The UK Parliament’s rejection of the Government’s Brexit withdrawal agreement might be an anticipated turn of events, but it also means that a No Deal Brexit is becoming more and more likely. Time is running out and uncertainty is building up, so in preparation the UK government recently released additional guidance to supplement the ICO’s description of the future data protection regime.
The days before the GDPR took effect (25th of May 2018) were a time of much speculation about whether UK businesses needed to comply with the Regulation, given the ongoing negotiations on Brexit. The timeframe was confusing: the effective date of the GDPR was just 6-7 months prior to the final resolutions on the UK-EU Brexit negotiations, which are expected to finish on 29th of March 2019. Most business experts were hoping that, since the UK was initiating Brexit, GDPR compliance would be unnecessary.
The benefits of the GDPR are numerous. Among them are better-defined data subjects’ rights, the ability of data subjects to exercise more control over how, when and why their personal data is being used, and the opportunity to easily file complaints when necessary with pre-defined authorities or employees of the companies. However, businesses are still concerned mostly with the extra administrative burden and the cost associated with GDPR implementation.
The UK Government’s solution was the adoption of the UK’s Data Protection Act, which not only covers all of the GDPR’s requirements but in some ways is stricter and builds upon them. The Data Protection Act began as the Data Protection Bill, announced in the annual Queen’s Speech on June 21st 2017, which further highlighted that the UK will remain a “world-class” data protection regime.
The Data Protection Act had a twofold purpose: on one hand, to implement the GDPR measures and requirements by making them even stricter and stronger, and on the other, to give reassurance that the provisions of the GDPR are reaffirmed even after Brexit.
The UK’s Information Commissioner, Elizabeth Denham of the ICO, has published a blog post explaining the possible outcomes for data transfers after Brexit.
- The UK leaves the EU with a proper and well-structured withdrawal agreement that specifically provides for the continued flow of personal data – In this scenario the two-way flow of personal data will be clear and specific.
- The UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data – This second option is the negative outcome of the negotiations, and organisations impacted by it need to be prepared, though not every organisation dealing with personal data of EU citizens will be affected. For example:
  - Internal dealings with personal data inside the UK’s borders won’t change, as the Government has made clear that the GDPR will be absorbed into UK law at the point of exit, and it is expected that there will be no substantial change to the rules that most organisations need to follow. This legal Act was called the “UK GDPR”.
  - In case the data transfers take place outside of the UK’s borders:
    - The UK Government has stated that it intends to permit data flow from the UK to EEA countries.
    - However, transfers of personal information from the EEA to the UK will be affected.
In this context, the ICO has issued broader guidance on the effects of leaving the EU without a withdrawal agreement in order to help the affected organisations in their preparations.
One of the Guidance’s general remarks is that after Brexit, certain parts of the GDPR will no longer be in force for the UK. For example, the requirements that refer to the UK’s participation as a Member State of the EU will no longer be valid. At the same time, since the internal UK regime won’t change significantly, as already mentioned, the roles of the data processor and the data controller will still be valid. However, when data processing takes place outside of the UK or involves processing of personal data of UK citizens, the UK GDPR will be in force. This will be the case when goods and services are being offered to UK citizens from outside or when monitoring the behaviour of individuals takes place in the UK.
The full Guidance, issued by the ICO, can be found HERE
Disclaimer: The content of this article is intended to provide a general guide to the subject matter. It is not legal advice and should not be treated as such. Specialist advice should be sought about your specific circumstances.