
Brexit - now what for data protection law?

17 February 2021

This article is taken from February's public matters newsletter.


The transition period has ended. What does this mean for data protection law?

The UK has implemented the General Data Protection Regulation ("GDPR") directly into UK law through the European Union (Withdrawal) Act 2018 in a form as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019 (likely to be referred to as the “UK GDPR”).

This new piece of legislation includes a Keeling Schedule which shows the tracked changes versions of the UK GDPR and the DPA 2018. UK organisations will need to comply with the UK GDPR.

In addition, UK organisations will continue to be subject to the extraterritorial provisions of the EU GDPR (Article 3(2)) where EU data is being processed. For some personal data processing there may therefore be two versions of the GDPR to comply with.

The UK exit deal includes an extension for personal data to flow freely between the European Economic Area ("EEA") and the UK for four months, with an optional two-month period of extension, so the EU has until the end of June 2021 to agree an adequacy decision.

The UK is free to change its privacy laws at any time but doing so would allow the EU to cancel the extension period or any adequacy decision.

International data transfers

The deal means that transfers of personal data from the EEA to the UK do not qualify as transfers to a third country. No additional transfer mechanism is required during the extension period; however, it would be a sensible precaution for most UK businesses (and this is the position that the ICO also advises) to have the SCCs in place anyway if you are transferring personal data from the EU to the UK.

EU and UK Representatives

The requirement to appoint an EU representative does not appear to have been waived by the UK exit deal. CNIL, the French regulator, has issued a statement reminding UK businesses that they will be required to appoint an EU representative from 1 January 2021.

If your business regularly deals with personal data of individuals in the EU then Browne Jacobson can help you to get an EU representative in place. There are certain qualities that you are likely to want from an EU representative (and you’re likely to want a contract in place); we can help with that process.

Which Supervisory Authority?

The ICO will be the supervisory authority for the UK GDPR.

If your organisation is also established in the EU then you will have a lead supervisory authority in the EU jurisdiction where you are established (or, if established in multiple EU jurisdictions, then that will be determined according to European Data Protection Board guidance (“EDPB Guidance”)). Bear in mind that this means you could now be fined by both the ICO and the EU lead supervisory authority.

If the organisation is not established in the EU but is offering goods or services or monitoring the behaviour of data subjects in the EU then it will be subject to the ICO and the supervisory authority in each jurisdiction. The ICO’s guidance is clear that “In theory, the retailer could be fined by the ICO and the supervisory authority in every EU and EEA state where customers have been affected.”

As set out in the EDPB Guidance, having an EU representative does not mean you are established in the EU for the purposes of qualifying for a lead supervisory authority. A UK organisation with no EU establishments and an EU representative in France could still be fined by each and any supervisory authority in jurisdictions where data subjects have been affected.

Drafting documents

UK organisations will need to consider the drafting of their agreements, particularly the definitions of GDPR, which will now need to reflect the fact that there are two separate GDPRs.

Depending on the transfers of data involved, you may need to revise existing contracts to include the SCCs and to amend any privacy notices to refer to the correct legislation and representative.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Richard Nicholas


Partner and Responsible for In House Lawyers
