What Happens to GDPR After Brexit in the UK?
On January 1 2021, the UK formally and effectively left the European Union. The UK is now a “third country” under the EU’s GDPR (i.e., outside the EU). As a result, The EU-GDPR is an EU regulation and it no longer applies to the UK.
The general data protection regime under UK law has been modified to address the EU-GDPR's removal from domestic applicability. The regulations amended the Data Protection Act (DPA) 2018 and merged it with the EU GDPR requirements to form a new, UK-specific data protection regime that works in a UK context after Brexit.
This new regulatory framework for UK data protection is known as UK-GDPR.
Are the EU-GDPR and the UK-GDPR Same? Is There Now a Difference Between These Two Laws?
The new UK-GDPR is nearly identical to the EU-GDPR. However, it is independent UK legislation governed and enforced by the UK data protection agencies and does not influence EU authorities.
It is based on the same legal language as the EU GDPR, but with the parts of the text that read EU and Union law replaced with the UK and domestic law. The UK-GDPR merge the two pre-existing regimes for personal data protection, namely, EU-GDPR and the DPA 2018.
The UK-GDPR took core provisions from EU-GDPR in terms of:
- Principles relating to the lawfulness of data processing (Article 5),
- Rules around the processing of special categories of personal data (Article 9),
- Conditions for consent (Article 7),
- Exception of the valid age of consent (Article 8) that is lowered to 13 years in the UK-GDPR from 16 years in the EU-GDPR, and
- The rights of the data subject (Articles 15-22).
The DPA 2018 has also been incorporated into the UK-GDPR, and it addresses the areas of law enforcement, intelligence services and immigration that EU-GDPR did not cover.
What Will Be the Impact of the Transition From EU-GDPR to UK-GDPR on UK Businesses?
While transiting from EU-GDPR into the UK-GDPR, organizations based in the UK will need to address the following areas in their DPAs and privacy policies:
-
International Transfer of Personal Data From the UK to Other Countries
A) Transfer of data from the UK to the EEA is permitted.
B) Transfers of data from the EU to the UK are also permitted following the UK adequacy decision from June 2021, ensuring unrestricted personal data flow between the EU and UK for four years (till June 2025).
C) Transfers of data from the UK to third countries (i.e., the US, Canada, etc.) are addressed by the UK government, who confirmed UK organizations can rely on the same transfer mechanisms as under the EU GDPR, i.e., adequacy decision, appropriate safeguards and exceptions.
-
The Possible Need to Appoint a Representative in the EEA
EU Representatives act as a point of contact for Lead Supervisory Authorities and data subjects. They need to be established in an EEA member state where the data subjects are based. UK businesses may now need to appoint an EU representative if:
A) They are offering goods and services or monitoring behavior of EU residents, AND
B) They don’t have a branch, office or establishment within the EEA.
How Can Websites Be Compliant With the UK-GDPR?
The UK-GDPR, like the EU-GDPR, requires websites to get users' prior consent before processing any of their personal data through cookies and third-party trackers. Also, website privacy policies must be updated to reflect that the company is fully aware of the UK-GDPR regulations and has applied them in their business activities.
"Website privacy policies must be updated to reflect that the company is fully aware of the UK-GDPR regulations"
Do Additional EU Regulations Apply Now That the UK Has Left the EU?
In addition to the UK-GDPR, the following laws apply to UK businesses:
1) PECR
Yes, it applies. PECR (Privacy and Electronic Communications Regulations) is UK legislation derived from the EU’s law e-privacy directive.
2) NIS
Yes, it applies. NIS (Network and Information Systems) is based on EU legislation but is incorporated into UK law.
3) eIDAS
Yes, but The UK eIDAS (electronic identification and trust services) regulations are an amended form of the EU eIDAS Regulation and retain many aspects of the EU regulation but are tailored for use within the UK.
4) FOIA
The Freedom of Information Act 2000 forms part of UK law and will continue to apply.
5) EIR
The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law but are set out in UK law.
What Are Some of the Expected Data Protection Reforms From UK Authorities?
The government has indicated that Britain will aim to break away from European data protection requirements as it revamps its policies following Brexit. Some of the expected reforms are:
-
Revamp Cookie Consent Pop-Ups
When faced with cookie pop-ups on the internet, users typically select 'I agree,' indicating that many users do not engage with privacy information and simply accept the terms or use of cookies because they want to access the website. Therefore, the ICO has proposed a mechanism consisting of web browsers, software apps, and device settings that allow users to select long-term privacy preferences instead of through pop-ups every time they visit a website. This will ensure that privacy preferences are respected while simultaneously improving user browsing experiences and removing friction for businesses.
-
Create a New ‘Legal Basis’ for the Following Data Processing Activities
A) Monitoring, detecting or correcting bias in AI systems,
B) Using personal data for internal research and development purposes or business innovation purposes aimed at improving services for customers, and
C) Managing or maintaining a database to ensure the records of individuals are accurate.
-
Article 30 Record-Keeping Restrictions Are to Be Repealed
The record-keeping procedures are given additional flexibility based on the volume and sensitivity of personal data.
-
Raising the Threshold for Reporting Data Breaches to the ICO
Where the risk to individuals is considered "material," the government intends to request that the ICO provides guidance and examples of what is and is not reportable.
Since Its Implementation, Has Anyone Faced a Penalty for Violating UK-GDPR?
A man was fined under the UK-GDPR after his Amazon Ring doorbell system captured data on his neighbor. Amazon has since responded, issuing a statement asking product owners to "respect their neighbors' privacy and comply with any applicable laws." A British man installed his Ring camera on his shed, which captured video and audio of his neighbor from up to 68 feet away. A judge ruled the man violated UK-GDPR and that the Ring contributed to harassment.
We hope these commonly asked questions help you to understand the post-Brexit data protection regulations. Ultimately, ensuring that companies go through regular IT security and compliance health checks, security education and training and ongoing improvements across people, processes and technology controls is the way forward. This will ensure that company culture is improving and regulation and privacy compliance objectives are being met regularly. Otherwise, compliance remains a tick in the box, and we have many examples where compliance-certified companies incurred data losses and led to breaches.
Let’s hope the expected reforms ensure long-term privacy improvements, a step further than the solid ground built by GDPR so far.