It’s only taken three and a half years, but on January 22nd, the Prime Minister Boris Johnson broke the news that the UK had officially crossed the “Brexit finish line” after Parliament passed legislation implementing the Withdrawal agreement. On 31st of January at precisely 23:00 GMT, the UK will officially leave the EU, although there will be a transition period until at least the end of 2020.
However, while the debate chapter in the Brexit story has finally reached a conclusion and the UK can – in the words of the PM – move forward as one, there are still a number of challenges ahead. In particular, the issue of data protection.
Adequacy challenges ahead
Personal data is currency that underpins our modern global economy. As such, the uninterrupted free flow of data is a priority for both the UK and the EU. One of the most significant elements in European data protection law is the prohibition of sending personal data outside of the EU. Beyond January 31st, the UK will be subject to this prohibition – meaning the flow of data between both the UK and the EU will be interrupted.
To overcome this issue, the European Commission would need to adopt an ‘adequacy’ decision in respect to the UK’s data protection framework. If it finds that there is a risk that personal data from the EEA could be passed on to countries which do not themselves offer an adequate level of protection, the EU is unlikely to declare the UK data protection standards as ‘adequate’.
While a positive adequacy decision would be beneficial to both sides, it may not be as simple as a box-ticking exercise. Currently, there are already a number of cases in front of the European Court of Justice which could impede the UK’s case for a quick adequacy decision. Earlier this month, for instance, The EU Court’s Advocate General Manuel Campos Sanchez-Bordina issued an opinion on four linked cases in France, Belgium and Britain in which governments called for greater powers to override data privacy for national security reasons.
According to the Advocate general, EU law applies to data collection for national security purposes and therefore governments and private companies are subject to these legal requirements. The opinion further stated that the current arrangements in the UK do not comply with existing EU data retention law.
Of course, once the transition period is over, the UK will no longer be regulated by the European General Data Protection Regulation. However, an adverse decision from the Court would certainly not aid in securing a quick adequacy decision.
The future of UK data protection
After the transition phase, an adequacy decision is undoubtedly the most desired and likely outcome – but it could take months (or years, if history has taught us anything) to happen. If no arrangements or deals are made between the UK and the EU in 2020, the end of the year will see the UK leaving in a “no-deal” scenario, effectively rendering it a “third country” with respect to data protection law.
In this version of events, UK businesses and those with UK operations who rely on the flow of personal data from the EU will need to have additional controls in place such as standard contractual clauses or binding corporate rules to ensure compliance.
Once the Withdrawal Agreement reaches an end, the UK will formally be independent from the EU’s General Data Protection Regulation that has governed the processing of personal data in all member states since May 2018. Instead, the UK will pass into law its own version, aptly named the UK-GDPR. Already, this has potential to trigger confusion for those of us who spent the last several years wrapping our heads around and preparing for the biggest shake up to data protection law in 20 years (the GDPR.)
The new UK-GDPR will sit alongside the European GDPR, which will still apply to the UK until the end of the transition period (December 31st 2020). Yes – you read correctly – for the entirety of 2020, there will effectively be two GDPRs governing the UK, in addition to the Data Protection Act 2018 which also takes effect from January 31st.
It’s a lot to take in, but what does it mean in practice?
Preparing for the UK-GDPR
The United Kingdom General Data Protection Regulation is, in essence, the same law as the European GDPR – only updated to reflect domestic law. This means less panic for business leaders and Data Protection Officers who have spent the last three years growing accustomed to the core definitions made famous from the European GDPR. Legal terminology that defines concepts such as ‘personal data’ and ‘rights of data subjects’ are mirrored in the UK-GDPR.
That being said, there are still several notable deviations between the EU and UK versions of the legal text that could see significant changes to the UK data protection landscape. The key changes can be found in the UK government’s Data Protection, Privacy and Electronic Communications (EU Exit) Regulation (DPPEC regulation), expanding on areas including national security, intelligence services and immigration.
According to the UK-GDPR, there will be certain instances in which the regular protection laws for personal data can be bypassed – for example, if the matter concerns national security.
Another deviation from the EU GDPR is the appointment of the Information Commissioner, the leading data protection authority in the UK, as the leading supervisor and enforcer on UK GDPR – replacing the European Data Protection Board as the highest supervisory authority.
From January 31st, any company or website that collects and processes the personal data of individuals inside the UK must be fully compliant to the UK GDPR. Moreover, EU companies offering services in the UK will need to appoint a UK representative, defined in the legal text as “a natural or legal person established in the United Kingdom who represents the controller or processor.” Finally, the UK-GDPR deviates from the EU GDPR in that it lowers the age of valid consent from 16 years old to 13 years old in the UK.
Commenting on the upcoming challenges linked with data protection in light of our impending departure from the bloc, EU & Competition and Commercial Lawyer Duncan Gillespie said:
“For organisations who receive personal data from within the EU, the model clauses will need to be in place unless the EU Commission has made a finding that the UK has an adequate system of data protection law in place.”
“Such a finding will be a place if there is a negotiated withdrawal from the EU but not necessarily if there is a Nigel Farage style departure with the UK waving two fingers at the EU.”