This second instalment of our Brexit & Data Digest outlines the main sources of data protection law in the UK following the end of the Brexit transition period, and how the EU GDPR may continue to have relevance for companies located in the UK.
With the UK now unambiguously outside of the EU, the EU General Data Protection Regulation (2016/679) is no longer directly part of the UK’s body of legislation. This is the second instalment of our Data & Brexit Digest, highlighting some practical data protection implications of Brexit, the end of the transition period, and the adoption of the EU-UK Trade and Cooperation Agreement (the “TCA”).
Sources of data protection law in the UK
The EU GDPR has been retained in UK law, effectively having been copied onto the UK statute book, with some essential adjustments to allow it to function independently of EU law and institutions. This was achieved through the European Union (Withdrawal) Act 2018 and secondary legislation (see below). The retained version of the GDPR is now known as the “UK General Data Protection Regulation” or “UK GDPR”. The UK GDPR must continue to be read alongside the Data Protection Act 2018 – in other words, they now jointly make up the mainstay of data protection law in the UK.
The most significant secondary legislation passed by the UK government was the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419 (the “Regulations”), which came into force on 31 December 2020 as the transition period ended. It is these Regulations which amend the retained UK GDPR, (a) ensuring that it functions effectively as domestic legislation and (b) redistributing certain powers vested in the European Commission and supervisory authorities under the EU GDPR. On the redistribution of powers, critically, the Regulations provide that in future the UK Secretary of State may adopt adequacy decisions under the UK GDPR in respect of third countries for the purposes of international data flows from the UK; under the EU GDPR, this power lies with the European Commission.
Even post-Brexit, UK companies and businesses cannot afford to discount the continuing relevance of the EU GDPR. EU data protection law will continue to impact UK operations in some circumstances:
As we noted in Part 1, the TCA limits the UK’s ability to amend domestic data protection law in certain respects during the bridging period (which could last up to 6 months). Notwithstanding this, the UK government is currently consulting on its National Data Strategy, with the consultation document suggesting that UK data protection law is likely to be amended in the coming year. While it is not possible to predict the precise changes, certain areas such as international transfers of personal data appear high on the agenda (following the end of the bridging period). Similarly, the UK’s data protection authority, the ICO, has indicated there will be a consultation on new UK standard contractual clauses for data transfers.
The UK’s data protection regime looks set for a period of change in the latter part of 2021, notwithstanding the significant changes already brought about by Brexit. Businesses will need to be alive to these regulatory changes and monitor developments carefully. In our next instalment, we look at the impact on contracts and policy documents and provide some drafting tips.