Following our previous article on the no-deal Brexit data protection guidance released by DCMS and the ICO, the UK government has published draft regulations which will apply in the event of a No Deal, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Data Protection Brexit Regulations).
The Data Protection Brexit Regulations, if passed by Parliament, will make changes to the GDPR and the Data Protection Act 2018 (DPA 2018) so that the law continues to function effectively after the UK has left the EU. While the European Union (Withdrawal) Act 2018 (the Withdrawal Act) retains the GDPR in UK law at the point of exit, the Data Protection Brexit Regulations are necessary as there are a number of aspects that can't be left to the Withdrawal Act. The GDPR as it applies to the UK will, after exit day, be referred to as the UK GDPR and will apply in the same way to processing by controllers and processors who are established outside the UK. This will extend the extraterritorial application of the domestic framework to the remaining EEA Member States.
Of particular note is how transfers of personal data to third countries or international organisations will be dealt with through new adequacy regulations and that mechanisms such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) will continue to be considered appropriate safeguards for the transfer of personal data to third countries or international organisations. The provision in the GDPR to adopt a representative in certain circumstances is also retained. This means that a controller or processor outside of the UK will (in certain circumstances) have to designate a representative in the UK for the purposes of ensuring compliance with the UK GDPR.
What are the key changes?
Transfers of personal data to third countries or international organisations
Under the GDPR, controllers and processors may not transfer personal data to countries outside the EEA unless certain safeguards are in place. One established process is where the European Commission has established that the legal framework of the country in question provides an 'adequate' level of protection for personal data. When the UK leaves the EU, the UK GDPR will transfer the European Commission's power to make an adequacy decision to the Secretary of State. Through 'adequacy regulations', the Secretary of State will be able to specify whether a third country, territory, sector or international organisation ensures an adequate level of protection of personal data.
In the absence of an adequacy decision, the transfer of personal data to countries outside the EEA can still occur by using alternative safeguards, for example SCCs or BCRs. When the UK leaves the EU, the Secretary of State may issue SCCs for use by UK businesses. Interestingly, the Information Commissioner will continue to be able to authorise BCRs under the UK GDPR.
To ensure that established data flows from UK controllers to organisations outside of the UK can continue after the UK leaves the EU, the Data Protection Brexit Regulations insert transitional provisions in the DPA 2018 in relation to adequacy decisions, SCCs and BCRs.
The Data Protection Brexit Regulations also confirm that:
- the UK will be able to transfer data to jurisdictions subject to an EU adequacy decision prior to exit day;
- the use of SCCs previously issued by the European Commission will continue to be an effective basis for international data transfers from the UK to third countries after exit day (whether SCCs are in fact 'adequate' from a data protection point of view is still being challenged in proceedings before the European Court of Justice, but the ICO's guidance for now is to make use of them while they remain in effect); and
- any existing authorisations of BCRs made by the Information Commissioner prior to exit day will continue to be recognised for the purposes of the UK GDPR.
One of the greatest changes brought about by the GDPR from the previous regime was the extension in territorial scope; the GDPR covers controllers and processors who are based outside the EEA but who are processing data of persons within the EEA in relation to the offering of goods and services to them, or for monitoring purposes. The Data Protection Brexit Regulations retain this principle. In practice this means that the UK GDPR will apply to a controller or processor who is based outside of the UK, but is processing personal data of people within the UK in relation to the offering of goods and services to them or for monitoring purposes (including those established within the EEA after the UK's exit).
In certain circumstances, a controller or processor not established in the EEA is required to appoint a representative within the EEA where they are processing the personal data of data subjects in the EEA. The representative can be contacted by supervisory authorities and/or data subjects, in addition to the controller/processor. This concept has been retained in the Data Protection Brexit Regulations and so applies to a controller or processor outside of the UK who is processing the personal data of data subjects in the UK. These entities would need to appoint a UK representative.
Single General Processing Regime
In order to simplify matters at the point of exit, the Data Protection Brexit Regulations aim to create a single regime for data processing which is currently regulated in the UK by both the GDPR and the DPA 2018 (this covers activities outside the scope of EU law and includes appropriate exemptions for common foreign and security policy activities). Further, where appropriate, where any derogations were allowed under the GDPR and were set out in the DPA 2018 (or elsewhere as the case maybe) these are set out in the Data Protection Brexit Regulations. For example, Article 8 of the GPDR which applies where one is offering an information society service (ISS) directly to a child, defines a child as a person 'below the age of 16 years'. However, it also allows Member States to decide the age at which children can consent to the processing of their personal data in the context of an ISS, at national level. The UK has set this limit at age 13 and so references to '16 years old' will be substituted to '13 years old'.
To provide clarity, the retained version of the GDPR will be renamed the 'UK GDPR'.
The Data Protection Brexit Regulations correct any deficiencies arising from the UK's departure from the EU. For example, references to 'Member States' and 'Union law' are replaced with references to 'domestic law' and references to 'supervisory authorities' will be replaced with references to the ['Information] Commissioner'. Further, any functions performed by the European Commission will now be performed by the Secretary of State or the Information Commissioner (as appropriate).
A number of articles in the GDPR will be omitted from the UK GDPR as they are no longer necessary. To name two examples: Articles 60-75 GPDR make provisions for supervisory authorities of EU Member States to work together to investigate cross-border data breaches, agree on which authority should take the lead where personal data from more than one EU Member State is being processed and ensure that the GDPR is enforced consistently across Member States. It also creates the EDPB. In the absence of any subsequent agreement, when the UK leaves the EU it will no longer be party to these consistency mechanisms and will not be on the EDPB. The UK GDPR therefore removes these provisions.
Another example is where there are references in the GDPR permitting Member States to make certain data protection provisions in domestic law (see for example, articles 87, 88 and 90). These will no longer be necessary when the UK leaves the EU.
What about the PECR?
The Data Protection Brexit Regulations briefly mention the Privacy and Electronic Communications (EC Directive) Regulations 2003 solely to make it clear that any references from the GPDR incorporated into the PECR (for example, the definition of "consent") will now be amended to be taken from the UK GDPR. The planned European e-privacy Regulation, which was going to replace the PECR, was hoped by many to come out at the same time as the GDPR, but now looks like it won't be ready before – at the very earliest - the European Parliament elections in May.
The Data Protection Brexit Regulations will continue to be reviewed and should be read in conjunction with all available guidance from the ICO and DCMS. Both the UK and the EU are continuing to negotiate steps for dealing with data protection under the Withdrawal Act and Political Declaration. In its latest report, the House of Lords' EU Committee states that the European Commission will start the process of assessing the UK's data protection regime as soon as possible after the withdrawal date, with a view to adopting an ‘adequacy decision’ by the end of the transition period on 31 December 2020, to allow data flows to proceed without interruption.