As part of the Withdrawal Agreement, EU law, including the GDPR, will continue to apply to the UK until the end of the transition period. However, the transitional arrangements will end on 31st December 2020, and as we seem to be approaching a point at which the UK's data protection status remains unknown, I felt it prudent to update you on the current position.
The UK law implementing the Withdrawal Agreement, the European Union Withdrawal Act 2018 (the Withdrawal Act), provides for existing EU law to be converted into UK law and referred to as “retained EU law”.
Data Protection Law Updates
The GDPR will be brought into UK law (at the end of the transition period) as the ‘UK-GDPR’, but there may be further developments about how we deal with particular issues, such as UK-EU data transfers. The GDPR will be retained in domestic law at the end of the transition period, but the UK will have the independence to keep the framework under review. This review process will start on day one, following the end of the transition period. As practitioners, we should be aware that the EU-GDPR remains exactly that: the EU's law. In the UK, the equivalent law that governs data protection will be known as the UK-GDPR. I will simplify below.
If you are processing personal data within the UK, then UK-GDPR applies. This is the existing EU-GDPR, supplemented by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. It is useful to refer to the Keeling schedule to see the amendments. This is effectively a document which shows the amendments as tracked changes and is easier to understand than referring to three separate pieces of legislation. This will be the law that governs data protection for organisations that process personal data of people within the UK post 31.12.20.
EU-GDPR will still apply for organisations that process personal data of the data subjects based within the EU & EEA post 31.12.20.
So, as you manage compliance with GDPR and, say, CCPA post 31.12.20, practitioners may have to manage personal data to comply with UK-GDPR, EU-GDPR and CCPA, depending upon where you do business. UK and global practitioners will need to up their game in terms of their knowledge of the Data Protection Act 2018 and upskill in managing data sets to different legislative compliance standards.
The amendments shown in the Keeling schedule will take effect at the end of the transition period by virtue of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
There is helpful guidance from the ICO on this matter:
The key principles, rights and obligations will remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
The UK government intends that the UK GDPR will also apply to controllers and processors based outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR will still apply to this processing, but the way you interact with European data protection authorities will change.
This means there will be a slight divergence from the EU-GDPR, although not enough to materially affect controllers’ responses for now. However, in the future, should there be considerable divergence, then controllers and processors will have to ensure compliance with both the EU-GDPR and the changed UK-GDPR. A practical example of the challenge: a controller holds a database of customers who are based in both the UK and the EU. While the two laws are the same, there is no requirement to manage that database differently depending on where the customer is. Were EU and UK data protection law to diverge in the future, however, the real challenge becomes managing the same database to two different data protection compliance standards.
Departure from retained EU case law by UK Courts and Tribunals
Under the Withdrawal Act, UK courts will not be bound by new decisions of the Court of Justice of the EU (CJEU) made after the transition period ends, but will still be bound to interpret retained EU law in line with existing decisions of the CJEU (retained EU case law). The Withdrawal Act, however, confers the power on the UK Supreme Court and the High Court of Justiciary in Scotland to depart from retained EU case law if they consider it “right to do so.” Following consultation, the Government has now confirmed that that power will be extended to, among others, the Court of Appeal and the Inner House of the Court of Session, but not to the High Court or the Information Tribunals (IT).
UK courts will still be bound by the normal doctrine of precedent. However, in respect of decisions of more senior UK courts relating to retained EU case law, this development gives greater scope for divergence from retained EU case law and may cause uncertainty, leading to re-litigation of established legal principles. This will see the start of UK Data Protection law divergence post 31.12.20.
Data Protection and cross-border transfer of personal data
At the end of the transition period the EU GDPR regulation will be incorporated into UK domestic law as the ‘UK GDPR’. The UK GDPR will preserve the core EU GDPR standards such as the data protection principles, the rights of data subjects and the obligations of controllers and processors. Controllers in the UK who transfer personal data across borders to the EEA should therefore generally continue to implement the EU GDPR compliance standards and follow the ICO’s guidance, which will be updated in due course to reflect changes.
At the end of the transition period there will be two sets of rules to consider, namely outward transfers and inward transfers:
- The rules on organisations transferring personal data outwards from the UK:
The UK considers that no additional safeguards will be required to transfer personal data from the UK to countries within the EEA or to countries in respect of which an adequacy decision has been issued by the European Commission.
For all other outward transfers, appropriate safeguards will be required.
- The rules on organisations in the UK receiving personal data from outside the UK (including from the EEA):
EU GDPR transfer rules apply to data entering ‘third countries’ (i.e. countries located outside the EEA). The UK will become such a third country on 1 January 2021, and from this date transfers of personal data to the UK may lawfully occur where:
- a valid adequacy decision is in place (i.e. an adequate level of protection);
- one of a number of safeguards is in place; or
- certain derogations under the relevant GDPR regime apply.
The European Commission is aiming to agree an adequacy decision with the UK by the end of the transition period. If this is achieved, personal data can be sent from the EEA to the UK without any further safeguarding being necessary.
However, given the uncertainty, it is not safe to assume that the UK will benefit from an adequacy decision, and companies which transfer personal data from EEA countries to the UK should consider what GDPR safeguards can be put in place to ensure that personal data can continue to flow into the UK. It would also be prudent for companies to consider reviewing the personal data they hold, so that personal data acquired before the end of the transition period can be easily distinguished from personal data acquired after it.
What about Schrems II?
It is important that you know about the judgment in the Schrems II case, as it relates to the transfer of personal data. The Court of Justice of the European Union (CJEU) declared the Privacy Shield invalid. This was a transfer mechanism used for transfers from the EU to America. The CJEU also cast doubt over the use of Standard Contractual Clauses (SCCs), which many organisations use for transferring personal data outside the EEA. In response to this, the European Data Protection Board have now issued guidance and revised SCCs, and they are presently open for consultation. The SCCs propose a 12-month transition period in which to implement the new arrangements.
In terms of organisations located within the UK and transferring personal data to the USA and other third countries without adequacy decisions, it will be for the Secretary of State for DCMS (I assume via the ICO) to determine the UK SCCs in accordance with Article 46(2)(c) of the UK GDPR. The ICO issued a “holding” note last week and we await further guidance from the ICO in the coming months.
These are interesting times for UK companies, with the diverging UK Data Protection laws coming into force in just 7 weeks’ time. It will be interesting to see how far the UK will diverge from their current EU colleagues in developing the UK version of these SCCs.
I have worked in Jersey, which has a Data Protection Law 2018 that mirrors the CORE points of the EU GDPR and, in some parts, UK Data Protection Law. The global multi-lateral data protection regime on which it operates, as an adequate country to process data in and out of the Island, has been unfettered and has not stifled international trade.
Therefore, be aware that the need for an adequacy arrangement is ever more pressing; the requirement for a contingency plan, and the need to potentially manage your data compliance differently post January 2021, is often forgotten by controllers.
I will develop my thoughts further on news of the adequacy agreement status, including if there is a need to have agents in the UK and EEA in the next few weeks.
Please remember that the “trade deal” and the adequacy decision are two separate matters and not co-dependent on each other; however, with the shaky hand of politics, who knows!