It’s not me, it’s EU: changes in data protection post Brexit

The world of data protection is facing some interesting times – more so than ever before. The main reason? The ‘b’ word on everybody’s lips: Brexit. Unfortunately, as everyone knows, we’re divorcing the EU (it’s been a pretty public break up), but the decree absolute doesn’t arrive until 31 December 2020. Even though we’ve got a bit more time to iron out the kinks and return each other’s belongings, we all still need to be aware of potential changes in data protection and how to comply with them. So, Commissum to the rescue! We thought we’d compile a short guide of some of the questions we’ve been asked!

Does Brexit mean the GDPR doesn’t apply?

No. The UK must continue to comply with the GDPR until the end of the transition period. After that, as catered for by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, the EU GDPR will be replicated to create the UK GDPR which will continue to be in force.

We have customers in the EU, do we need an EU representative?

Possibly. After the transition period ends (and if you’re offering goods or services to individuals in the EEA or monitoring the behaviour of individuals located in the EEA) you will need an EU representative, unless you’re a public authority or your processing is only occasional, of low risk to the data protection rights of individuals and does not involve special category or criminal offence data on a large scale.

Likewise, the reciprocal arrangement applies if you’re based outside the UK offering goods or services to individuals in the UK or monitoring the behaviour of individuals located in the UK, you’ll need a UK representative.

However, the need for a representative doesn’t mean you’ll be required to man an entire office. The representative can be an individual or company based in the EEA, such as a law firm, consultancy or private company, appointed under a service contract.

But, before you make any plans, be aware that the situation could still change: the European Data Protection Board (EDPB) has published guidelines on appointing a representative which are out for consultation as we speak.

Can we still transfer personal data from the UK to elsewhere?

Yes. The current rules on this haven’t changed and are unlikely to. It is the intention of the ICO to replicate the EU adequacy provisions which govern how we transfer data elsewhere. The only caveat to this is EU-US Privacy Shield participants, to which we can send personal data in the US, must update their public commitment to comply with the Privacy Shield to include the UK from the end of the transition period. While it is highly unlikely that participants won’t do this, you will still need to check and assure yourself that the commitment is in place.

Can we still transfer personal data from the EU to the UK?

Again, yes. But only up until the end of the transition period – for now. The UK has effectively become what’s known as a ‘third country’ and will be requesting an adequacy agreement from the EU to ensure existing transfers can continue BUT  there’s no guarantee this will be in place in time.

In the event an agreement is not reached by the end of 2020, you’ll need to fall back on the existing arrangements for third country transfers which (in nearly all cases) will be standard contractual clauses – essentially a contract with another party to ensure adequate data protection measures are in place. Interestingly, the current standard contractual clauses templates are EU documents dating back many years. There are plans by the EDPB to revise and update these but no new version has been agreed yet. However, when they are, and it is only a matter of time, you may need to update any you have in place unless the ICO advises otherwise. Will we have specific UK versions in the future? It’s possible. Will we then need one version for transfers from the EEA and another for the rest of the world? Again, it’s possible.

What about the EU e-Privacy Regulation?

The Privacy and Electronic Communications Regulations (PECR), derived from EU law and set out in UK law, will continue to apply to marketing, cookies and electronic communications. The EU has longstanding plans to replace its own law with a new e-privacy Regulation (ePR), but it has not yet been agreed. Whether it will be copied, just like the GDPR, into UK law is unknown at this time.

What other changes do we need to be aware of?

On 3 February Boris Johnson made a written statement setting out the Government’s proposed approach to the negotiations with the EU about our future relationship. It included: “The UK will in future develop separate and independent policies in areas such as… data protection…” It’s unclear exactly what this means at present, but it could be inferring the UK will move away from the provisions of the GDPR at some point. If your organisation offers goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA, or if you employ EU citizens, the effect of this could be the necessity of having to comply with two disparate data protection regimes.

If this sounds confusing then, unfortunately, I have some more bad news: with the adoption of other geographically specific data protection laws elsewhere in the world, such as the California Consumer Privacy Act, any organisation which operates internationally is only going to find their compliance burden increases.

Of course, your Data Protection Officer has all this under control by keeping their knowledge up to date and being ready to advise you on what you need to do at a moment’s notice. What’s that you say, you don’t have a DPO? Then for you, interesting times might not begin to cover it. 

Have you still got unanswered questions about data protection post-Brexit? Or just fancy a chat? Drop us a line!