BREXIT: Implications for GDPR
On the 30th January 2020 the Information Commissioner’s Office said it is “business as usual for data protection” during the Brexit transition period starting the following day and running until the end of 2020. And this has been the case. There has been no major upheaval in the law and companies have not felt any change since exit day.
However, as we quickly approach the end of the transition period, the future status of the United Kingdom (UK) within the European Union (EU) data protection policies remains unclear. This, no doubt, has resulted in anxiety for businesses that frequently transfer data to and from the EU.
For businesses operating strictly from and within the UK there will not be a significant change felt in terms of compliance with General Data Protection Regulations (GDPR). The UK Government has already implemented secondary legislation which will amend the Data Protection Act 2018 and merge it with the EU GDPR. This is now referred to by the Government as the UK GDPR, which is distinct, though nearly identical, to the EU GDPR. What this means in practice is that businesses will not need to amend or change their current rules and policies to comply with UK GDPR if they already comply with EU GDPR.
While this is much needed good news for businesses in the UK, there is still a great amount of uncertainty regarding the UK’s status within EU GDPR come New Year’s Day 2021. Whilst negotiations rage on, we have yet to reach an agreement as to whether the UK will join the EU’s ‘White List’ or whether it will be considered a ‘Third Country’. This is an important distinction for businesses in the UK because a ‘White list’ country can essentially operate as though it was an EU member state for the purposes of EU GDPR.
As it stands and without a deal, it looks increasingly likely that the UK will become a Third Country, which means there would be immediate implications for both EU and UK businesses from 1 January 2021:
- For businesses operating within an EU member state, the UK’s ‘Third Country’ status would mean that appropriate safeguards would be required for any transfers of data to the UK. This requirement is outlined in Art.46 of the EU GDPR. Realistically it is likely that EU businesses in this situation will be required to enter into the EU’s standard contractual clauses for data protection with any businesses in the UK to whom they propose to transfer data. If you currently receive data from the EU, you may find that you will be asked to consider entering into the EU’s standard contractual clauses for data protection.
- Those businesses operating within the UK would find themselves having to now comply with the requirements of UK GDPR, which, assuming they are already in compliance with EU GDPR, should not require any change in practice. As it stands, all EU member states remain on the UK’s ‘White List’ (but this is always susceptible to change), and therefore if nothing changes, UK businesses should remain free to transfer data to other businesses in EU member states.
While it may seem absurd that the EU may overnight disapply the UK from data regulations causing mass uncertainty, such a situation is not unprecedented. This was the case in 2015 following the EU Safe Harbour invalidity findings, the aftermath of which left businesses scrambling to review their data flows to ascertain whether alternative measures were required to be implemented to ensure compliance on the export of data.
There is real concern that the UK will not be viewed as ‘adequate’ in order to join the EU ‘White List’. The recent European Court of Human Rights case Big Brother Watch and others v UK  raised concern among EU member states about the UK’s mass surveillance programme and how it handles data. Similarly, there is worry that data shared to the UK could be ‘bounced’ to other ‘Third Countries’ such as America, which is classed as inadequate under EU GDPR.
For now though, the future like many issues related to Brexit, is uncertain. Should the UK join the coveted EU data protection ‘White List’, businesses will feel no change in day to day operations. Should the UK become a ‘Third Country’, businesses within the UK may find difficulties in procedures as simple as accessing cloud storage hosted in Germany.
For more information regarding our Business and Commercial department and their services please visit our website, or call us on 01603 620508.
This article was produced on the 17th November 2020 by our Business & Commercial team for information purposes only and should not be construed or relied upon as specific legal advice.