Whilst competing factions in the UK Parliament continue to wrangle over the UK’s future relationship with the EU, in the background work continues to ensure that regulatory regimes, including data protection law, will function smoothly once the UK does, eventually, leave the Union. To that end, the Government has now published the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“Exit Regulations”, available here).
The regulations are the statutory instrument which amends the GDPR to ensure it will “work” and make sense in the UK post-Brexit. The Exit Regulations will have effect on either (i) 30 March 2019, if there is a ‘no deal’ Brexit; or (ii) at the end of the transition period (1 January 2021 at the earliest), if the UK and EU approve the draft Withdrawal Agreement currently before the UK Parliament.
We have covered the implications of Brexit for data protection law, including the fundamental differences between a ‘no deal’ and a Withdrawal Agreement based Brexit, in a number of previous blog posts, most recently in our Brexit flowchart, available here. The Exit Regulations fit into that picture as follows:
- If the UK leaves the EU without a Withdrawal Agreement, then the GDPR will be transposed into UK domestic law as ‘retained UK law’ under section 3 of the EU (Withdrawal) Act 2018 (sometimes referred to as the ‘Great Repeal’ Act). We can refer to this new domestic law as the ‘UK GDPR’.
- The GDPR contains numerous references to EU institutions and to Member States – consequently, amendments will need to be made to the UK GDPR in order for it to make sense in the post-Brexit UK context.
- The Exit Regulations make these amendments to the UK GDPR.
For the most part, the Exit Regulations are unremarkable and serve a functional role in ensuring that the UK GDPR, which in most fundamental respects is identical to the EU GDPR, is a coherent piece of UK law. However, the following points are worth noting in relation to the changes made by the Exit Regulations:
- The Exit Regulations create a specific territorial scope for the UK GDPR which mirrors the territorial scope of the EU GDPR – i.e. the UK GDPR will apply to any controllers and processors established in the UK as well as those outside the UK but which offer goods and services to data subjects in the UK or monitor the behaviour of data subjects in the UK.
- Whilst the data protection standards set by the UK and EU versions of the GDPR are essentially the same, they will be completely distinct laws. Consequently, companies operating in both the UK and the EU need to be aware of the circumstances in which they will be subject to the UK GDPR (overseen by the Information Commissioner’s Office (“ICO”)) and the EU GDPR (overseen by the remaining Member States’ supervisory authorities), as well as the real possibility for dual / overlapping regulation. Companies in the UK may still be subject to the extra-territorial effect of the EU GDPR in respect of business done in the EU (and vice versa). Amongst other consequences, this will have the practical effect of necessitating the notification of cross-border personal data breaches in both the UK and at least one EU Member State (where the lead supervisory authority is located).
- EU clients subject to the UK GDPR may need to appoint a UK representative (just as UK clients subject to the EU GDPR may need an EU based representative).
- The UK will, through the ICO, be empowered to make its own adequacy decisions in respect of third countries (including EU Member States) in order to permit the unrestricted transfer of personal data from the UK to those countries.
- Also in relation to international transfers, once the UK has left the EU, the ICO will be able to create its own standard contractual clauses for the purposes of the UK GDPR. However, note that in its recent guidance (available here), the ICO has stated that UK based controllers and processors “will be able to continue to rely on the same mechanisms” (i.e. the current, EU Commission approved SCCs) in the immediate post-Brexit environment, and the ICO is empowered to approve the EU SCCs as an appropriate safeguard.
- The Exit Regulations remove Chapter VII of the GDPR from the UK GDPR – this deals with co-operation between EU supervisory authorities, and naturally will no longer be relevant to post-Brexit UK. Art. 50 (which is about broader international co-operation) is retained.
Whilst the Exit Regulations are likely to pass largely unnoticed by the majority of companies, they will soon become essential reading in order to navigate the new world of the UK GDPR post-Brexit, and to understand the subtle but important differences between it and its EU cousin.