What happens to GDPR on exit day?
GDPR during the transition period
As we’re all well aware, the UK will finally leave the European Union later today. The UK and the EU will then have until 31 December 2020 (the “transition period”, provided for in the withdrawal agreement) to negotiate an agreement setting out their future relationship. This raises the question: will the UK still be bound by the GDPR post-Brexit? In short, yes. During the transition period, GDPR will continue to apply and the data protection landscape will remain unchanged.
The current regime consists of the EU GDPR, supplemented by the UK Data Protection Act 2018 (DPA). As well as modifying the EU GDPR, the DPA applies a similar data protection regime (referred to as the “applied GDPR”) to areas falling outside the scope of EU GDPR. So for now you should continue to follow the current rules and regulations and ICO guidance.
During the transition period, if you are offering goods and services to customers in the EU, the ICO has confirmed that you do not yet need to appoint a European representative but may need to do so from the end of the transition period.
What happens at the end of the transition period?
Following through on its commitment to incorporating EU GDPR into domestic UK law on exit day, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “Exit Regulations”), which will apply changes needed to the EU GDPR so that it remains relevant to the UK after Brexit (such as removing references to the UK’s participation as a member state), and merges the EU GDPR with the DPA to ensure that the UK data protection framework continues to function correctly. This regime will be known as the UK GDPR.
The EU GDPR will continue to apply in the UK until the end of the transition period – from this point on UK GDPR will apply. What the exact data protection landscape will look like post 2020 will depend upon the negotiations that take place during the transition period, but we believe, based on the information available to us now, that it’s unlikely there will be any change to the existing main data protection principles.
Currently all personal data moving from the UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The good news is that the Exit Regulations will ensure that this arrangement will continue so that data still flows from the UK to the US. However, US entities will need to update their privacy notices to expressly extend protection to transfers from the UK.
What we also know is that from the end of the transition period, the UK may be classified as a “third country” for the purposes of EU GDPR. The EU GDPR places restrictions on data transfers to third countries (i.e. countries other than EU member states and the three EEA states that have adopted a national law implementing GDPR (Norway, Iceland and Liechtenstein)). To date, the EU has granted a number of adequacy decisions, where they determine whether a country offers personal data an adequate level of protection, including in favour of the Isle of Man, Jersey and Guernsey.
It’s highly likely that the UK will apply for adequacy status from the EU and the EU has already indicated that it’s prepared to consider this but won’t do so until after exit day. But unless this happens before 31 December 2020, UK businesses processing data on behalf of EU data controllers will only be able to transfer data if appropriate safeguards are in place to protect the data transfer to the UK. This includes putting in place some form of data transfer agreement with the EU business incorporating the standard data protection contractual clauses (known as “Model Clauses”) approved by the EU, as a legal basis to protect the transfer of personal data to the third country.
However, once adequacy status is granted, the UK would no longer be classified as a third country and the need for Model Clauses or other safeguards to be put in place would fall away. Just how long this process will take is unknown, but it’s unlikely to happen quickly and there’s no guarantee it’ll happen before 31 December. Businesses dealing with third countries should therefore follow developments regarding the granting of an adequacy decision closely, as breaches of the requirements relating to this particular area of EU GDPR are subject to the higher level of fines (up to €20 million or 4% of annual global turnover, whatever is higher).
If your business transfers data to countries outside of the EU where the EU has already made an adequacy decision, then the position will remain unchanged and your data can continue to flow. The UK government has confirmed that it will recognise existing EU adequacy decisions made prior to exit date. However, you should still keep a close eye on developments as you may see the situation where the EU subsequently grants an adequacy decision to a country and the UK takes a different stance and chooses not to adopt it.
At the current time, whilst we’re in the transition period, there shouldn’t be too much for businesses to do with the majority of data protection rules staying the same, but it’s important that businesses follow developments as we move towards the end of the transition period. As the ICO says in its guidance on post Brexit data protection, your best preparation at this point in time is to ensure you comply with GDPR now.