Data Protection and Brexit
Where are we now?
Brexit can be likened to some interminable opera that never seems to end! We are repeatedly told that everything will be sorted by a certain date only to discover, when that date arrives, there is to be a further transitional or implementation period. In truth, the UK and the UK will be dealing with the fallout from Brexit for many years to come.
On 24 December 2020, the EU and the UK finally reached agreement in principle on an EU-UK Trade and Cooperation Agreement (the TCA). This was intended to set out the relationship between the EU and the UK going forward from 11pm on 31 December 2020 (i.e. from the end of the implementation period relating to the previous Withdrawal Agreement). However, the TCP left many matters still to be determined by future negotiations between the parties. One such matter relates to the transfer of data to the UK from the EU or the EEA States (Norway, Iceland and Lichtenstein). In relation to such transfers, the TCP provides for a further bridging period which will continue at least until 11pm on 30 April 2021 or, if neither side objects, until 11pm on 30 June 2021.
In fact, data protection is an area of law where we are unlikely to see significant change because of Brexit. Some time ago, the Government announced its intention to keep UK data protection law in line with EU law so far as possible post-Brexit. One should never say never but it is hard to see a future government taking a different view. In 2018, Parliament passed the European Union (Withdrawal) Act, which incorporated the European General Data Protection Regulation (the GDPR) into UK law. The upshot of this is there will not be major changes to data protection law in so far as it affects a UK business that simply collects personal data from within the UK and does not seek to export it outside the UK.
One area where a degree of uncertainty remains concerns the export of personal data from the EU or EEA to the UK. Under the TCA, during the bridging period nothing will change so long as certain conditions continue to be met (which they almost certainly will). The UK has applied to the European Commission for an adequacy decision which will facilitate the continued export of personal data from the EU to the UK. One might think that the grant of such a decision is a foregone conclusion, given that UK data protection law will largely remain unchanged but we shall have to wait and see.
So, what does all this mean for businesses? In most cases, probably the best advice is to sit tight and await events. However, if your business relies on the export of personal data from the EU or EEA to the UK you may want to think about developing contingency plans in case no adequacy decision is granted before the end of the bridging period. One possibility may be the use of what are termed Standard Contractual Clauses to allow the international exporting of personal data.
To find out more, please contact David Dees or Rosemarie Moulding.