Published on Friday, January 31, 2020 - 14:26 by Camilla Winlo
At 11pm tonight, the UK will leave the European Union. But what does it mean for data protection?
Does GDPR still apply in the UK?
Yes – GDPR does continue to apply in the UK and that won’t change. It was signed into law as the Data Protection Act 2018 so all the requirements of GDPR have been made requirements in the UK already.
What about ePrivacy?
The ePrivacy Directive will regulate electronic communications and is going through the process of being turned into an EU Regulation. This has proved rather difficult to agree and we think it’s unlikely that a final version will be approved before the transition period ends on 31 December 2020. At the moment, it’s not clear whether the UK will choose to implement ePrivacy as it is agreed for the EU or write its own rules. Either way, many of the topic areas – like cookies - have already been considered by the ICO and incorporated into the Privacy and Electronic Communications Regulation which is the current equivalent of ePrivacy.
Do I need to appoint a Member State Representative?
Not today. While Article 27 of GDPR says that non-EU countries must appoint a Member State Representative if they want to process personal data relating to EU citizens, organisations based in the UK do not need to do this during the transition period, to 31 December 2020. This Representative becomes the contact point for the supervisory body.
It’s not clear what will happen after the transition period. It’s possible that UK organisations will need to appoint a Member State Representative– and that EU organisations processing data belonging to UK citizens will need to do the same. However, the EU has yet to confirm how it can enforce that requirement. In our view, it may be that EU organisations choose to do business with organisations that have a local representative for their own risk management reasons and the enforceability becomes secondary to practicality.
Can I still transfer data between the UK and the EU?
Yes. During the transition period, you can still transfer data between the UK and the EU with GDPR safeguarding the transfer. After the transition period, this may change. The UK has already stated that it considers the EU ‘adequate’ – in other words, that data can be safely transferred there with no extra requirements – but the EU has not said that it will consider us ‘adequate’ yet – in other words, there may be extra requirements for data to come from the EU to the UK.
Extra requirements are likely to be Standard Contractual Clauses (if you are transferring data to another organisation) or Binding Corporate Rules (if you are transferring data to another part of your organisation’s group of companies), both of which will need to be incorporated into data processing agreements by data protection lawyers.
Will the Information Commissioner continue to collaborate with other EU Regulators?
The Information Commissioner has said that she intends to continue to collaborate with her counterparts in the EU, and during the transition period we expect that this will continue to happen. This means that we can look at decisions made by other EU Regulators and expect that the same facts would result in a similar decision in the UK. It also means that the Information Commissioner is likely to continue to support live investigations by other Member State lead Regulators rather than launching her own investigations.
However, this may change after the transition period, especially if the EU does not grant the UK ‘adequacy’. If this happens, we may see a gradual divergence of the UK and EU data protection regulatory landscape.
So nothing’s changing then?
Not today. Ask us again in a year…
If you are interested in any of our services then please either use the contact form or contact us via of the methods below: