This is the third in a series of briefings about the data protection issues which need to be considered in relation to Brexit.
The Current Position
On the 24th December 2020, the UK and EU reached a trade deal and co-operation agreement to address the arrangements at the end of the Brexit transition period on the 31st December 2020. The agreement includes interim provisions, a bridging mechanism, for the movement of personal data to the UK. This is to last four months, plus an additional two months, unless either party objects, or if an adequacy agreement is reached earlier, meaning this will come to an end on the 30th June at the latest.
This allows personal data to continue to move between the UK and EU without additional safeguards. This also includes transfers with Norway, Iceland, and Liechtenstein. During this period, the UK is restricted in what powers it can exercise concerning data protection legislation unless approval is obtained from the EU.
If the UK wishes to make changes to any data protection legislation, that is not in EU law, then the UK will be required to notify the EU. In this case, either party may request, within five working days, a meeting of the Partnership Council, which would need to be held within two weeks. If neither party requests the meeting, then the EU is deemed to approve the proposed amendment. This now allows organisations, like yours, more time to address any changes that may be required, should an adequacy agreement not be reached.
The ICO is continuing to advise organisations to prepare alternative transfer mechanisms. This includes incorporating standard contractual clauses (SCC), binding corporate rules, and implementing a strong code of conduct, under Article 46 EU GDPR.
From the end of this interim period, under part 3 of the European Union (Withdrawal Agreement) 2020 (EUWA), UK companies will need to continue to apply EU law on personal data, where the personal data was processed in the UK before the end of the transition period or that personal data is processed in the UK after the transition period on the basis of the withdrawal agreement – Article 7(1) EUWA. This will continue to be the case until an adequacy decision is reached. However, it should be noted that if the UK is deemed to be inadequate, any EU personal data will still need to be processed in accordance with EU law.
The UK’s Information Commissioner is no longer a part of the EU GDPR co-operation and consistency arrangements so will no longer have a seat on the European Data Protection Board (EDPB). Powers of the European Commission are now transferred to the Information Commissioner or the Secretary of State. Those powers include:
- The power to issue SCCs for processor contracts – Article 28 UK GDPR;
- Remedies are now amended to refer to the Information Commissioner and UK courts – Articles 77-83 UK GDPR; and
- There has been a change in data breach notification obligations: all breaches are to be notified to the ICO, and the requirement for prior consultation now also refers to the ICO – Article 26 UK GDPR.
With regards to international transfers and adequacy decisions, Schedule 21 of the DPA 2018 provides more detail. This includes information on standard contractual clauses (SCC) and binding corporate rules (BCR), made by the ICO, which continue to be used after the end of the interim period.
Other laws that have been amended as a result of changes in UK data protection law include the Anti-terrorism, Crime and Security Act 2001 and the Investigatory Powers Act 2016. It would be wise to watch changes to these acts closely, as this may influence the outcome of an adequacy decision.
What Jurisdiction Do the EU Courts Have in the UK Now?
Under the withdrawal agreement, the Court of Justice of the EU (CJEU) will continue to have jurisdiction, even now after the transition period has come to an end, in some areas of law. This will continue to last while the Withdrawal Agreement remains valid. With regards to data protection law, the reach of the CJEU could continue to hold weight beyond the interim period we are currently in. This could be dependent on the outcome of the adequacy agreement, especially when considering the implications data protection law can have on human rights.
Any cases that were pending a decision in the CJEU up until the end of the transition period will still set precedent in the UK, following Article 86(1) of the withdrawal agreement. Article 86(1) also states that the European Commission will have four years from the end of the transition period to bring any infringement proceedings against the UK for breaches of EU law that took place up until the end of the transition period. Any judgments made under these articles will be binding on the UK.
If the UK and EU were to ever dispute the interpretation of the withdrawal agreement, then an arbitration panel can be established to resolve the issue under Article 170. Under Article 174, the panel can go to the CJEU to offer an interpretation, where any decision would be binding on the UK. This can only happen with disputes over EU law, not disputes between the UK and EU. There is an additional aspect to the withdrawal agreement that allows the UK courts the power to send preliminary references to the CJEU about any meaning of Part 2 of the withdrawal agreement up to eight years from 31st December 2020. This will be particularly important for questions relating to EU citizens’ rights. In terms of data protection law, this could be particularly important when it comes to UK companies processing the personal data of EU citizens, both in and outside of the UK, and further clarity should come when we obtain an outcome on the adequacy decision. Taking this into account, it would be best practice for UK companies to continue to follow the guidance of the ICO and both the UK and EU GDPR.
As it stands, the CJEU will no longer have any jurisdiction over UK legislation from the 1st January 2021. But it is important to consider that any monumental differences between UK and EU law could affect future relationships.
The UK government has stated it is still committed to the European Convention on Human Rights (ECHR), formed by the Council of Europe, and will therefore be bound by the European Court of Human Rights. This is a treaty signed by 47 Member States; however, it is important to remember that the ECHR is not an EU institution. The Council of Europe was founded post World War II to uphold human rights, democracy, and the rule of law in Europe. The most important right to consider in regard to data protection is Article 8 of the ECHR, which provides the right to respect for private and family life. The UK will have to continue to uphold this qualified right in terms of data privacy, regardless of an adequacy agreement, and so changes to UK surveillance laws should be approached with caution.
- Applicable legislation – organisations need to consider what legislation applies, whether it’s the UK GDPR, DPA 2018, and/or the EU GDPR.
- International data transfers – organisations need to review how data flows to and from the UK and EU.
- Representatives and DPOs – organisations need to consider whether they need to appoint a representative in the UK and/or the EU.
- Applicable Regulators – organisations need to consider what regulators they will need to follow.
- Privacy notices – organisations need to update their privacy notices to reference the UK GDPR and EU GDPR.
- DPIAs – these may need to be reviewed, with special consideration of international transfers.
- Contracts – review of ROPAs to check for any changes to international transfers or changes to terminology, as well as the addition of SCCs.
Key Changes to the Legislation:
- In the UK, the ‘GDPR’ is now referred to as the ‘UK GDPR’.
- The UK GDPR is defined in section 3(10) of the amended DPA 2018: “‘The GDPR’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
- Section 3 of the European Union (Withdrawal) Act 2018 (EUWA) converts the GDPR into retained EU law.
- The amendments made to the UK GDPR and the DPA 2018 merge the provisions from the EU GDPR.
- The UK GDPR will not automatically incorporate changes to the EU GDPR moving forward; any changes will need to be enacted by the UK through the UK GDPR and DPA 2018.
- The DPA 2018 uses the term EU GDPR to refer to the General Data Protection Regulation (EU) 2016/679 as it continues to apply in the EU.
- Under ‘Lawfulness of processing’, a child’s consent concerning information society services has been amended to reflect the fact the UK has set the age for consent at 13 years of age.
- The DPA 2018 has added additional information to Article 9 of the GDPR, where it refers to additional conditions that are allowed for the processing of special category data when it is in the public interest or being undertaken by a public body.