
Brexit - now what for data protection law?

17 February 2021

This article is taken from February's public matters newsletter.


The transition period has ended. What does this mean for data protection law?

The UK has implemented the General Data Protection Regulation ("GDPR") directly into UK law through the European Union (Withdrawal) Act 2018 in a form as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019 (likely to be referred to as the “UK GDPR”).

This new piece of legislation includes a Keeling Schedule which shows the tracked changes versions of the UK GDPR and the DPA 2018. UK organisations will need to comply with the UK GDPR.

In addition, UK organisations will continue to be subject to the extra territorial provisions of the EU GDPR (Article 3(2)) where EU data is being processed. There may therefore be two versions of the GDPR to comply with for some personal data processing.

The UK exit deal includes an extension for personal data to flow freely between the European Economic Area ("EEA") and the UK for four months, with an optional two-month period of extension, so the EU has until the end of June 2021 to agree an adequacy decision.

The UK is free to change its privacy laws at any time but doing so would allow the EU to cancel the extension period or any adequacy decision.

International data transfers

The deal means that transfers of personal data from the EEA to the UK do not qualify as transfers to a third country. No additional transfer mechanism is required during the extension period. However, it would be a sensible precaution for most UK businesses (and the position that the ICO also advises) to have the SCCs in place anyway if you are transferring personal data from the EU to the UK.

EU and UK Representatives

The requirement to appoint an EU representative does not appear to have been waived by the UK exit deal. CNIL, the French regulator, has issued a statement reminding UK businesses that they will be required to appoint an EU representative from 1 January 2021.

If your business regularly deals with personal data of individuals in the EU then Browne Jacobson can help you to get an EU representative in place. There are certain qualities that you are likely to want from your representative in the EU (and you’re likely to want a contract in place), and we can help with that process.

Which Supervisory Authority?

The ICO will be the supervisory authority for the UK GDPR.

If your organisation is also established in the EU then you will have a lead supervisory authority in the EU jurisdiction where you are established (or, if you are established in multiple EU jurisdictions, the lead authority will be determined according to European Data Protection Board guidance (“EDPB Guidance”)). Bear in mind that this means you could now be fined by both the ICO and the EU lead supervisory authority.

If the organisation is not established in the EU but is offering goods or services or monitoring the behaviour of data subjects in the EU then it will be subject to the ICO and the supervisory authority in each jurisdiction. The ICO’s guidance is clear that “In theory, the retailer could be fined by the ICO and the supervisory authority in every EU and EEA state where customers have been affected.”

As set out in the EDPB Guidance, having an EU representative does not mean you are established in the EU for the purposes of qualifying for a lead supervisory authority. A UK organisation with no EU establishments and an EU representative in France could still be fined by each and any supervisory authority in jurisdictions where data subjects have been affected.

Drafting documents

UK organisations will need to consider the drafting of their agreements, particularly the definitions of GDPR, which will now need to reflect the fact that there are two separate GDPRs.

Depending on the transfers of data involved, you may need to revise existing contracts to include the SCCs and to amend any privacy notices to refer to the correct legislation and representative.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Richard Nicholas


Partner and Responsible for In House Lawyers
