The UK left the EU on 31 January 2020. However, nothing much has changed in relation to data protection as, under the Withdrawal Agreement between the UK and EU27, we are now in a 'transition period' during which EU laws continue to apply in the UK, as if it were still a Member State. The transition period will end on 31 December 2020. It is possible that it will be extended by agreement between the UK and EU27, but the UK Government has said that it does not intend to seek an extension.
For data protection compliance, it remains business as usual during the transition period. GDPR remains applicable in the UK, and data flows between the EEA and the UK can continue as they do now. However, at the end of the transition period, the UK will be a 'third country' for the purposes of GDPR, and will need the benefit of an adequacy decision from the European Commission for data transfers to the UK to continue in a straightforward fashion. Now that the UK has left the EU, the Commission can start the process of considering whether the UK does offer adequate protection, as trailed in the Political Declaration. However, an adequacy decision for the UK is not a foregone conclusion: the UK plans to continue applying GDPR after the transition period (in the form of the 'UK GDPR') but there are concerns in relation to the UK's law enforcement agencies' approach to personal data. Further, 11 months is a short period in which to finalise an adequacy decision, with some earlier decisions taking the Commission up to five years to finalise.
At the end of the transition period, the 'actual GDPR' will no longer apply in the UK. However, 'UK GDPR' will then come into effect and, of course, UK based organisations that also have an establishment in the EEA, or that process personal data of individuals based in the EEA, will still need to comply with the 'actual GDPR'. Businesses will therefore need to navigate and comply with two regulatory regimes, and be alive to the possibility of enforcement action/complaints in several jurisdictions across the EEA and/or the UK, potentially arising from a single data incident.
We have previously discussed the potential issues to consider at the end of the transition period. Much will depend upon how negotiations pan out over the coming 11 months, but the following issues need to be kept in mind and planned for:
- Data transfers: if no adequacy decision is in place at the end of the transition period, transfers of personal data from the EEA to the UK will only be able to occur using Standard Contractual Clauses (SCCs) (the legitimacy of which is under consideration by the European Court of Justice), Binding Corporate Rules, Codes of Conduct and Certification Mechanisms, and derogations, such as data subjects' consent. It's assumed that transfers from the UK to the EEA will be able to continue as now, as the UK Government has previously said that it will treat EU data protection standards as sufficient. Businesses will have already started the process of preparing for a No Deal last year, including auditing their international flows of personal data, and this should remain a priority for 2020.
- Lead supervisory authority: under GDPR, EEA-based organisations carrying out processing in more than one EEA state need only deal with a single regulatory authority as their lead supervisory authority. Businesses that operate across the EEA and currently have the UK ICO as their lead supervisory authority should consider whether any of their EEA establishments could be their main establishment in the EEA in order to take advantage of the GDPR 'one stop shop'.
- EEA representative (and UK representative for non-UK businesses): UK businesses without an establishment in the EEA that offer goods or services to data subjects in the EEA, or monitor their behaviour, will need to appoint a representative in the EEA after the end of the transition period, unless they can take advantage of an exception. Similarly, non-UK businesses operating in this way in the UK will need to appoint a UK representative.
- Updates to Privacy Policies and related documents: bear in mind the necessary changes you will need to make to Privacy Policies, website terms and conditions, and terms of business.
More information can be found in the ICO's Brexit Q&A. We will continue to monitor developments over the coming months and update this blog.