Boris Johnson’s election victory means that we are almost certainly heading for Brexit on 31st January 2020 with his version of a deal. Having won a large Conservative majority in the House of Commons, it should be relatively easy for him to pass the Withdrawal Agreement Bill which is likely to be re-introduced to Parliament this week.
What are the implications for the UK’s data protection regime in the form of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018)? Can we bin them on the 31st January with our red EU passports? The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made earlier this year. Some of the sixty-one pages of regulations (dealing with minor issues) came into force on 29th March 2019, with the rest coming into force on exit day (now 31st January 2020 unless something, akin to Elvis returning from the moon, happens in the next few weeks!).
With Boris’s deal likely to be approved by Parliament, the implications of the above regulations will not be felt until the end of the transition period (currently 31st December 2020). Until then GDPR will apply “as is”. Unless the transition period is extended (it was a Conservative manifesto pledge not to do so) a revision of GDPR, to be known as the “UK GDPR”, will come into force on 1st January 2021. A brief summary of the key changes follows.
The EU version of GDPR contains many references to EU laws, institutions, currency and powers, amongst other things, which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the Secretary of State or the Information Commissioner.
The regulations also deal with post-Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the DPA 2018. Broadly these mirror the current arrangements in the GDPR, so that the UK will:
- Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision
- Give powers to the Secretary of State to determine or revoke adequacy
- Recognise current EU Standard Contractual Clauses as valid for international transfers but the ICO will have the power to issue more clauses
- Recognise all Binding Corporate Rules authorised before Exit Day
- Introduce extraterritoriality into the UK data protection regime
Of course, from Exit Day the UK will become a third country for the purposes of international data transfers under GDPR. This means that after the end of the transitional period, the lawful transfer of personal data from the EU into the UK without additional safeguards being required will only be possible if the UK achieves adequacy status and joins a list of 12 countries. The regulations attempt to make the UK version of GDPR as robust as the EU version, in the hope of achieving an adequacy decision quickly, but this is by no means a certainty. It is very unlikely to be achieved by 1st January 2021, which means that Data Controllers and Processors have to start putting in additional safeguards now to maintain the free flow of data.
The new regulations also amend the DPA 2018, which must be read alongside GDPR.
Chapter 3 of Part 2 of the DPA 2018 currently applies a broadly equivalent data protection regime to certain types of data processing to which the GDPR does not apply (“the applied GDPR”), for example where personal data processing relates to immigration, or to manual unstructured data held by a public authority covered by the Freedom of Information Act 2000 (FOI). This will become part of the UK GDPR.
More on Brexit and the new regulations here. All Data Controllers and Processors need to prepare now for the UK GDPR.