Brexit - now what for data protection law?
UK organisations need to comply with the UK GDPR and continue to be subject to the EU GDPR where EU data is being processed, so there may be two versions of the GDPR to comply with for some personal data processing.
This article is taken from February's public matters newsletter. Click here to view more articles from this issue.
The transition period has ended. What does this mean for data protection law?
The UK has implemented the General Data Protection Regulation ("GDPR") directly into UK law through the European Union (Withdrawal) Act 2018 in a form as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019 (likely to be referred to as the “UK GDPR”).
This new piece of legislation includes a Keeling Schedule which shows the tracked changes versions of the UK GDPR and the DPA 2018. UK organisations will need to comply with the UK GDPR.
In addition, UK organisations will continue to be subject to the extra territorial provisions of the EU GDPR (Article 3(2)) where EU data is being processed. There may therefore be two versions of the GDPR to comply with for some personal data processing.
The UK exit deal includes an extension for personal data to flow freely between the European Economic Area ("EEA") and the UK for four months with an optional two month period of extension, so the EU has until the end of June 2021 to agree an adequacy decision.
The UK is free to change its privacy laws at any time but doing so would allow the EU to cancel the extension period or any adequacy decision.
International data transfers
The deal means that transfers of personal data from the EEA to the UK do not qualify as transfers to a third country. No additional transfer mechanism is required during the extension period, however it would be a sensible precaution for most UK businesses (and the position that the ICO also advises) to have the SCCs in place anyway if you are transferring personal data from the EU to the UK.
EU and UK Representatives
The requirement to appoint an EU representative does not appear to have been waived by the UK exit deal. CNIL, the French regulator, has issued a statement reminding UK businesses that they will be required to appoint an EU representative from 1 January 2021.
If your business regularly deals with personal data of individuals in the EU then Browne Jacobson can help you to get an EU representative in place. As your representative in the EU there are certain qualities that you are likely to want from an EU representative (and you’re likely to want a contract in place) we can help with that process.
Which Supervisory Authority?
The ICO will be the supervisory authority for the UK GDPR.
If your organisation is also established in the EU then you will have a lead supervisory authority in the EU jurisdiction where you is established (or if established in multiple EU jurisdictions then that will be determined according to European Data Protection Board guidance (“EDPB Guidance”). Bear in mind that this means you could now be fined by both the ICO and the EU lead supervisory authority.
If the organisation is not established in the EU but is offering goods or services or monitoring the behaviour of data subjects in the EU then it will be subject to the ICO and the supervisory authority in each jurisdiction. The ICO’s guidance is clear that “In theory, the retailer could be fined by the ICO and the supervisory authority in every EU and EEA state where customers have been affected.”
As set out in the EDPB Guidance, having an EU representative does not mean you are established in the EU for the purposes of qualifying for a lead supervisory authority. A UK organisation with no EU establishments and an EU representative in France could still be fined by each and any supervisory authority in jurisdictions where data subjects have been affected.
Drafting documents
UK organisations will need to consider the drafting of their agreements, particularly the definitions of GDPR which will now need to appreciate the fact that there are two separate GDPRs.
Depending on the transfers of data involved you may need to revise existing contracts to include the SCCs and to amend any privacy notices to refer to the correct legislation and representative.
Contact
Richard Nicholas
Partner
richard.nicholas@brownejacobson.com
+44 (0)121 237 3992
Related expertise
You may be interested in...
Online Event - Shared Insights
Shared Insights Data: Strategies for handling cyber attacks and data breaches
Press Release
Browne Jacobson appointed as legal adviser to Department for Transport Legal Advisers
Legal Update - Procurement Act
Provider Selection Regime - how will it work in practice?
Press Release
‘Privacy by design’ approach will help health and care organisations gain public trust in using technology as ICO publishes new guidance
Legal Update
Traffic Regulation Orders
Legal Update - Procurement Act
PPN 01/24: Carbon reduction contract schedule
Legal Update
Understanding the ICO's new fining guidance
Press Release
Fixing local government standards regime would help us to do our jobs, say monitoring officers at Browne Jacobson and LGiU roundtable
Legal Update - Procurement Act
Landmark judgment in OCS Group UK Limited v Community Health Partnerships Limited
Legal Update
ICO consultation on accessing care records: A legal perspective
Legal Update
Government updates guidance on holiday rules: What employers need to know
Legal Update
Subsidy control guidance update - welcome guidance on “small subsidies” introduced
Legal Update
Cyber-attacks in UK universities: Why failing to prepare is no longer an option
Opinion
R (Willmott) v Eastbourne Council: High Court rules council can deny social housing to disabled ex-tenant over anti-social behaviour
Legal Update
Artificial intelligence – shaping a sustainable future
Published Article
Government's asset sale plan: Short-term fix or long-term disaster?
Legal Update - Public matters newsletter
Public matters - March 2024
Press Release
Spring Budget 2024: Browne Jacobson reaction
Legal Update
Not quite a blanket ban on mobile phones in schools: DfE guidance insights
Legal Update
Charity law update – March 2024
Opinion
Caregivers at work: Navigating new carer's leave regulations
On-Demand - Shared Insights
Shared Insights: Sexual safety in the workplace — how leaders can help to create a sexual safety culture
Opinion
EHRC publishes new guidance on menopause and the workplace
Legal Update
Braceurself Ltd v NHS England 2024: Court of Appeal procurement case decision
Press Release
Browne Jacobson supports establishment of East Midlands Combined County Authority
Press Release
At the forefront of society’s biggest issues - a reflection of our public sector work throughout 2023
Legal Update
Churchill v Merthyr Tydfil Council: A game changing decision for local authorities
Legal Update
The Home Affairs Committee launched another inquiry into fraud - Stop! Think Fraud
Legal Update
Progress on the Automated Vehicles Bill
Legal Update
UK falls to lowest position for corruption – so what’s going wrong?
Legal Update
Streamlined routes for subsidies
Legal Update - Public matters newsletter
Public matters - January 2024
Legal Update - Procurement Act
Procurement reform: Making poor performance a thing of the past
Legal Update
Data protection in higher education: what to expect in 2024
Legal Update
Restrictive covenants – look before you leap!
Legal Update
The rise of AI in construction
Legal Update
Employment law in 2024: How changes impact education
Legal Update
Backpay for leavers: Employers risk unlawful deduction from wages claims
Press Release - Firm news
Browne Jacobson bolsters presence in Wales with three new appointments
