The news that Boris Johnson and Ursula von der Leyen have struck a trade deal between Britain and the EU has been a long time in coming. Its effects, however, may take six more months to be fully felt.
January 31st 2020 saw the UK’s departure from the EU, and its entry into an 11-month transition period, to negotiate the UK’s future relationship with the EU.
Brexit left in its wake inevitable questions such as: “What happens to all of the EU laws now that Britain has left the bloc?”, “Does the UK need to concern itself with the draft ePrivacy Regulation?” and… “Does the GDPR still apply?”
To answer these, let’s have a quick look at the different types of EU laws out there:
- EU Regulations bind member states and reign supreme over domestic laws.
- EU Directives set binding goals but offer member states flexibility in how to achieve them.
- EU Decisions bind those to whom they are addressed.
- EU Recommendations and EU Opinions don’t bind.
So, since the UK is not an EU member state any more, that means that these laws no longer apply to Britain, right?
Well… the answer is yes and no. To answer this accurately we need to have a look at the end result of THAT bill that saw off Theresa May’s premiership as she battled to get it through the Commons and the European Commission; THAT bill that shone a light on a backstop, and broke Boris’ promise to leave by October 31st 2019 “…Come what may”. Of course, I’m talking about the European Union (Withdrawal Agreement) Act 2020.
Admittedly, it is not the most exciting read, but that’s only because it was drafted in a way that left the reader referring repeatedly to its 2018 predecessor. BUT, and it is a big but, it spells out on more than one occasion, and unequivocally, that the Parliament of the United Kingdom is sovereign ‘notwithstanding directly applicable or directly effective EU law continuing to be recognised and available in domestic law’.
Additionally, Theresa May promised to enshrine all EU legislation into local law within the UK. We started seeing this with the enactment of the Data Protection Act 2018 (DPA). This domestic law mirrors the GDPR; however, there are some deviations (including the DPA stating that a child can consent to data processing at age 13, whilst the GDPR sets this at age 16).
Even more harmoniously, the DPA and the GDPR have been further merged by way of a UK statutory instrument: the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. (Picture a mass GDPR edit-replace of ‘Member State’ with ‘United Kingdom’ and ‘Supervisory authority’ with ‘Commissioner’.) This amends the DPA. It also amends the UK’s Privacy and Electronic Communications Regulation (PECR) with almost a throwaway line that consent in PECR must align with consent in the GDPR. These are all married with the GDPR to form a data protection framework for a post-Brexit UK called ‘the UK GDPR’, as distinct from the EU’s GDPR.
Furthermore, by Article 45 of the EU GDPR, in order to continue seamless international data flows from the EEA to the UK, the European Commission must conclude, by an adequacy decision, that the UK, as a third country, offers personal data an adequate level of protection. Failing this, UK organisations will have to rely on contracts or binding corporate rules to transfer personal data from organisations in the EEA.
So, what does that all mean?
It means that the EU’s GDPR applied until the end of the transition period (December 31st 2020), and then the UK GDPR applies.
Has there been an adequacy decision yet?
Not yet. The Brexit deal provides a short-term answer for transborder data flows between the UK and the EU. It was agreed that this period would last up to a maximum of six months, until an adequacy decision has been made. In the meantime, both the EU and the UK will continue to set a high standard of data protection in their respective jurisdictions, and a data-adequacy decision will be made by the UK, as well as the EU.
As EU data privacy rules become enshrined in one way or another in UK law, protection of the rights of individuals will be paramount. One thing is for sure, the rights offered by the GDPR and other EU laws will continue to be reflected in the national laws of the UK.
It is recommended that organisations:
- Review the state of Data Privacy laws in the wake of Brexit
- Assess the impact of these changes
- Ensure compliance in the event that no adequacy decision is reached
Compliance with post-Brexit data protection legislation is vital to reducing the risk of data breaches, and meeting the expectations of customers, regulators and the public alike.
For more information on how Southwood can help you comply with post-Brexit data privacy legislation and associated services, contact [email protected]
Written by James Okoro, CIPM, FIP, CIPP/E, LL.B, Barrister – Director, Southwood Management Solutions