As the UK is leaving the EU on 31 January 2020 changes have to be made to legislation that is based on European law forming part of our legal framework in the UK. This includes data protection as the UK has adopted GDPR as part of its framework. As a result some references in the GDPR are being updated to references to UK domestic law, supervisory authorities become “the Information Commissioner” and powers allotted to European Union and Member States are reallocated to the Secretary of State and the Information Commissioner just to keep the GDPR workable in a UK only context.
The impact of the changes is fairly minimal and many aspects of GDPR do not change at all, for example:
- The Principles
- Conditions for consent. We differ from some EU MS by having 13 as the age of consent of a child to information society services which is allowed under EU GDPR and which was brought in under the 2018 DPA from 25 May 2018 in the UK in any event.
- Subject rights
- The law as between controllers and third party data processors is also unchanged
One or two areas throw up bigger issues. International transfers of personal data will be subject to new provisions:
- In the future, UK controllers and processors which process certain personal data relating to citizens located in certain EU Member States will have to designate an Appointed Representative in that Member State. This will apply after the end of the transition period, 31 December 2020. Equally controllers and processors located in the EU which process personal data relating to UK citizens will need to appoint a Representative in the UK and register the Appointed Representative with the Information Commissioner.
- The existing framework for legitimising transfers of personal data to countries outside of the EEA continues to apply for data transfers from the UK. The existing adequacy decisions approved by the EU are adopted into UK law as are existing Standard Contractual Clauses approved by the EU and existing Binding Corporate Rules approved by the Information Commissioner.
- After the end of the transition period, EU Member States will be “third countries” for transfers of personal data from the UK but a legal basis for these transfers is provided based on the similarity of our UK GDPR with the EU GDPR. So transfers to EU Member States will be legitimate.
- Note that if there is no Trade Deal at the end of 2020, the position will be similar to “Crashing out of the EU without a deal” scenario. Although the UK has accepted that EU Member States provide adequate protection for personal data and the UK GDPR is closely aligned to the EU GDPR, there is no such statement at EU level but there is a public statement that the European Commission will prioritise processing an Adequacy Decision for the UK before the end of the transition period. However it is still possible that data transfers will be a bargaining issue in the negotiations for a trade deal between the UK and the EU. So the issues in this area have not gone away.
Data protection law remains in a state of development as with many other aspects of our lives after Brexit. If you need any help with these issues, get in touch.