Late in the afternoon of 24 December 2020, the UK government and the European Commission announced that the UK and the EU had agreed the terms of a post-Brexit free trade deal. The text of the Agreement was published later the same day. Media coverage (and social media in particular) is already myth-ridden. Here, we consider and bust some myths related to privacy and data protection.
Myth 1 – as GDPR is an EU regulation, it no longer applies in the UK.
While the EU GDPR no longer applies directly in the UK (save for its extra-territorial reach, as discussed under Myth 2), the UK is committed to maintaining high standards of data protection and has therefore incorporated the GDPR into UK law as retained EU law (by virtue of section 3 of the European Union (Withdrawal) Act 2018). The UK version is known as the “UK GDPR” and reflects various consequential technical changes made to adapt the EU GDPR to work under UK law (for example, references to the EU and to Member States become references to the UK). Broadly, therefore, UK organisations need to continue to comply with the UK version of the GDPR.
However, personal data of data subjects outside the UK that was processed in the UK before the end of the transition period on 31 December 2020 (known as “legacy data”) will continue to be subject to the EU GDPR as it stood on that date (known as the “frozen GDPR”), until an adequacy decision in favour of the UK is adopted. In practice this should not make a material difference, save that the frozen GDPR will be interpreted by the European Court whereas the UK GDPR will be interpreted by the UK courts, so some divergence may emerge over time.
At present, many organisations have drafted their GDPR compliance documentation from the perspective of the UK being a member of the EU. That documentation should be reviewed so that references to the EU, the EEA and the supervisory authority are updated accordingly. In particular, privacy notices may need to be updated in relation to international transfers and the appointment of a representative. Data processing and data sharing contracts with third parties should also be reviewed to ascertain whether they contain any restrictions on transfers outside the EEA, since a transfer to the UK is now such a transfer.
Going forward, the main sources of UK data protection law will be the UK GDPR as well as the Data Protection Act 2018.
Myth 2 – as we have left the EU, UK companies no longer need to comply with the EU GDPR.
Notwithstanding that the UK is no longer a member of the EU, many UK organisations will continue to be caught by the EU GDPR due to its extra-territorial reach (Article 3(2) GDPR). If you offer goods or services to individuals in the EU, or you monitor the behaviour of individuals located in the EU, you will need to comply with both the UK data protection regime and the EU regime. This carries with it the potential for regulatory action, including fines, from both EEA supervisory authorities and the ICO in the event of a data breach or other infringement of data protection law.
UK organisations that are subject to the EU GDPR but have no establishment within the EU will have to consider whether they are required to appoint an EU representative pursuant to Article 27 GDPR. The representative is a separate role from that of a data protection officer and may be addressed directly by supervisory authorities and data subjects on the organisation’s behalf.
In addition, UK organisations carrying out processing in the EEA following Brexit may need to identify a new lead supervisory authority for their EU processing, as the ICO is no longer part of the EU “one-stop-shop” mechanism and cannot act as lead supervisory authority for processing outside the UK.
Myth 3 – as a Brexit deal was done, data flows from EU to UK can continue.
This is only partly correct. There is no “adequacy decision” within the Trade and Cooperation Agreement (TCA). However, the TCA provides a temporary “bridging mechanism” under which transfers of personal data from the EEA to the UK are not treated as transfers to a third country and so can continue without any additional transfer mechanism. This arrangement lasts for four months from 1 January 2021, extendable by a further two months unless one of the parties objects, and ends earlier if an adequacy decision is adopted.
So, what will happen when this bridging mechanism expires? The hope and expectation is that the UK will receive the benefit of an adequacy decision within the four to six month period. An adequacy decision would allow transfers of data from the EEA to the UK without the need for any other transfer mechanism (such as standard contractual clauses). In a joint declaration published alongside the TCA, the European Commission stated its intention to proceed promptly with the procedure for the adoption of an adequacy decision. However, while an adequacy decision seems reasonably likely, it is not guaranteed. It will therefore be prudent for organisations to map their international transfers now and be prepared to implement another transfer mechanism if the need arises.
In any event, following Schrems II in July 2020 and the European Commission’s publication of proposed new standard contractual clauses in November 2020, all cross-border data flows will need to be reviewed and updated in 2021. In addition, in order to rely on standard contractual clauses, organisations will need to carry out a “transfer impact assessment” to determine whether the clauses, in the light of the law and practice of the destination country, guarantee a level of protection for the transferred data that is essentially equivalent to that under the GDPR. If the SCCs alone would not guarantee an equivalent level of protection, “supplementary measures” (such as encryption to which the importer holds no key) need to be put in place to achieve it. See further https://idatalaw.com/2020/11/20/new-guidance-for-international-transfers-post-schrems-ii/
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.