Brexit and Data Protection: Which regime will apply?

Posted on 24 November 2020

Many businesses getting ready for the end of the transition period on 31 December 2020 are keeping a close eye on whether the European Commission will make an adequacy decision in favour of the UK's post-Brexit data protection regime. This has huge significance, most obviously in relation to data transfers from the European Economic Area (EEA) to the UK, in the light of the CJEU's recent decision in Schrems II concerning the most obvious mechanism for such transfers in the absence of an adequacy decision: Standard Contractual Clauses. This issue is being looked at urgently by data protection authorities globally, including the UK's ICO, given its impact on international data flows generally, and through a Brexit lens. As recently reported, the aggregate cost to UK firms of there being no adequacy decision will likely be between £1 billion and £1.6 billion.

Whether or not there is a finding of adequacy will also have an impact on which regime may apply in relation to certain acts of data processing by UK businesses, as a result of provisions in the EU/UK Withdrawal Agreement. Businesses may need to distinguish carefully between personal data processed before the end of the transition period and data processed after the end of the transition period.

Which regime will apply after the end of the transition period?

The basic position is that, as an EU Regulation, GDPR will no longer apply directly in the UK after the end of the transition period.

However, the GDPR will be retained in UK law as part of 'EU retained law'. Dubbed 'UK GDPR', the UK's post-Brexit data protection regime will largely replicate the 'actual GDPR' as it stands at the end of the transition period, with revisions to reflect the UK context. Divergence over time is possible, for example if the actual GDPR is revised and the UK does not follow suit, but this would have implications for any adequacy finding.

The 'UK GDPR' will apply to acts of processing after 1 January 2021 relating to the personal data of individuals in the UK, and will also apply to controllers and processors outside the UK if, for example, they are offering goods and services to individuals in the UK or monitoring their behaviour in the UK.

This extra-territorial effect is also a feature of the actual GDPR. Accordingly, after 1 January 2021, UK businesses that have an establishment in the EEA, offer goods and services to customers in the EEA, or monitor the behaviour of individuals in the EEA, will need to continue to comply with the actual GDPR in relation to acts of processing of personal data.

As we explain in our Brexit & Data Protection guide and discuss in our recent webinar, the extra-territorial effect of both the actual and UK versions of GDPR raises a number of issues relating to, for example, the requirement to have a representative in the relevant territory unless an exception applies.

In addition, Article 71 of the UK/EU Withdrawal Agreement contains provisions relating to personal data of data subjects outside the UK (i.e., including data subjects outside of the EEA) that were processed in the UK before the end of the transition period. Unless the UK obtains an adequacy decision from the EU, the processing of such 'legacy' personal data after the end of the transition period must comply with EU law, including GDPR, as it stands on 31 December 2020. This means that if a UK company was, before the end of the transition period, processing the personal data of an individual in the US, its continued processing of that data after 1 January 2021 would remain subject to the actual GDPR (as at 31 December 2020), rather than the UK GDPR.

Accordingly, unless and until an adequacy decision in favour of the UK data protection regime is in place, any continued processing of data that was obtained from data subjects outside the UK (i.e., not just limited to data subjects in the EEA) before 31 December 2020 should continue to comply with GDPR. If an adequacy decision is subsequently obtained in favour of the UK, the processing of such data will instead be subject to UK GDPR and the Data Protection Act 2018, or the actual GDPR if the data subject is in the EEA.

The potential complexity these different scenarios present can be demonstrated by the table below ('TP' refers to the transition period).

However, in practical terms, at least initially, this may not mean significant alterations to the ways in which controllers and processors, who already comply with GDPR, structure their data processing operations and compliance. That said, given the prospect of divergence between UK GDPR, EU GDPR as it develops and EU GDPR as it stands at 31 December 2020, it would be useful to conduct an audit of the different categories of data processed so that the relevant regime which will apply in relation to that processing after the end of the transition period can be identified.

 

 

| Data subject | UK-based controller: during TP | UK-based controller: after TP | EU/EEA-based controller: during TP | EU/EEA-based controller: after TP | Rest of the World-based controller: during TP | Rest of the World-based controller: after TP |
| --- | --- | --- | --- | --- | --- | --- |
| Data subject in the UK whose data is collected during or before TP | GDPR applies | UK GDPR applies | GDPR applies | GDPR applies, and UK GDPR applies if Art 3(2) of UK GDPR applies | GDPR applies if Art 3(2) of GDPR applies | UK GDPR applies if Art 3(2) of UK GDPR applies |
| Data subject in the UK whose data is collected after TP | N/A | UK GDPR applies | N/A | GDPR applies, and UK GDPR applies if Art 3(2) of UK GDPR applies | N/A | UK GDPR applies if Art 3(2) of UK GDPR applies |
| Data subject in the EU/EEA whose data is collected during or before TP | GDPR applies | UK GDPR applies OR until there is an EU finding of adequacy about the UK, GDPR applies to such data under Art 71(1)(a) WA | GDPR applies | GDPR applies | GDPR applies if Art 3(2) of GDPR applies | GDPR applies if Art 3(2) of GDPR applies |
| Data subject in the EU/EEA whose data is collected after TP | N/A | UK GDPR applies, and GDPR applies if Art 3(2) of GDPR applies | N/A | GDPR applies | N/A | GDPR applies if Art 3(2) of GDPR applies |
| Data subject in Rest of the World whose data is collected during or before TP | GDPR applies | UK GDPR applies OR until there is an EU finding of adequacy about the UK, GDPR applies to such data under Art 71(1)(a) WA | GDPR applies | GDPR applies | N/A | N/A |
| Data subject in Rest of the World whose data is collected after TP | N/A | UK GDPR applies | N/A | GDPR applies | N/A | N/A |

 
