have an establishment in the EEA, or that process the personal data of individuals based in the EEA, will need to continue to comply with the actual GDPR, as it has extra-territorial effect in certain circumstances.

Further, under the terms of the EU/UK Withdrawal Agreement (WA), if no adequacy decision is granted in favour of the UK's data protection regime, Article 71 of the WA will govern the processing of so-called 'legacy personal data'. This is data of non-UK individuals that was processed by a UK controller before 31 December 2020 – such data must continue to be processed in compliance with the actual GDPR, but as it stands on 31 December 2020. We discuss the implications of Article 71 WA in more detail here.

Accordingly, organisations that do business in the UK and the EEA will need to navigate and comply with two regulatory regimes, 'UK GDPR' and the actual GDPR (and potentially a third where Article 71 WA applies, i.e., actual GDPR as at 31 December 2020). These regimes will approach data protection from a similar set of principles and objectives and, in many areas, no separate action will be required. However, there may be divergences that will need to be taken into account, particularly as time passes, and there are a number of important issues to consider, such as in relation to flows of personal data. Organisations may also find that they are at risk of enforcement actions or complaints in several jurisdictions across the EEA and/or the UK (either by regulatory authorities or by individuals) arising out of the same incident.

The free flow of personal data between the EEA and the UK is an issue of critical importance for most organisations. 

Transfers of personal data to and from the EEA

The Trade and Co-operation Agreement between the UK and EU provided a six month bridging period for the EU Commission to consider its assessment of whether the UK's data protection regime is adequate. On 28 June 2021, the European Commission announced that it was conferring adequacy on the UK's data protection regime (and in relation to data in a law enforcement context). This means that data flows from the EEA to the UK can continue without further safeguards under GDPR being necessary (as was already the case for data transfers from the UK to the EEA).  However, as we discuss here, the adequacy decisions do contain a sunset clause which requires a reassessment of the adequacy decisions after four years.  It is also possible that there may be legal challenges to the validity of the adequacy decisions before the European Court of Justice.  

Transfers of personal data from the UK to other jurisdictions

These can continue where the Commission has already adopted adequacy decisions for the relevant jurisdiction (although in due course the UK will put in place new adequacy regulations of its own). For all other countries, an appropriate safeguard must be put in place for the transfer. Transfers of personal data from the UK to the US, where many businesses will have relied upon the Privacy Shield before the Schrems II decision, will however need to be considered very carefully, in light of developing guidance. The general position is that any transfer of personal data to a jurisdiction which does not have an adequacy decision, needs to be subject to close scrutiny by the parties.

Transfers of personal data from non-EEA jurisdictions to the UK

Where the EU has made an adequacy decision in respect of a particular country, the UK is working with those countries to make specific arrangements for data transfers to continue to flow to the UK. Pending those arrangements, it will be necessary to ensure compliance with local law on the transfer of personal data. See the ICO Brexit page for more information.

Group Companies and Binding Corporate Rules (BCRs)

In relation to restricted transfers from the UK which are within a corporate group, it may be possible to rely upon BCRs. The European Data Protection Board (EDPB) has issued guidance in relation to BCRs approved by the ICO. These will require a new BCR supervisory authority lead in the EEA and revisions to the content of the BCRs. The ICO has also published guidance confirming that holders of BCRs that were authorised by the ICO will be automatically eligible for a UK BCR.  They will need to produce a UK version of their BCRs by 1 January 2021, and provide this to the ICO on or before the next annual update due date. The guidance also clarifies the position for BCRs that were authorised by another lead supervisory authority and the steps that need to be taken for those to be eligible for a UK BCR.

It is important also to note that the effect of CJEU's decision in Schrems II will be to require existing BCRs also to be reassessed to ensure whether appropriate safeguards are in place in respect of the specific transfers involved, and whether supplementary measures need to be adopted.  

Under GDPR, EEA-based organisations which carry out processing in more than one EEA state only need to deal with a single regulatory authority as their lead supervisory authority. This is known as the 'One Stop Shop' principle. It means that, for example, there would only be one fine imposed by an authority as a result of an infringement that covered a number of EEA territories, and that single fine would cover the whole EEA.

Non-EEA based organisations cannot rely upon the One Stop Shop principle. However, they may be liable for a breach of GDPR on the basis of its extra-territorial effect in certain circumstances. You should consider what cross-border processing you carry out, as this will affect the extent to which you are subject to the ICO and/or EEA supervisory authorities after the end of the transition period:

Organisations with a main establishment in the UK and establishments in the EEA: You may wish to consider whether any of your EEA establishments in the EEA could be your main establishment, in order to take advantage of the GDPR 'One Stop Shop', and avoid being at risk of regulatory action from multiple EEA regulators. Even if you are able to demonstrate that you have an EEA main establishment, however, where cross-border processing involves the EEA and the UK, you will still be subject to the ICO's jurisdiction, as well as the lead EEA regulator.

Organisations with a main establishment in the UK and no establishments elsewhere in the EEA: you will no longer be able to take advantage of the GDPR 'One Stop Shop'. As GDPR has extra-territorial effect in certain circumstances, you may have to deal with the supervisory authorities in all EEA states where data subjects are located, and whose personal data you process.

If you are based in the UK and do not have an establishment in the EEA, and you offer goods or services to data subjects in the EEA or monitor their behaviour, you will need to appoint a representative in the EEA, unless you can take advantage of an exception. Exceptions will need to be assessed on a case-by-case basis. 

If it is appropriate for you to appoint an EEA representative, you must ensure they are based in an EEA state where at least some of the individuals whose personal data you process are located. The role of the representative is largely a passive one – it will be identified in Privacy Notices and can be sent communications from EU individuals and EU data protection supervisory authorities. The representative needs to maintain records of processing activities and co-operate with a supervisory authority if it raises any issues.  

Under the 'UK GDPR', relevant organisations located outside of the UK will need to appoint a UK representative, again subject to a relevant exception applying.

Your Privacy Notices and related documents such as terms and conditions for websites, and terms of business will need to be updated to take into account the various regulatory regimes that you are subject to after the end of the transition period, i.e., GDPR and/or the 'UK GDPR'. Other relevant documents such as data processing agreements and data protection impact assessments should also be reviewed.

Your updated Privacy Notices and communications with individuals will also need to: explain how you will transfer personal data to and from the EEA/UK and other jurisdictions; identify an EEA/UK representative (where one is appointed); and consider carefully the appropriate legal basis for processing personal data, as existing bases may no longer apply.

The UK GDPR will require data controllers to appoint a Data Protection Officer (DPO) by reference to the same criteria as under GDPR. In some circumstances, this can be the same person, provided they are easily accessible from both your UK and EEA establishments but you may need separate DPOs.

If you are a company operating with essential services (e.g., banking, health care, energy and transport) or you are currently providing online marketplaces, online search engines or cloud computing services to those in the EU, you may will also need to consider the effect of Brexit on the Network and Information Systems Regulations. The Regulations will continue to apply in the UK after the end of the transition period. As with GDPR, digital service providers will need to consider appointing representatives in the EEA and/or UK as appropriate. The Government has issued guidance for providers operating in the EU and for non-UK providers operating in the UK.