GDPR in the UK after Brexit
Having achieved Brexit on 31 January 2020, the UK entered a transition period which completed on 31 December 2020. Following this transition period, the UK will be independent from the EU, and the EU GDPR will cease to apply to the UK. The information below explains how GDPR and data protection is affected in the UK after Brexit, including international transfers of personal data.
This article will be updated as and when new information becomes available.
This article is part of our guidance on GDPR, which aims to help you understand the General Data Protection Regulations and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA). For information concerning UK data protection, we suggest visiting the website of the UK’s Information Commissioner’s Office (ICO)
Does the GDPR apply in the UK after Brexit?
Following Brexit and the transition period, the UK is longer regulated domestically by the GDPR.
While from 31 December 2020, the EU GDPR no longer applies in the UK, organizations based in the UK must still comply with its requirements from 01 January 2021.
To ensure the UK continues to enjoy free flow of data with the EU, the UK has legislated its own version, known as the UK-GDPR (United Kingdom General Data Protection Regulation), applicable to the UK after Brexit.
This was enabled through an amendment of the UK’s Data Protection Act (DPA) 2018, which incorporates EU GDPR requirements within the DPA 2018, enabling the EU GDPR’s requirements into UK law.
From the completion of the transition period on 31 December, 2020 may require UK organizations which process EU resident’s personal data, to:
· Appoint an EU representative
- Identify an EU-based lead supervisory authority
- Incorporate SCCs (standard contractual clauses) into any contracts governing EU–UK data transfers, and/or
- Amend policies, procedures and documentation to reflect these changes
How are international data transfers affected after Brexit?
Following Brexit, and under the EU GDPR, the UK is classified as a ‘third country’, a term used for non-member states.
Under the EU GDPR, transferring personal data of EU residents to a third country is allowed only in specific circumstances:
- Where the European Commission has stated that there is an adequate level of data protection, known as an adequacy decision.
- Where appropriate safeguards are in place, for example, BCRs (Binding Corporate Rules) or SCCs
- On approved codes of conduct. However, as of yet, no such code has been agreed for data transfers from the EU to the UK
Each of these circumstances is explained below.
Under Article 27 of the EU GDPR, organizations which monitor the behaviour of, or provide goods or services to, EU residents will also need to appoint an EU representative.
Adequacy decisions
Adequacy decisions permit the flow of personal data from the EU (and Norway, Liechtenstein and Iceland) to a third country without the need for any further safeguards.
So far, 12 adequacy decisions have been adopted by the EU Commission. These are Andorra, Argentina, Canada, The Faroe Islands, Guernsey, The Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Negotiations with South Korea are ongoing.
See European Commission Adequacy decisions
The EU Commission has not yet made an adequacy decision for data transfers from the EEA into the UK.
However, as part of the EU-UK Trade and Cooperation Agreement, a bridging mechanism has been established to permit “the continued free flow of personal data from the EU/EEA to the UK” for up to 6 months post-transition until adequacy decisions come into effect.
The UK and EU are hopeful of completing the adequacy decision process within a reasonable period. However, the adequacy decision process with Japan, the last third country to be stated by the EU as having an adequate level of data protection, took just over two years.
Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR)
The absence of an EU adequacy decision means that UK organizations which process the personal data of EU residents will have to rely on other safeguards.
- SCCs are a contract between a sender and receiver of the personal data on standard set EU-approved terms and conditions. SCCs include contractual obligations to protect personal data when it leaves the EU and the protection of GDPR.
- Data protection policies adhered to by EU organizations for transferring personal data outside the EU are known as Binding Corporate Rules (BCR). BCRs apply to a group of undertakings or enterprises, and are legally binding and enforced by every group member. BCRs must be approved by a competent data protection authority in the EU.
In most cases, safeguards can be put in place using standard contractual clauses (SCCs). BCRs are typically put in place to permit multinational groups to transfer personal data from the EEA to their affiliates outside the EU.
Transferring UK personal data to the EU/EEA
Under EU GDPR, after Brexit, there are no changes to the way personal data is sent to the EU/EEA, Gibraltar and other countries that have been deemed as having an adequate level of data protection.
Transferring UK personal data to the USA
Provision has been for the transfer of UK personal data to the US under the UK statutory instrument (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019), to preserve the EU-US Privacy Shield in the UK.
Further information on transferring data from the UK to other jurisdictions, can be found on the ICO’s website.
Transferring EU personal data to the USA via the UK (Schrems II)
The EU-US Privacy Shield permitted certified US organizations to process EU residents’ personal data. Following legal action by Max Schrems, an Austrian privacy campaigner, the ECJ (European Court of Justice) ruled the EU-US Privacy Shield invalid.
EU data controllers using US data processors, and US processors which process EU resident’s personal data, should use SCCs or BCRs (as appropriate) until an adequacy decision is reached between the EU and US, or a new code of conduct is approved.
On 16 July 2020, the ECJ (Court of Justice of the European Union, or CJEU) noted SCCs as a valid tool for transferring personal data internationally, but only if the law in the receiving country ensures adequate protection where they (with appropriate additional measures) provide for “essentially equivalent” protection as in the EU. In the absence of such safeguards, the processing must be suspended.
The information in this article will be updated as it becomes available
GDPR non-compliance penalties after Brexit
Penalties for not complying with the EU GDPR’s requirements remain unchanged after Brexit. Organizations can can incur fines of up to €20 million or 4% of annual global turnover, whichever is greater, for failing to adhere to EU GDPR when transferring personal data to third countries or international organizations.