Brexit, GDPR, & PECR – the UK Data Protection landscape
As the end of the transition period looms, what does Brexit mean for UK data protection law? And what does it mean for the marketing and cookie rules your business needs to adhere to?
2020 has been a year of tumult, economic turmoil and loo roll shortages. One could be forgiven for forgetting all about Brexit. Remember that? Like the shark from ‘Jaws’ (and the sequels), Brexit hasn’t gone anywhere – it’s lurking, waiting to strike.
Amid ongoing debates around the post-Brexit UK economy, many questions remain unanswered. For data protection, there are some answers, but also much uncertainty.
- Will GDPR still apply in the UK?
- What if my business operates in the EEA?
- Data transfers – what is ‘adequacy’ and will the UK get it?
- What about the UK’s Data Protection Act 2018?
- What about marketing and cookie rules – does PECR still apply?
- What about the EU’s ePrivacy Regulation?
- What will the ICO’s role be?
Fear not (okay, maybe a little). Like Mystic Meg, but in PPE, I’ve looked into my crystal ball of data protection to predict what might happen come 1st January 2021…
Will GDPR still apply in the UK?
Deep joy! It’s time for us to get familiar with two new terms: EU GDPR and UK GDPR.
On 1st January 2021, at the end of the transition period, EU GDPR will no longer apply to the UK, as it is an EU Regulation.
However, the UK Government intends to incorporate the GDPR into UK data protection law; hence UK GDPR. So, in practice, there will be little change to the core data protection principles governing your business activities. Your legal obligations regarding individuals’ rights, for instance, essentially remain the same.
UK GDPR will of course need some tweaks and technical amendments to reflect the UK’s status outside the EU to make it fit for purpose in a UK-only context. These are set out in detail in the new data protection exit regulations.
The Information Commissioner’s Office (ICO) is stressing that its GDPR guidance will still apply:
“We expect UK data protection law to be essentially aligned with the GDPR, so you should continue to use our existing guidance. Following the approach in our guidance will help you comply now and after the end of the transitional period. We will continue to keep our guidance under review and update it where necessary.”
There is a slight caveat. Nothing’s set in stone. Some believe there could be a more significant divergence from EU GDPR.
While some pray the UK will continue to stick closely to EU data protection practices, others, who might welcome a lighter touch, cite the GDPR as a piece of bureaucratic EU legislation that hampers innovation.
The outcome is likely to rest with how well (or not) the negotiations pan out.
What if my business operates in the European Economic Area (EEA)?
There’s no ambiguity here; EU GDPR will still apply directly to your activities if you operate within the EEA. This is because the territorial scope of the regulation extends to businesses around the globe who offer goods and services to EU citizens or monitor the behaviour of individuals located in Europe.
Data transfers – what is ‘adequacy’ and will the UK get it?
Post Brexit, if you use suppliers or work with other organisations in Europe, EU GDPR will still apply if they send personal data to you.
The UK will become what is termed a ‘third country’ to Europe. Data transfers from the EEA to third countries are subject to restrictions unless the European Commission grants a status called ‘adequacy’.
Essentially, the EC awards adequacy to countries judged to have data protection provisions similar to the EU’s. For example, countries including Argentina, Israel, New Zealand and most recently Japan have each been awarded ‘adequacy’ status by the EC.
If the UK is granted adequacy, the free flow of personal data will continue without any new restrictions – but it’s a big ‘if.’
Adequacy may not be granted if the UK is considered to have deviated too much from EU GDPR and/or if concerns about UK surveillance laws prevail.
My thoughts are that if the negotiations go sour, and if adequacy is denied (at least for the time being), the UK government could be tempted to branch out and adopt a lighter touch to data protection regulation and enforcement. This would have significant ramifications for businesses operating in both the UK and Europe.
What about the UK’s Data Protection Act 2018?
The UK’s DPA 2018 will continue to apply. To quote the ICO, this ‘currently supplements and tailors the GDPR within the UK.’
For example, the Act covers the areas where EU Member States were given national-level discretion on certain aspects of the law, such as the age of consent of a child in relation to online services. The DPA 2018 also separately covers areas such as data protection requirements for law enforcement specific to the UK.
What about marketing and cookie rules – does PECR still apply?
The UK’s Privacy and Electronic Communications Regulations 2003 (PECR) (and subsequent amendments) currently sit alongside the GDPR.
PECR is a UK-specific regulation derived from EU law (the ‘ePrivacy Directive’). It will therefore remain in place and is not affected by the UK leaving the EU. So, no change there.
What about the EU’s ePrivacy Regulation?
There are ongoing plans to replace the EU ePrivacy Directive with a new EU ePrivacy Regulation. The Directive is long overdue an update, as there have been significant technological developments since its conception. Again, as with GDPR, the aim is to harmonise rules across Europe.
Countless drafts have been published, but a final version of the regulation is still not agreed. If and when it’s finalised, we will have to wait and see whether the UK chooses to implement this into UK law in a similar way to GDPR.
The general consensus is the UK would want to align itself with the EU on this. Much I suspect will depend on how closely aligned the UK is with the EU when the regulation is agreed.
What will the ICO’s role be?
The ICO has clearly said it will remain the supervisory authority governing UK data protection legislation. But it will no longer be an EU supervisory authority. Therefore, if you process the data of EU citizens or monitor their behaviour, you need to make sure, if you don’t already, that you have a nominated EU representative.
In summary, our industry is a small cog in the vast machine of Brexit as the negotiations rumble on. Horse-trading and compromises seem inevitable. What a deal on EU-UK data transfers, if any, will look like might result in a different regime for data protection outside the EU. Conversely, it might look remarkably similar to the one we have now!
At least there’s the reassurance that those of us handling EU citizens’ data know the data protection regime will remain the same, giving an element of continuity. The message from the ICO is clear that all UK businesses should continue to comply with GDPR. Flexibility, transparency and resilience will see you through the choppy waters ahead.
Philippa Donn, August 2020
For more information please see the ICO’s guidance: Data protection at the end of the transition period
And you can rely on us here at DPN should you require specific assistance to navigate any of these issues. Contact us for an informal chat.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.