What’s this all about?
These FAQs are about the UK’s data protection regime post-Brexit, i.e. what applies as of 1 January 2021. It’s a complicated topic so this note is longer and more complex than usual. We use some specialist data protection terms which are explained at www.bit.ly/gdprwords.
What’s the timeline?
By way of reminder, the 2020-2021 Brexit timeline is as follows:
- 31 January 2020: the UK left the EU, under the terms of the 2019 EU-UK Withdrawal Agreement;
- 1 February-31 December 2020: the so-called “transition period” when EU rules continued to apply generally in the UK, including for data protection; and,
- 1 January 2021: the new relationship between the UK and the EU started, under the terms of the EU-UK Trade and Cooperation Agreement (TCA), including for data protection.
What is the UK’s data protection legislation?
The UK’s core data protection legislation consists of the Data Protection Act 2018 (DPA 2018). This was enacted (amongst other reasons) in order to implement certain aspects of the EU General Data Protection Regulation (EU GDPR).
The UK DPA 2018 also provides for:
- Some exemptions, for example for the processing of some health data;
- Some extra compliance requirements (policy documentation) for example for processing criminal offence personal data; and,
- Aspects that are not related to EU GDPR and are unique to the UK data protection regime, notably some criminal offences, for example the Section 170 offence of unlawfully obtaining data or refusing to return it when a data controller asks for it back.
For more on the UK DPA 2018 see here: https://www.corderycompliance.com/client-alert-data-protection-act-2018/.
What is “UK GDPR”?
At the end of the Brexit 2020 transition period, under various UK Brexit-specific legislation, EU GDPR was incorporated into UK domestic law as the so-called “UK GDPR”. Technically-speaking this is a separate piece of legislation called “Retained Regulation (EU) 2016/679”, which sits alongside the DPA 2018. This is not simply a copy and paste of EU GDPR – although in a number of instances EU GDPR and UK GDPR are the same there are also some differences between them, essentially to cater for the UK having left the EU, ranging from mostly minor changes to a number of significant changes.
Generally-speaking, the UK GDPR regime maintains the core principles, obligations and rights of EU GDPR. Therefore, organisations, whether in their capacity as data controllers or data processors, can in general terms continue to implement the compliance standards set under EU GDPR.
However, for regulatory guidance, organisations will need to follow the guidance of the UK’s Information Commissioner’s Office (ICO), always bearing in mind that guidance is only guidance (court rulings being the ultimate interpretation of UK data protection law). For example, there is the ICO’s guidance on data protection and the end of the Brexit 2020 transition period (see here: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/information-rights-at-the-end-of-the-transition-period-frequently-asked-questions/). The ICO will also be updating its existing guidance to address the UK GDPR regime.
Despite the retention of core EU GDPR in the UK’s data protection regime, the end of the Brexit 2020 transition period and the creation of UK GDPR nevertheless have a number of practical and legal implications for organisations, as explained in these FAQs.
Does pre-Brexit EU law still apply to the UK?
The UK has “retained” EU law that existed prior to the UK leaving the EU. So, this “retained EU law”, including UK GDPR, will be interpreted in line with the “retained” rulings of the European Court. However, the UK Supreme Court and High Court of Justiciary (Scotland’s supreme criminal court) can depart from those rulings by applying the same test for deciding whether to depart from their own case-law; the list of UK courts that may depart from “retained” European Court case-law may be extended in the future.
What about enforcement in the UK?
The ICO remains the regulator in the UK, tasked with enforcing the UK DPA 2018 and UK GDPR.
Does the EU-UK Trade and Cooperation Agreement (TCA) deal with the issue of an “Adequacy Decision” for the UK?
Yes, and no. With regard to data transfers, in EU data protection terms, because the UK is outside the EU/EEA it is now considered to be a so-called “third country”. So, the EU GDPR provisions that deal with data transfers (Model Clauses, Binding Corporate Rules etc.) apply to the EU/EEA with regard to data transfers made from there to the UK. The EU GDPR data transfers provisions also provide for so-called “Adequacy Decisions”, whereby, in very simplistic terms, the EU can recognise a third country’s system as providing adequate data protection etc. and therefore data transfers from the EU/EEA to that particular third country can be made under the umbrella protection of the particular “Adequacy Decision” without any further data protection safeguards being necessary.
The TCA does not include an “Adequacy Decision” for the UK. This is because the “Adequacy Decision” process is separate from the TCA, and that process is still ongoing. However, the TCA provides for a stop-gap measure, the so-called “bridging period”, pending an “Adequacy Decision” for the UK, for 4 months (until 11pm UK time on 30 April 2021), which may be extended by another 2 months (until 11pm UK time on 30 June 2021). However, the “bridging period” is provided only on the basis that:
- The UK makes no further changes to the UK GDPR regime during the “bridging period”, except for changes limited to alignment with EU data protection law; and,
- The UK does not exercise certain so-called “designated powers” without the EU’s agreement, except where the effect of the exercise of such powers is limited to alignment with EU data protection law. These powers are concerned with the creation of new mechanisms for international transfers, including authorising new Model Clauses and approving new Binding Corporate Rules.
There are more details on the temporary data transfer deal here https://bit.ly/brextemp including our thoughts on some of the challenges it faces. The upshot for organisations in the EU/EEA is that transfers of data from the EU/EEA to the UK will not be prohibited by EU GDPR whilst the deal lasts and may continue without the need for appropriate safeguards (such as Model Clauses or Binding Corporate Rules) to be put in place. This said, organisations should still consider data transfers and a Plan B as outlined in our article on the deal.
Does the EU-UK Trade and Cooperation Agreement (TCA) deal with other data protection issues?
Yes. The TCA contains various provisions establishing co-operation between the UK and the EU, including on data protection enforcement. The TCA also states that nothing in it prevents the UK or the EU from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law is of general application.
Who’s my regulator?
Under EU GDPR, organisations operating across the EEA benefit from the so-called “One-Stop-Shop” regulatory system under which, generally-speaking, an organisation can deal with a single EU/EEA data protection regulator (the so-called “lead supervisory authority”, which takes action on behalf of the other EU/EEA regulators). Importantly, it also avoids the organisation having to deal with regulatory and enforcement action from every regulator in every EU/EEA country where individuals are affected. Whilst during the Brexit 2020 transition period the UK remained within the “One-Stop-Shop” system and the ICO could continue to act as a “lead supervisory authority” under EU GDPR, this arrangement has now ceased.
The upshot is that organisations should consider whether they have to:
- Be regulated by both the UK’s ICO and an EU/EEA “lead supervisory authority”; or,
- Identify who their “lead supervisory authority” is in the EU/EEA if the ICO was previously their “lead supervisory authority”; or,
- Adapt to additional regulation by the ICO where the ICO was not previously their “lead supervisory authority”.
It must be stressed that organisations with establishments only in the UK may also fall under the jurisdiction of EU/EEA supervisory authorities where EU GDPR’s extraterritorial reach applies to them (see Extra-territorial reach – compliance with UK GDPR & EU GDPR). Needless to say this will be without the benefit of “One-Stop-Shop” and may mean being subject to the supervision of and enforcement by multiple regulators across the EU/EEA.
The ICO has indicated that it intends to continue co-operation and collaboration with EU/EEA regulators concerning EU GDPR breaches affecting individuals in the UK or in the EU/EEA – it is not clear yet what this will entail.
What about data transfers between the UK and the EU/EEA?
As mentioned above (Does the EU-UK Trade and Cooperation Agreement (TCA) deal with the issue of an “Adequacy Decision” for the UK?) EU GDPR restricts and regulates data transfers from the EU/EEA to “third countries”. During the Brexit 2020 transition period data transfers could continue freely from the EU/EEA to the UK, and vice versa. This came to an end on 1 January 2021, but, pending an EU “Adequacy Decision” for the UK, the TCA allows data transfers from the EU/EEA to the UK to continue unimpeded for another 4 months, which can be extended by another 2 months. As we’ve said there’s more detail on that in our note here https://bit.ly/brextemp.
As regards data transfers from the UK to the EU/EEA, along with countries outside the EU/EEA, these are now governed by UK GDPR. Similar to the set-up under EU GDPR, UK GDPR restricts transfers of personal data outside of the UK unless appropriate safeguards are in place. The UK will however continue to recognise the EU/EEA as “adequate” under UK GDPR, at least for the time being, and thereby allow for the free flow of personal data from the UK to the EU/EEA. In time the UK will perform its own “adequacy” assessment of EU/EEA countries. In addition, the UK will:
- Temporarily recognise existing EU “Adequacy Decisions” (i.e. for the dozen or so countries for which the EU has made such decisions) to allow personal data to flow freely from the UK to those countries;
- Recognise existing EU Model Clauses – note that the ICO also has the power to issue UK Model Clauses, which it will no doubt issue in time;
- Allow Binding Corporate Rules authorised by the ICO under the EU data protection regime that preceded EU GDPR to continue to be used, and create a mechanism for the ICO to authorise Binding Corporate Rules authorised by EU regulators under the EU data protection regime that preceded EU GDPR.
Given that the TCA (4 or 6 month) “bridging period” mechanism is short and an EU “Adequacy Decision” may not be made in that time period (and even if there is a decision it may be subject to legal challenge), and given also that the UK is only temporarily allowing free flows of personal data from the UK to the EU/EEA, organisations should consider putting in place Model Clauses for data transfers between the UK and the EU/EEA; as noted above (Does the EU-UK Trade and Cooperation Agreement (TCA) deal with the issue of an “Adequacy Decision” for the UK?), the ICO has recommended this for data transfers from the EU/EEA to the UK. These should also cover the possibility of no “Adequacy Decision” and of the UK withdrawing the temporary free flow of personal data to the EU/EEA. Note that following the European Court ruling in the Schrems case in 2019, and in light of (draft) EU guidance following the ruling (see here: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en), it would also now be necessary for organisations, on a case-by-case basis, to conduct further due diligence and assess whether a transfer of personal data using Model Clauses (or other transfer mechanisms) provides an adequate level of protection in practice and, if not, to consider what other safeguards could be put in place.
As regards the use of Binding Corporate Rules approved by the ICO under EU GDPR, the European Commission has said the following (see here: https://ec.europa.eu/info/sites/info/files/brexit_files/info_site/data_protection_en.pdf):
- Binding Corporate Rules approved by the ICO since 25 May 2018 (i.e. under EU GDPR) no longer provide appropriate safeguards under EU law after the end of the Brexit 2020 transition period, unless they are subject to a new approval by an EU Member State regulator confirming that they provide appropriate safeguards for transfer after the end of the Brexit 2020 transition period; and,
- Binding Corporate Rules approved by the ICO before 25 May 2018 (i.e. pre-EU GDPR) may continue to be used under EU GDPR after the end of the Brexit 2020 transition period but only if any connection to the legal order of the UK, such as the corporate entity designated, the competent courts or the competent “supervisory authority”, is replaced by equivalent roles for corporate entities and competent authorities within the EU. Holders of such EU Binding Corporate Rules where the ICO was the “lead supervisory authority” must therefore identify an EU/EEA regulator to act as their new lead for their EU Binding Corporate Rules and must have transferred to them before the end of the Brexit 2020 transition period. The European Data Protection Board (EDPB) has confirmed that for Binding Corporate Rules for which the ICO acted as Binding Corporate Rules “lead supervisory authority” under the EU’s pre-EU GDPR regime, no approval will have to be issued by the new Binding Corporate Rules “lead supervisory authority” in the EEA (see here: https://edpb.europa.eu/our-work-tools/our-documents/ovrigt/information-note-bcrs-groups-undertakings-enterprises-which-have_en).
Finally, according to ICO guidance about Binding Corporate Rules (BCRs) (see here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/#bcrs):
“Holders of EU BCRs for which the ICO did not act as lead and did not issue an authorisation will be eligible automatically for a UK BCR only if certain conditions are met. These conditions are:
- their entity established in the UK must notify the ICO that they have an EU BCR and wish to have a UK BCR;
- they must provide the name and contact details of their DPO or other relevant contact; and
- they must supply such additional information as the ICO reasonably requires.
The ICO will expect to receive a UK version of the BCRs incorporating the changes […]. The conditions should be satisfied as soon as possible and, in any event, before 30 June 2021, as no confirmation of UK BCR will be issued by the Information Commissioner until they are. These BCR holders have until 30 June 2021 at the latest to provide this information.”
What about extra-territorial reach and compliance with both UK GDPR & EU GDPR?
Both UK GDPR and EU GDPR have extra-territorial reach, i.e. in certain circumstances they respectively apply to organisations where the organisation is not in the UK or the EU/EEA.
UK GDPR extends the UK’s reach in a similar fashion to that under EU GDPR, essentially to apply to:
- The processing of personal data in the context of the activities of an establishment of a controller or a processor in the UK, regardless of whether that processing takes place in the UK or not;
- The processing of personal data of data subjects who are in the UK by a controller or processor not established in the UK, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the UK; or, (b) the monitoring of their behaviour as far as their behaviour takes place within the UK;
- The processing of personal data by a controller not established in the UK, but in a place where Member State law applies by virtue of public international law.
The compliance upshot of this for organisations with regard to who will regulate them includes the following (see also Do I have to appoint a Data Protection Representative?):
- Organisations with an establishment in the UK will have to comply with UK GDPR with regard to processing personal data in the context of the activities of that UK establishment – the ICO will act as regulator;
- Organisations with an establishment in the EU/EEA will have to comply with EU GDPR with regard to processing of personal data in the context of the activities of that EU/EEA establishment – the ICO will not act as regulator and instead the relevant EU/EEA regulator(s) will play this role;
- Organisations based in the UK with offices, branches or other establishments in the EU/EEA will, in addition to having to comply with UK GDPR for UK activities, also have to comply with EU GDPR with regard to processing personal data in the context of the activities of their EU/EEA establishment(s) – the ICO and EU/EEA regulator(s) will act as regulators (re UK GDPR and EU GDPR respectively);
- Organisations based in the EU/EEA with offices, branches or other establishments in the UK, will, in addition to having to comply with EU GDPR for EU/EEA activities, also need to comply with UK GDPR with regard to processing personal data in the context of the activities of their UK establishment(s) – the ICO and EU/EEA regulator(s) will act as regulators (re UK GDPR and EU GDPR respectively);
- Organisations based in the UK only (i.e. without an EU/EEA establishment), either offering goods or services to individuals in the EU/EEA or monitoring the behaviour of individuals located in the EU/EEA, will have to comply with EU GDPR to process personal data relating to those activities – the relevant EU/EEA regulator(s) will act as regulator(s);
- Organisations based in the EU/EEA only (i.e. without a UK establishment), either offering goods or services to individuals in the UK or monitoring the behaviour of individuals located in the UK, will have to comply with UK GDPR to process personal data relating to those activities – the ICO will act as regulator.
Do I have to appoint a Data Protection Representative?
Under EU GDPR, organisations established outside the EU/EEA (i.e. with no branches, offices etc. there) must designate a local “Data Protection Representative” (DPR) where their activities involve processing personal data of data subjects inside the EU/EEA in connection with either providing goods or services or monitoring the behaviour of individuals located in the EU/EEA; this is subject to some exceptions. This local representative acts as the organisation’s contact for individuals and “supervisory authorities” in the EU/EEA.
So, under EU GDPR, as of 1 January 2021 organisations established only in the UK (i.e. with no branches, offices etc. in the EU/EEA) will no longer be “established” in the EU/EEA, and therefore UK organisations must appoint a representative in the EU/EEA where the organisation’s activities involve processing personal data of individuals inside the EU/EEA in connection with either the provision of goods or services or the monitoring of the behaviour of individuals located in the EU/EEA.
Under UK GDPR, organisations established only in the EU/EEA (i.e. with no branches, offices etc. in the UK) must put in place a representative in the UK where the organisation’s activities involve processing personal data of individuals inside the UK in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the UK.
Do I still need a Data Protection Officer (DPO)?
Yes. Where EU GDPR, national Member State local law or UK GDPR conditions are respectively met requiring the appointment of a DPO, organisations will still have to have a DPO. A DPO may cover both the UK and EU/EEA so long as they are easily accessible from each establishment in the UK and EU/EEA (see ICO guidance here: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended/the-gdpr/other-minor-updates/).
Do I still have to document and keep data processing records?
Yes. Under the DPA 2018 and UK GDPR the obligation to document and keep records remains.
Depending on the circumstances, organisations will likely need to make some changes to existing documentation and records, e.g. concerning data transfers; or, where the lawful basis or conditions for processing have been recorded, the documentation may need to be changed to update any references to EU GDPR or other terminology to those in UK GDPR (see also Do I need to revise any of my data protection documentation?).
Do I have to make any transparency changes?
Under UK GDPR a few changes will likely need to be made, probably mostly tidying up privacy policies (see also Do I need to revise any of my data protection documentation?), for example as regards:
- References changed to UK GDPR from EU GDPR etc.;
- International data transfers; and,
- The Data Protection Representative (see Do I have to appoint a Data Protection Representative?).
What about fines?
There is now potentially double exposure to fines.
Fines can be imposed under UK GDPR, for UK GDPR breaches, which in the higher fining category are up to £17.5 million or 4% of annual worldwide turnover (whichever is greater). If an incident also breaches EU GDPR then fines can also be imposed under EU GDPR, which in the higher fining category are up to €20 million or 4% of annual worldwide turnover (whichever is greater).
Organisations would also face double use of resources and costs in terms of dealing with the ICO in the UK and the relevant “lead supervisory authority” in the EU/EEA.
What about Legacy Data?
Under the 2019 EU-UK Withdrawal Agreement, in the event that the UK does not have an “Adequacy Decision” then EU GDPR applies in the UK to the processing of personal data of data subjects outside the UK where the personal data:
- Was processed in the UK (under EU GDPR) before the end of the transition period; or,
- Is processed in the UK after the transition period (on the basis of the 2019 EU-UK Withdrawal Agreement).
The personal data concerned is more commonly referred to as “legacy data”.
The UK has not yet been granted an “Adequacy Decision” by the EU and the “bridging period” of 4 months does not constitute an “Adequacy Decision” (see Does the EU-UK Trade and Cooperation Agreement (TCA) deal with the issue of an “Adequacy Decision” for the UK?). Therefore, the “legacy data” rule applies from the end of the transition period, including to personal data of data subjects from outside the UK that continues to be processed in the UK.
The meaning and consequences of the “legacy data” rule are far from clear; official ICO and EU guidance is expected. A key issue here is scope: the reference to data subjects outside of the UK implies that data subjects in both the EU and elsewhere in the world are in scope – but it is not clear how EU jurisdiction extends to elsewhere and to what. Also, how will the ICO and EU regulators enforce and deal with this “legacy data” rule, for example to which regulator(s) will a data breach concerning “legacy data” be notified?
If and when the UK does receive an “Adequacy Decision” the “legacy data” rule may lose its relevance and the fact that the “bridging period” exists might be interpreted as meaning that the EU recognises UK GDPR as providing temporary adequate data protection such that the “legacy data” rule might not be an issue during this period.
Nevertheless, organisations should consider identifying what personal data they have which may fall under the “legacy data” rule as it may have practical consequences for a range of areas including data breach notification, international data transfers and transparency (privacy policies and notices). Organisations should also watch out for any guidance that may be issued by the ICO and the EU. It is a topic which we will continue to cover in our GDPR Navigator briefings (see www.bit.ly/gdprnav).
Do I still have to notify data breaches and if so where?
Yes. Organisations may in fact be required to notify breaches to both the ICO in the UK, under UK GDPR, and their “lead supervisory authority” in the EU/EEA under EU GDPR. If an organisation can’t identify a lead “supervisory authority” in the EU/EEA because of the circumstances in a given breach, or if the EU GDPR “One-Stop-Shop” mechanism doesn’t apply at all, the organisation may have to notify each relevant authority in the EU/EEA (i.e. where both UK GDPR and EU GDPR apply).
Do I still have to do Data Protection Impact Assessments (DPIAs)?
Yes. Organisations may also need to review their existing DPIAs, for example, if they concern data transfers. Also, where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by a data controller to mitigate the risk and so a DPIA needs to get the seal of approval from a regulator, organisations may also need to consider which regulators they will need to go to (ICO and/or a “supervisory authority” in the EU/EEA).
Do I need to revise any of my data protection documentation?
Yes. Organisations should consider reviewing their data protection documentation with a view to revising it, for example privacy policies. Particular issues to address include the following:
- Terms – a whole range of terms may need to be revised and updated, ranging from simpler additions like referring to “UK GDPR” to more sophisticated clarifications, e.g. to ensure there are no inconsistencies between UK GDPR and EU GDPR;
- International data transfers – identify from where and to where data is being transferred (UK→EU/EEA, EU/EEA→UK, UK→third country) and amend transfer mechanisms accordingly. References in documentation will very likely need to be changed, for example to ensure that wording doesn’t suggest that there are restrictions on data transfers from the UK to the EU/EEA;
- Regulator – identify who your regulator is. Remember also that in the UK controllers must be registered (for a fee) with the ICO. There are more details of this requirement here https://www.corderycompliance.com/solutions/privacy-registration-and-renewal/;
- Data Representatives – if Data Representatives are going to be appointed then they will need to be mentioned, e.g. in external privacy policies;
- Legacy data – this issue may need to be addressed e.g. in contracts;
- Liability clauses – Data Processing Agreements may need to be amended to reflect exposure to fines under UK GDPR and EU GDPR.
What practical steps can I take?
Consider taking the following practical steps:
- Understand who your regulators are;
- Review your International Data Transfer mechanisms;
- Determine if a Data Protection Representative needs to be appointed;
- Review your Data Protection Impact Assessments;
- Understand your possible exposure to sanctions;
- Identify what personal data you may have for the purposes of the “legacy data” rule; and,
- Review your data protection documentation in order to update it.
We report about compliance issues here https://www.corderycompliance.com/news/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785