This second instalment of our Brexit & Data Digest outlines the main sources of data protection law in the UK following the end of the Brexit transition period, and how the EU GDPR may continue to have relevance for companies located in the UK.
With the UK now unambiguously outside of the EU, the EU General Data Protection Regulation (2016/679) is no longer directly part of the UK’s body of legislation. This is the second instalment of our Data & Brexit Digest, highlighting some practical data protection implications of Brexit, the end of the transition period, and the adoption of the EU-UK Trade and Cooperation Agreement (the “TCA”).
Sources of data protection law in the UK
The EU GDPR has been retained in UK law, effectively having been copied onto the UK statute book, with some essential adjustments to allow it to function independently of EU law and institutions. This was achieved through the European Union (Withdrawal) Act 2018 and secondary legislation (see below). The retained version of the GDPR is now known as the “UK General Data Protection Regulation” or “UK GDPR”. The UK GDPR must continue to be read alongside the Data Protection Act 2018 – in other words, they now jointly make up the mainstay of data protection law in the UK.
The most significant secondary legislation passed by the UK government was the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419 (the “Regulations”), which came into force on 31 December 2020 as the transition period ended. It is these Regulations which amend the retained UK GDPR, (a) ensuring that it functions effectively as domestic legislation and (b) redistributing certain powers vested in the European Commission and supervisory authorities under the EU GDPR. On the redistribution of powers, critically, the Regulations provide that in future the UK Secretary of State may adopt adequacy decisions under the UK GDPR in respect of third countries for the purposes of international data flows from the UK; under the EU GDPR, this power lies with the European Commission.
Even post-Brexit, UK companies and businesses cannot afford to discount the continuing relevance of the EU GDPR. EU data protection law will continue to impact UK operations in some circumstances:
- Long-arm application of the EU GDPR: the EU GDPR may continue to apply to a company, in addition to the UK GDPR, where that company is either “established” in an EU Member State (e.g. by having a branch office or other stable arrangements there), or otherwise meets the requirements for extra-territorial application set out in Article 3(2); this will be the case if a company offers goods and services to individuals based in the EU, or monitors the behaviour of such individuals.
- Pre-Brexit “legacy” data: pursuant to the EU-UK Withdrawal Agreement, EU data protection law (including the EU GDPR, the Law Enforcement Directive (2016/680) and to an extent the e-Privacy Directive 2002/58/EC) will continue to apply to organisations holding personal data about individuals located outside the UK, where the personal data was collected before the end of the transition period.
- The latest draft of the long-awaited EU ePrivacy Regulation, which is intended to replace the existing ePrivacy Directive (2002/58/EC), provides for the legislation to have extraterritorial effect in some circumstances.
As we noted in Part 1, the TCA limits the UK’s ability to amend domestic data protection law in certain respects during the bridging period (which could last up to 6 months). However, notwithstanding this, the UK government is currently consulting on its National Data Strategy, with the consultation document suggesting that UK data protection law is likely to be amended in the coming year. While it is not possible to predict the precise changes, certain areas such as international transfers of personal data appear high on the agenda (following the end of the bridging period). Similarly, the UK’s data protection authority, the ICO, has indicated there will be a consultation on new UK standard contractual clauses for data transfers.
The UK’s data protection regime looks set for a period of change in the latter part of 2021, notwithstanding the significant changes already brought about by Brexit. Businesses will need to be alive to these regulatory changes and monitor developments carefully. In our next instalment, we look at the impact on contracts and policy documents and provide some drafting tips.