What does Brexit mean for data protection?
Author: Lowri Morgan-Macdonald
Following the end of the Brexit transition period on 31 December 2020, you may be wondering what, if any, steps you need to take in order to ensure that you continue to comply with data protection laws.
In this article, we have sought to answer some of the key questions that you may have on data protection compliance going forward.
1. What does this mean for the GDPR?
From 31 December 2020, the GDPR no longer applies to the UK as it is an EU regulation. However, the GDPR has been retained in domestic UK law and is now known as the UK GDPR and will continue to sit alongside an amended version of the Data Protection Act 2018.
This is distinct from the EU GDPR which will continue to apply in the European Economic Area (EEA).
2. Is the EU GDPR still relevant to us?
Due to its territorial scope, the EU GDPR may still apply directly to you if you either offer goods or services to individuals in the EEA, or you monitor the behaviour of individuals in the EEA.
You should therefore bear in mind that you may be subject to both the UK GDPR and EU GDPR when you process personal data and will need to ensure that you comply with both regimes in such circumstances.
The EU GDPR will also apply to any EEA organisations who transfer personal data to the UK.
3. What is the Frozen GDPR and legacy data?
The Frozen GDPR is a term used by the Information Commissioner’s Office to describe the EU GDPR as it stood on 31 December 2020. From 1 January 2021, the Frozen GDPR applies to what is known as legacy data which is essentially personal data of individuals outside the UK which is processed in the UK and which was acquired before the end of the transition period.
As such, you will need to comply with the Frozen GDPR when processing such legacy data from 1 January 2021. For these purposes, any references to the EU or to member states will be deemed to include the UK such that there will be no restrictions for transfers of personal data between the UK and the EU (see below for further details on such restrictions going forward).
This is intended to ensure consistency in how non-UK personal data is protected at the end of the transition period.
Note however that the Frozen GDPR will no longer apply if an adequacy decision is made by the European Commission in respect of the UK (see below for further details).
4. What do I need to do to transfer personal data from the UK to the EEA?
Under both the EU GDPR and the UK GDPR, personal data can only be transferred to a third country if it is covered by either (a) an adequacy decision or regulation; (b) appropriate safeguards (such as standard contractual clauses); or (c) one of the limited exceptions.
From 1 January 2021, any country outside the UK, including the EEA, is considered a third country for the purposes of the UK GDPR, such that a UK organisation can only transfer personal data to such a third country if the transfer is covered by one of the mechanisms referenced above.
However, the UK government has confirmed that transfers of personal data from the UK to the EEA and/or any countries which were covered by a European Commission adequacy decision as at 31 December 2020 (which include Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay and, in certain circumstances, Japan and Canada) will be permitted – this means that you will not need to take any further actions at this stage in order to transfer personal data to such territories.
5. What do I need to do to transfer personal data from the EEA to the UK?
From 1 January 2021, the UK is considered a third country for the purposes of the EU GDPR which means that an EEA organisation can only transfer personal data to the UK if it is covered by one of the mechanisms mentioned above.
It was hoped that the European Commission would reach an adequacy decision in respect of the UK prior to the end of the transition period. Although that has not yet occurred, as part of the EU-UK Trade and Cooperation Agreement which was reached on Christmas Eve, a so-called ‘bridge’ was agreed which allows the free flow of personal data from the EEA to the UK to continue following the end of the transition period. The bridge will remain in place either until a UK adequacy decision is reached by the European Commission, or until 30 June 2021, whichever comes first.
The European Commission finally published a draft adequacy decision in respect of the UK on 19 February 2021. This draft decision will now be shared with the European Data Protection Board for a non-binding opinion before finally being presented to EU member states for their formal approval. The UK has strongly encouraged the EU to complete the final approval process as soon as possible so that data can continue to flow freely between the EU and UK.
However, if the bridge comes to an end without an adequacy decision having been approved, any organisations still subject to the EU GDPR will need to ensure that one of the other mechanisms referenced above is in place.
6. Do I need to appoint a European representative?
From 1 January 2021, any UK controller or processor who does not have offices, branches or other establishments in the EEA, but who is either offering goods or services to individuals in the EEA, or is monitoring the behaviour of individuals in the EEA, may need to appoint a European representative.
This is because in such circumstances, you will still need to comply with the EU GDPR which requires you to appoint a representative in the EEA if you do not have a base there.
Amongst other requirements, the representative must be based in an EEA state where at least some of the individuals whose personal data you are processing are located. That representative will be authorised to act on your behalf regarding compliance with the EU GDPR.
For example, if you are a UK company that does not have offices in any EEA countries but has a regular customer base in France and Germany, you may need to appoint a European representative based in either France or Germany to act as your direct contact for data subjects and EEA supervisory authorities.
The only exceptions to this requirement are where (a) you are a public authority; or (b) where your processing is only occasional, of low risk to the data protection rights of individuals and does not involve large-scale use of special category or criminal offence data.
7. Do I need to appoint a UK representative?
Under the UK GDPR, any controller or processor that does not have a base in the UK but who is offering goods or services to individuals in the UK or is monitoring the behaviour of individuals in the UK may need to appoint a UK representative.
Equivalent requirements apply here as to the appointment of a European representative as referenced above.