What does Brexit mean for UK data protection and ePrivacy rules?
To put it simply Brexit has not altered our general data protection obligations and responsibilities. The rules we need to abide by are essentially the same, but there are some aspects we need to be aware of (such as data transfers and representatives) and some details we should watch out for over the coming months.
Here’s a quick Q&A to answer some recent questions I’ve been asked:
1. Does GDPR still apply in the UK?
The ‘EU’ GDPR no longer applies in the UK, BUT…
a) GDPR has been retained in UK domestic law, renamed as ‘UK GDPR’. This means the key principles, rights and obligations remain the same. The UK now has the independence to keep this under review.
b) If your organisation offers good and services to EU citizens (or monitors their behaviour) EU GDPR will still apply to your handling of EU citizens data. This is because the territorial scope of EU GDPR extends beyond the European Economic Area.
2. Has the UK Data Protection Act 2018 changed?
The UK DPA 2018 remains in place and sits alongside UK GDPR. The legislation has been adapted to reflect the UK’s status outside the EU. A Keeling Schedule for the UK GDPR shows the amendments.
3. What about data transfers from the UK to the EEA, or elsewhere?
The UK Government says data transfers from the UK to the EEA can continue unrestricted for the time being.
Transfers to other countries may be subject to restrictions under UK GDPR. This essentially means, as you would have done in the past, you need to consider whether additional safeguard mechanisms are required. For more information see the ICO’s guidance on International Transfers after UK exit.
4. What about data transfers from the EEA to UK?
Outside the EU the UK becomes what is called a ‘third country’ and is subject to data transfer restrictions. However, under the Brexit trade deal, agreement has been reached whereby the UK will not be considered a ‘third country’ for up to four months, potentially extended to six months.
This allows more time for the European Commission to consider whether the UK can be granted ‘adequacy’.
If the UK is granted adequacy, transfers of data from the EEA to the UK will continue to flow freely with no requirement for additional safeguards – such as the use of EU Standard Contractual Clauses (SCCs). For more information see Brexit Deal and Data Transfers.
The ICO’s guidance on International Transfers after UK exit also covers considerations for transfers of personal data from non-EEA countries to the UK.
5. Do we need an EU Representative?
If you offer goods and services to EU citizens (or monitor their behaviour) you may need to appoint an EU Representative for data protection. If you are not sure if you fall under this requirement see Brexit: Do we need an EU representative?
6. Do we need a UK Representative?
It’s worth noting UK GDPR, like EU GDPR, has this extra territorial scope too – so if your organisation is based outside the UK, but offers goods and services to UK citizens (or monitors their behaviour) you may need to appoint a UK representative, if you don’t have an establishment within the UK.
Contact us if you would like to find out more about our UK Representative Service.
7. Do we need to update our privacy information or other documents?
You should update your privacy notices, data protection policies and processes to reflect changes in the UK data protection regime. In particular, you may need to change details in relation to international transfer arrangements.
It would also be a good idea to check any Data Protection Impact Assessments where international transfers are relevant.
If adequacy status is not granted, you may also need to review the data provisions in your contracts with EEA businesses. (Many organisations have already planned for the worst-case scenario and this is something the ICO still advising organisations to do).
8. Have marketing and cookie rules changed at all?
The simple answer is no. Marketing and cookie rules in the UK are governed by the Privacy and Electronic Communications Regulations (PECR). Based on an EU Directive these were enacted into UK law in 2003 (along with subsequent amendments), so remain in place. Recent changes made to reflect the UK’s status outside the EU are shown in a Keeling Schedule for UK GDPR.
If you target EU citizens online then country-specific marketing and cookie laws still apply.
9. Will the UK adopt the EU’s ePrivacy Regulation?
Remember this! Back in 2017 the first draft of a new ePrivacy Regulation was published, with the aim of bringing in updated and harmonised rules in tandem with GDPR (revising and expanding the scope of the EU ePrivacy Directive).
Fast-forward four years and the debate still continues, and an agreement has yet to be reach. The as yet an unanswered question is; will the UK adopt this new EU Regulation as and when it is agreed?
10. Is the UK’s data protection regime likely to diverge?
In theory the UK now has the independence to amend data protection legislation. However, the Brexit trade deal specifically mentions the EU and UK’s commitment to ensuring a high level of personal data protection and a willingness ‘to work together to promote high international standards’.
Furthermore, if the UK makes any changes to its data protection regime in the coming months, including Privacy and Electronic Communications Regulations, the arrangement whereby the UK is not yet considered a ‘third country’ for data transfers will automatically end and restrictions on transfers will be imposed. See Brexit deal & data transfers.
It seems unlikely the UK will want to rock the ‘data boat’ right now, if it hopes to be granted adequacy by the European Commission. What will be interesting, is the fallout if the EC does NOT grant adequacy to the UK. My hope is this will run smoothly, but until the ink is set, we just don’t know.
Philippa Donn, January 2020
Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.