Brexit has dominated the headlines for several years now, but the dust is starting to settle with the withdrawal agreement and transition period behind us and an EU-UK Trade and Cooperation Agreement agreed and ratified by the European Parliament.
In truth, we are only at the beginning of understanding what impact Brexit will have on data protection compliance in the UK. At present we have a broadly parallel data protection regime with the EU but over time there is likely to be divergence, with the UK government already signalling its intention to take a different path.
We’ll be watching closely as our data protection regime develops here in the UK. Later this year we’ll have a new Information Commissioner and over time the government may choose to revise the legislative regime. Our courts will also have the final say over data protection matters rather than the European Court of Justice (“CJEU”). As such, change can be expected.
What we can do is advise on the current implications of Brexit for organisations in the UK. Whilst we remain aligned to the EU GDPR, there are matters to address following our ‘move’ to the UK GDPR.
In this blog, we are going to focus on the big picture including the changes to the UK data protection regime and EU / UK representatives. In the next part of this blog, we will address the hot topic of international transfers.
Brexit and data protection background
The UK left the European Union (“EU”) on 31 January 2020 and entered a transition period where the UK was still governed by EU data protection rules and was subject to CJEU decisions. Likewise, European Data Protection Board guidance remained applicable in the UK during this period (albeit not binding as the guidance is not the law).
The transition period ended on 31 December 2020. Just before the end of the transition period, on 24 December 2020, the UK and EU agreed a Brexit deal, under the EU-UK Trade and Cooperation Agreement, which came into force on 1 January 2021.
Running to more than 1200 pages, the final agreement covered a wide range of issues, as might be expected given the 45 years that the UK was an EU member state, including data protection. In advance of this agreement, however, the UK government had taken steps to implement EU regulations into UK law, including the GDPR. The statutory instrument that did this for data protection law was The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “Exit Provisions”).
UK GDPR and the data protection framework in the UK
The Exit Provisions had the effect of writing the EU GDPR into UK legislation as the UK General Data Protection Regulation (“UK GDPR”). They did this by effectively amending the GDPR to work in a UK context with the principles and rules remaining largely unchanged between the EU and UK GDPR.
The UK GDPR sits alongside an amended version of the Data Protection Act 2018 (“DPA18”). Together, they both regulate the collection and use of personal data. The Government has published Keeling Schedules for the UK GDPR and the amended DPA18 which clearly show what the amendments have been.
As things stand, the EU GDPR and UK GDPR are identical, save for the practical changes required to make the regulation applicable to the UK post-Brexit. As we’ve stated above, things may diverge over time but right now the two versions of the GDPR are aligned. This doesn’t mean that we are subject to the same regime though – quite the opposite – there are now two sets of data protection law to be considered – one for the EU/EEA and one for the UK.
Organisations may be subject to both the UK GDPR and the EU GDPR
Organisations are now subject to the UK GDPR for all processing activities that relate to the personal data of individuals in the UK. If you work only within the UK, are not established in the EU/EEA, don’t trade with overseas customers and don’t process the personal data of people in the EU, then you probably only need to be concerned about the UK GDPR.
In our increasingly international and online world, however, the chances are you may offer goods and services to people in the EU/EEA or monitor persons in the EU/EEA (remember to include online and app tracking when thinking about monitoring). In this instance, you will very likely need to comply with the EU GDPR (depending on whether you are ‘targeting’ those persons).
If you are ‘established’ in the EU/EEA such as by having employees or a branch office with workers in the EU/EEA, and your processing of personal data of persons in the EU/EEA is carried out in the context of that establishment, then you will need to comply with the EU GDPR as well.
The same rules apply in reverse for EU/EEA organisations established in the UK or selling to or monitoring individuals in the UK. Where this applies, those organisations will need to comply with the UK GDPR as well as the EU GDPR for their in-country processing.
As is always the case with data protection, things are rarely black and white, and the ‘targeting’ and ‘establishment’ criteria each need consideration when confirming whether the EU GDPR applies.
You may need an EU or UK representative
Under the EU GDPR, you need to appoint an EU representative if your organisation does not have a branch, office or other establishment in the EU/EEA and you offer goods or services to individuals in the EU/EEA or monitor their behaviour. This representative needs to be set up in an EU/EEA member state where some of the individuals whose personal data is being processed are located.
This means that, for instance, if your organisation processes personal data of individuals in Spain and France, the representative should be appointed in either of those two countries and not in another EU/EEA country.
This representative may be an individual or a company or organisation established in the EU/EEA and must be able to represent your organisation in relation to its obligations under the EU GDPR. In practice, the easiest way to appoint a representative is likely to be under a simple service contract.
Because the UK GDPR is a ‘copy’ of the EU GDPR, a reciprocal obligation is contained in the UK GDPR. This means that if your organisation has no branch, office or other establishment in the UK, you will need to appoint a UK representative if you offer goods or services to individuals in the UK or monitor their behaviour. It is important to bear in mind that this requirement applies whether you are an EU/EEA-based organisation or an organisation outside the EU/EEA which is not established in the UK.
Under both the UK GDPR and EU GDPR, public authorities are not required to appoint representatives. It is also not necessary to appoint a representative if your processing is only occasional, of low risk to individuals and does not involve large-scale use of special category or criminal offence data.
International transfers between the UK, EU and beyond
In part 2 of this blog, we will address the impact of Brexit on the flows of personal data between the UK and EU and from the UK to other countries.
If the implications of Brexit for your data protection compliance remain as clear as mud, we can help. We are a specialist data protection consultancy and can assist you in meeting your data protection compliance obligations.
We provide outsourced DPO services to organisations of all sizes.
If you need support, please get in touch.