Brexit - now what for data protection law?
UK organisations need to comply with the UK GDPR and continue to be subject to the EU GDPR where EU data is being processed, so there may be two versions of the GDPR to comply with for some personal data processing.
This article is taken from February's public matters newsletter. Click here to view more articles from this issue.
The transition period has ended. What does this mean for data protection law?
The UK has implemented the General Data Protection Regulation ("GDPR") directly into UK law through the European Union (Withdrawal) Act 2018 in a form as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019 (likely to be referred to as the “UK GDPR”).
This new piece of legislation includes a Keeling Schedule which shows the tracked changes versions of the UK GDPR and the DPA 2018. UK organisations will need to comply with the UK GDPR.
In addition, UK organisations will continue to be subject to the extra territorial provisions of the EU GDPR (Article 3(2)) where EU data is being processed. There may therefore be two versions of the GDPR to comply with for some personal data processing.
The UK exit deal includes an extension for personal data to flow freely between the European Economic Area ("EEA") and the UK for four months with an optional two month period of extension, so the EU has until the end of June 2021 to agree an adequacy decision.
The UK is free to change its privacy laws at any time but doing so would allow the EU to cancel the extension period or any adequacy decision.
International data transfers
The deal means that transfers of personal data from the EEA to the UK do not qualify as transfers to a third country. No additional transfer mechanism is required during the extension period, however it would be a sensible precaution for most UK businesses (and the position that the ICO also advises) to have the SCCs in place anyway if you are transferring personal data from the EU to the UK.
EU and UK Representatives
The requirement to appoint an EU representative does not appear to have been waived by the UK exit deal. CNIL, the French regulator, has issued a statement reminding UK businesses that they will be required to appoint an EU representative from 1 January 2021.
If your business regularly deals with personal data of individuals in the EU then Browne Jacobson can help you to get an EU representative in place. As your representative in the EU there are certain qualities that you are likely to want from an EU representative (and you’re likely to want a contract in place) we can help with that process.
Which Supervisory Authority?
The ICO will be the supervisory authority for the UK GDPR.
If your organisation is also established in the EU then you will have a lead supervisory authority in the EU jurisdiction where you is established (or if established in multiple EU jurisdictions then that will be determined according to European Data Protection Board guidance (“EDPB Guidance”). Bear in mind that this means you could now be fined by both the ICO and the EU lead supervisory authority.
If the organisation is not established in the EU but is offering goods or services or monitoring the behaviour of data subjects in the EU then it will be subject to the ICO and the supervisory authority in each jurisdiction. The ICO’s guidance is clear that “In theory, the retailer could be fined by the ICO and the supervisory authority in every EU and EEA state where customers have been affected.”
As set out in the EDPB Guidance, having an EU representative does not mean you are established in the EU for the purposes of qualifying for a lead supervisory authority. A UK organisation with no EU establishments and an EU representative in France could still be fined by each and any supervisory authority in jurisdictions where data subjects have been affected.
Drafting documents
UK organisations will need to consider the drafting of their agreements, particularly the definitions of GDPR which will now need to appreciate the fact that there are two separate GDPRs.
Depending on the transfers of data involved you may need to revise existing contracts to include the SCCs and to amend any privacy notices to refer to the correct legislation and representative.
Contact
Richard Nicholas
Partner
richard.nicholas@brownejacobson.com
+44 (0)121 237 3992
Related expertise
You may be interested in...
Legal Update - Employment Rights Bill
The Employment Rights Bill: Is it here yet?
Legal Update
June 2025: A busy month for kinship care
Legal Update
A new planning bill for Wales: What will this mean?
Legal Update
PuFin takes flight: Homes England launches new bank
Opinion
Pride Month: A time to review DEI
Guide
Legal project management: A cornerstone in operational delivery of inquiries
Legal Update
Navigating legal realties for new councillors
Legal Update
Analysis: National audit on group-based child sexual exploitation and abuse (June 2025)
Press Release
Browne Jacobson comments on the government's 10 year infrastructure strategy
Opinion
Employer redundancy guide: Sourcing alternative employment
Press Release - Firm news
Browne Jacobson delivers record-breaking growth as strategic vision drives exceptional performance
Legal Update
What might the public inquiry on child sexual exploitation look like
On-Demand
Managing data risks effectively in M&A strategies and corporate transactions
Opinion
Spending Review: Setting the stage for UK investment
Guide
Using AI for recruitment: The data issues
Press Release
Spending Review 2025: Browne Jacobson lawyers respond to Chancellor’s announcement
Legal Update
ESG and sustainability report: Rethinking communication and credibility
Press Release
Majority of UK organisations remain committed to sustainability and ESG, says new research
Legal Update
Producing robust capacity assessments and the approaches to assessing capacity
Legal Update - Public matters newsletter
Public matters: May 2025
Legal Update
Is the standards regime about to undergo a significant overhaul?
Video
Investigations and inquiries into child sexual exploitation and grooming
Legal Update
Navigating the streets: The legal landscape of low traffic neighbourhoods
Legal Update - Planning reform
All change: The implications of planning reform upon regeneration projects
Legal Update
Supporting local authorities in tackling housing challenges
Legal Update
Consultation on proposed changes to Estyn inspection regime in Wales
Published Article
Andrew Walker, Bridget Tatham: The case for better risk management
Legal Update
AI-driven legal access to information: DSARs, FOI requests, and the emerging landscape
Opinion
Disciplinary procedures and mental health: Employer considerations
Published Article
Anonymity injunctions for clinicians
Legal Update
Supporting mental wellbeing in the workplace: Practical steps for businesses
Press Release
Browne Jacobson appointed to Adra legal framework as housing association launches 2030 vision
Press Release - Firm news
Browne Jacobson appoints Will Thomas as Partner in planning team
Guide - Autonomous vehicles
Autonomous vehicles in the UK: Where are we now?
Press Release
US-UK trade deal: Reaction from Browne Jacobson lawyers
Legal Update - IP insights
IP insights: May 2025
Press Release
Browne Jacobson signs strategic partnership with Local Government Information Unit
Opinion
EHRC releases guidance for employers after Supreme Court ruling on definition of woman
Press Release
Browne Jacobson to explore skills challenges in built environment at UKREiiF event
