Brexit - now what for data protection law?
UK organisations need to comply with the UK GDPR and continue to be subject to the EU GDPR where EU data is being processed, so there may be two versions of the GDPR to comply with for some personal data processing.
This article is taken from February's public matters newsletter. Click here to view more articles from this issue.
The transition period has ended. What does this mean for data protection law?
The UK has implemented the General Data Protection Regulation ("GDPR") directly into UK law through the European Union (Withdrawal) Act 2018 in a form as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019 (likely to be referred to as the “UK GDPR”).
This new piece of legislation includes a Keeling Schedule which shows the tracked changes versions of the UK GDPR and the DPA 2018. UK organisations will need to comply with the UK GDPR.
In addition, UK organisations will continue to be subject to the extra territorial provisions of the EU GDPR (Article 3(2)) where EU data is being processed. There may therefore be two versions of the GDPR to comply with for some personal data processing.
The UK exit deal includes an extension for personal data to flow freely between the European Economic Area ("EEA") and the UK for four months with an optional two month period of extension, so the EU has until the end of June 2021 to agree an adequacy decision.
The UK is free to change its privacy laws at any time but doing so would allow the EU to cancel the extension period or any adequacy decision.
International data transfers
The deal means that transfers of personal data from the EEA to the UK do not qualify as transfers to a third country. No additional transfer mechanism is required during the extension period, however it would be a sensible precaution for most UK businesses (and the position that the ICO also advises) to have the SCCs in place anyway if you are transferring personal data from the EU to the UK.
EU and UK Representatives
The requirement to appoint an EU representative does not appear to have been waived by the UK exit deal. CNIL, the French regulator, has issued a statement reminding UK businesses that they will be required to appoint an EU representative from 1 January 2021.
If your business regularly deals with personal data of individuals in the EU then Browne Jacobson can help you to get an EU representative in place. As your representative in the EU there are certain qualities that you are likely to want from an EU representative (and you’re likely to want a contract in place) we can help with that process.
Which Supervisory Authority?
The ICO will be the supervisory authority for the UK GDPR.
If your organisation is also established in the EU then you will have a lead supervisory authority in the EU jurisdiction where you is established (or if established in multiple EU jurisdictions then that will be determined according to European Data Protection Board guidance (“EDPB Guidance”). Bear in mind that this means you could now be fined by both the ICO and the EU lead supervisory authority.
If the organisation is not established in the EU but is offering goods or services or monitoring the behaviour of data subjects in the EU then it will be subject to the ICO and the supervisory authority in each jurisdiction. The ICO’s guidance is clear that “In theory, the retailer could be fined by the ICO and the supervisory authority in every EU and EEA state where customers have been affected.”
As set out in the EDPB Guidance, having an EU representative does not mean you are established in the EU for the purposes of qualifying for a lead supervisory authority. A UK organisation with no EU establishments and an EU representative in France could still be fined by each and any supervisory authority in jurisdictions where data subjects have been affected.
Drafting documents
UK organisations will need to consider the drafting of their agreements, particularly the definitions of GDPR which will now need to appreciate the fact that there are two separate GDPRs.
Depending on the transfers of data involved you may need to revise existing contracts to include the SCCs and to amend any privacy notices to refer to the correct legislation and representative.
Contact
Richard Nicholas
Partner
richard.nicholas@brownejacobson.com
+44 (0)121 237 3992
Related expertise
You may be interested in...
Opinion
Monitoring Workers – ICO Guidance
Legal Update - Procurement Act
Procurement Bill: Competitive flexible procedure, how will this work in practice?
Legal Update - Procurement Act
Procurement Bill - Are they still playing ping-pong?
Online Event
Data Shared Insights: Information sharing – why, when, how?
Legal Update
ICO consultation on fertility tracking apps
Press Release
Browne Jacobson collaborates with LGiU on report highlighting “critical” role of local government to hit net zero
Guide
Net Zero and Local Democracy: building and maintaining public support
Opinion
Vicarious liability of amateur sports teams for player on player injuries
Legal Update - Procurement Act
Procurement Act 2023: Getting Ready for Reform - the countdown is on!
Legal Update
Personal injury discount rate in England and Wales
Legal Update
Reinforced Autoclaved Aerated Concrete ('RAAC') implications for schools
Legal Update - Public matters newsletter
Public matters - September 2023
Legal Update
Fixed recoverable costs regime – are you ready?
Opinion
Parental alienation a tool for domestic abuse?
Opinion
£600m funding unveiled to boost social care workforce
Opinion
Are councils failing to tackle anti-social behaviour?
Press Release
Browne Jacobson announces appointment of Barrister to its Cardiff office
Legal Update
PPN 08/23: using standard contracts
Legal Update
Review of a subsidy control decision: The Durham Company Ltd v Durham County Council, 27 July 2023
Legal Update
Browne Jacobson grows Cardiff team with two new appointments
Press Release
Browne Jacobson advising the Welsh Government on the delivery of significant number of renewable energy projects
Published Article
UK: Legal issues with deepfakes
![Local authorities contracting out enforcement of debts - A review of the High Court’s judgment in Bailiffs Limited v Breckland Council [2023] EWHC 1569](/getattachment/69fe511b-7da4-4d9a-ac5b-f18436ce5fe2/gov-shutterstock_682694722-14.jpg?variant=HeroImageTabletVariantDefinition)
Legal Update
Local authorities contracting out enforcement of debts - A review of the High Court’s judgment in Bailiffs Limited v Breckland Council [2023] EWHC 1569
Opinion
Right to request flexible working – changes ahead for employers
Press Release
Browne Jacobson successfully defend vicarious liability claim appeal in connected person foster care case
Press Release - #BeingBrowneJacobson
Building our future town centres: advising local authorities on landmark acquisitions
Opinion
Are teacher strikes coming to an end?
Opinion
Further consultants strike announced following government pay offer
Opinion
Agency worker cover during strikes
Legal Update - Public matters newsletter
Public Matters - June 2023
Legal Update
What are we to do about self reporting in PFI contracts?
Legal Update
Guidance on contract changes: James Waste Management LLP v Essex County Council
Legal Update
Case summary: the importance of bringing a procurement claim within the appropriate time limits
Legal Update - Procurement Act
New obligations for Welsh public bodies on social partnership and socially responsible procurement
Legal Update
Public Consultation on a Mandatory Reporting Regime for Child Sexual Abuse
Legal Update
Top tips on tackling air pollution risk in a changing climate
Article
Challenging procurement decisions by way of Judicial Review - the key principles
Opinion
NHS announces artificial intelligence fund
Legal Update
New guidance for employers on Subject Access Requests published by the ICO
