Data Protection after Brexit. What’s going on?
Data protection is a rapidly evolving area of law and the end of the Brexit transition period has paved the way for important potential future changes, particularly in relation to transfers of personal data from and to the UK.
Does my business need to worry about data protection after Brexit?
Yes, if you are a business which processes personal data, i.e. data which relates to an identified or identifiable person, such as names, e-mail addresses, job titles, and less obvious things like IP addresses.
What happened at the end of the transition period?
Laws were passed before the end of the transition period to incorporate the GDPR (as it applied to the UK as a member of the EU) into English (and UK) law. The retained law is known as the UK GDPR and together with the Data Protection Act 2018 constitutes the bulk of the UK’s data protection law. The ‘old’ GDPR which applied to the UK as a former EU Member State is now known instead as the EU GDPR. Both the EU GDPR and the UK GDPR have extra-territorial effect (meaning they can apply to businesses not established in the EU or the UK (respectively)) so businesses need to evaluate whether one or both now apply to them.
What about international data transfers and SCCs?
A hot topic before the end of the transition period was transfers of personal data to and from the UK (note that a transfer includes having access to personal data, not just it being physically transferred). Laws passed before the end of the transition period mean that, on a temporary basis, members of the EEA, the EU and Gibraltar are automatically recognised by the UK as adequate in respect of data protection.
In addition, the Trade and Cooperation Agreement (the Brexit Deal) which was finalised on 24 December 2020 includes a 4 month bridging period with effect from 01 January 2021 during which transfers of personal data from the EEA (and the EU) to the UK can continue unimpeded. This 4 month period is extendable by a further 2 months, meaning the total bridging period is potentially 6 months long (so expiring in July 2021).
For international data transfers, the next major consideration is whether or not the EU Commission issues an Adequacy Decision in respect of the UK. It is not guaranteed, but it would be surprising if such an Adequacy Decision was not issued: the Brexit Deal paves the way for it, not issuing one would set the bar for adequacy impossibly high, and the financial cost to many businesses if one is not issued is very large.
In the (surprising) event that an Adequacy Decision is not issued in favour of the UK before the end of the current bridging period, then, unless the UK legislates to suddenly reverse its current recognition of the EEA and EU as adequate, the main issue for applicable businesses to consider will be transfers of personal data from the EEA and the EU to the UK in respect of a UK-based data controller. A mechanism frequently relied upon is to put in place Standard Contractual Clauses (SCCs). These are basically a set of standard contractual terms which, if complied with, protect data subjects' rights and interests under the EU (and now UK) GDPR. However, the current SCCs are deficient in that they cannot be used for processor-to-controller or processor-to-processor international personal data transfers. To plug these gaps the EU Commission prepared draft new SCCs and made them available for public consultation in early December last year. The EU Commission is expected to adopt the final version of these new SCCs in early 2021. These new SCCs are made pursuant to the EU GDPR, so EU- or EEA-based data processors can use them with UK-based data controllers, as such processors will be subject to the EU GDPR.
What action can I take to comply with new data protection rules post Brexit?
Well, that depends on the nature of your business, but practical steps which could be sensible for you to start considering now are:
- appointing an EU Representative. UK companies trading within the EU may be caught by the EU GDPR’s extra-territorial provisions (provisions which apply to companies established outside the EU). UK companies caught by these provisions are required to appoint an EU Representative. Take a look at our guest blog from Macrus Broix of Trade with Europe regarding appointing an EU Representative.
- appointing a UK Representative. EU companies which have a branch in the UK may be deemed to be established in the UK under the UK GDPR and may therefore be subject to the EU GDPR and the UK GDPR. UK companies trading with the EU may be subject to the EU GDPR. Where UK companies are caught by the EU GDPR’s extra-territorial provisions they may be required to appoint a representative in the EU.
- monitoring the status of new draft model Standard Contractual Clauses.
- checking your contracts and policies (including your privacy and cookie policies) and amending them to reflect that the UK is no longer a member of the EU and so is no longer subject to the EU GDPR but to the UK GDPR (although, as set out above, UK companies can still be caught by the EU GDPR).
Expert Brexit legal advice
If you would like to find out more about how your business should navigate the new rules and remain compliant, please contact our team of business solicitors. Call 0117 906 9400 or email email@example.com
 The EEA comprises the EU member states and also Iceland, Liechtenstein and Norway.
 A finding by the European Commission that a third country, territory, specific sector in a third country or an international organisation offers levels of data protection that are essentially equivalent to that within the EU. An adequacy decision permits a cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority (e.g. the ICO in the UK).