“Business as usual” for UK-EU data protection transition in 2020.
On 29 January 2020, the EU Parliament approved the UK Withdrawal Agreement after the UK Parliament’s ratification via the EU Withdrawal Act 2020 on 23 January 2020 (Withdrawal Agreement). The Withdrawal Agreement maintains the UK pre-Brexit position and clarifies that the GDPR continues to apply in the UK during the transition period (between 1 February 2020 and 31 December 2020, or any extension agreed by UK and EU), allowing both sides to negotiate the future data protection relationship. The ICO confirmed that the GDPR will continue to apply, and that during the transition it will be “business as usual”.
The provisions of the UK GDPR will be incorporated directly into UK law from the end of the transition period, and will sit alongside the current UK Data Protection Act 2018. At the end of the transition period, there will be the current EU GDPR as well as a UK GDPR. The Withdrawal Agreement includes technical amendments to the current GDPR, so that it will work in a UK-only context.
What will happen to UK businesses that process data in the EEA during the transition period?
- The current GDPR will continue to apply in the UK, so UK- and EEA-based controllers will not need to take any immediate action.
- The UK GDPR will not come into force until the end of the transition period, therefore, businesses that are established in the EEA, and/or that offer services to EEA and UK users, will not be subject to separate fining regimes under the EU and UK versions of the GDPR until the end of 2020.
Which supervisory authority will regulate the UK’s processing during the transition period and thereafter?
- The Information Commissioner’s Office (ICO) will remain an “independent supervisory authority” under the UK’s data protection legislation.
- The current GDPR continues to apply under the Withdrawal Agreement, with the exception of Chapter VII. Therefore, the ICO has ceased membership of the European Data Protection Board (EDPB), as of 1 February 2020. During the transition period, the ICO is not required to cooperate with other supervisory authorities or to comply with decisions of the EDPB. However, the ICO has said it “will engage in the co-operation and consistency mechanism under GDPR and will continue to act as a Lead Supervisory Authority”.
- The ICO has advised that the “One-Stop-Shop” and lead authority arrangements will no longer apply to processing after the transition period. Organisations in the UK will have to deal with both the ICO and the supervisory authority or authorities in other EEA states where they are established. If UK organisations are not established in the EEA, they will still have to comply with the EU GDPR if processing relates to offering goods or services to, or monitoring behaviour of, individuals in the EEA.
- The UK government intends to work towards maintaining close working relationships between the ICO and the EEA supervisory authorities once the UK has left the EU. However, in the spirit of the Brexit referendum, the UK government wants to have the freedom to diverge from EU data protection rules after the end of the transition period, so the UK’s participation in the EDPB may not be a foregone conclusion.
- Organisations that carry out cross-border processing, with the ICO as lead authority, should review EDPB guidance and consider whether any other EEA supervisory authority could be the lead authority after the transition period.
What will happen to data transfers between the EU and the UK?
- Nothing will change during the transition period, and data may flow freely from UK to EEA countries and vice versa. However, after the transition period, the UK will be a third country, and the EDPB must approve the UK data protection regime as “adequate” to enable the free-flow of personal data, i.e., the EU Commission must approve the UK as providing data protection safeguards and remedies to data subjects to the same or higher level as the EU in order to be added to the list of white-listed countries. If the UK does not receive an adequacy decision, EU organisations transferring data to the UK will need to implement transfer mechanisms in accordance with Articles 44-50 GDPR (e.g., the model clauses).
- If negotiations break down and adequacy is not obtained, the default position will be the same as for a no-deal Brexit, according to the ICO. The ICO will continue to post no-deal guidance on the ICO website during the transition period, and will update that guidance to reflect any developments.
- The ICO has stated that it will not impose restrictions on data flowing from the UK to the EU. Whether this continues to stand after the end of the transition period remains to be seen.
- The ICO will recognise binding corporate rules authorised under the EU process until the end of the transition period, to ensure appropriate safeguards for transfers from the UK. However, organisations that have a UK lead company will need to revisit their binding corporate rules (BCRs) to find an EU lead company in their group post transition.
How will personal data transfers from the UK to other third countries be affected during and after the transition ?
- The US Department of Commerce announced that the Privacy Shield will continue to apply to UK data transfers throughout 2020, but all US organisations under the Privacy Shield scheme must update their public commitment to comply with the Privacy Shield to include the UK. These public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on the US Privacy Shield.
- The UK government intends to recognise the EU adequacy decisions that the European Commission made prior to the withdrawal date. This will allow transfers to continue to most organisations, countries, territories, or sectors covered by an EU adequacy decision after UK withdrawal.
- Data transfer agreements may need to be reviewed to ensure they cover UK to third-country data flows, since the vast majority of transfer agreements were drafted with the assumption that UK was part of the EU, which is no longer the case.
How will the UK GDPR and EU GDPR affect UK companies at the end of the transition period?
- At the end of the transition period, the EU GDPR and UK GDPR will both be in force, and companies will be subject to both regimes if they are:
- Established in the UK and the EEA
- Established in the UK, and offer goods and services to, or monitor the behaviour of, individuals in the EEA
- Established in the EEA, and offer and offer goods and services to, or monitor the behaviour of, individuals in the UK
- Established outside of the UK and EEA, but offer goods and services to, or monitor the behaviour of, individuals in the UK and EEA
Will UK and EU businesses need to appoint Article 27 GDPR representatives?
- The current regime will continue to apply during the transition period, so UK companies without an EEA presence, offering goods or services to, or monitoring the behaviour of, individuals in the EEA will not need to appoint an EU-based legal representative. Conversely, EU companies that do not have a UK presence, but offer goods or services to UK users, will not need to appoint a UK representative.
- Similarly, a non-UK/EEA controller subject to the GDPR by virtue of Article 3(2), because it offers goods or services to individuals in the EEA and/or UK, does not need two representatives during the transition period, e.g., one in the EU and one in the UK.
- Once the transition period has ended, UK organisations that are subject to jurisdiction under Article 3(2) EU GDPR will be required to appoint an EU-based legal representative if they offer goods and services to data subjects in Member States or monitor the behaviour of data subjects in Member States.
- Conversely, organisations from the EEA or other countries, that offer goods and services to data subjects, or monitor data subjects’ behaviour in the UK, will have to appoint a representative in the UK under Article 27 UK GDPR.
Will the Privacy and Electronic Communications Regulations (PECR) apply during and after the transition period?
- The current PECR rules, based on the EU E-Privacy Directive, covering marketing, cookies, and electronic communications are set out in UK law, and will continue to apply during and after the transition period.
- Whether the UK adopts the new EU ePrivacy Regulation remains to be seen, and this issue will no doubt form part of the negotiations with the EU.