With 2021 coming to a close and the advent of the UK formally leaving the EU upon us, we can look back over the past year and marvel at the trials and tribulations that Brexit has brought. Brexit has certainly shaken up all areas of industry in the UK and Data Protection has been no different. In this blog we look back at some of the uncertainties we had around how Brexit would affect the industry, and how these have played out in reality.
Following months and months of discussions, the prospect of a “no deal” Brexit almost became a reality until, quite literally, a deal was finally struck in the eleventh hour on the 24th of December 2020. On the 1st of January, the UK GDPR came into force as enacted by the Data Protection Act 2018, which meant that UK data protection law virtually mirrored its EU counterpart.
In addition, although Michael Gove clearly stated in June 2020 that there was not going to be an extension of the transition period, for all intents and purposes the 6-month “bridging period” which resulted from the last-minute deal, in data protection terms at least, did just that. This bridging period meant that organisations who had been transferring personal data from the EU to the UK could continue to do so with no additional safeguards in place and had six months to get their ducks in a row in preparation for when a transfer mechanism would then be required. From the EU’s perspective, this gave it the necessary time to conduct an adequacy assessment on the UK, now a third country.
After the UK became a third country on the 1st of January 2021, as expected, the UK GDPR introduced its own Representation requirement by virtue of its own Article 27. Another impact of the UK’s exodus was that organisations who processed EU residents’ personal data and had previously evaded the requirement to appoint an EU Representative by virtue of their establishment in the UK, could evade representation no longer. Whilst this was expected, once the bridging period was introduced there was a degree of uncertainty around when this requirement would kick in; turned out, it was right away.
One of the biggest Brexit conundrums that has plagued UK DPOs since the very beginning has been the question of whether the UK, once a third country, would be granted adequacy by the EU. Whilst perhaps initially considered a foregone conclusion that the UK would be granted adequacy, this was jeopardised after the Schrems II decision invalidated the US-EU Privacy Shield based upon the US’ mass surveillance laws being deemed non-compliant with the EU GDPR – laws that are not dissimilar to the UK’s.
Fortunately, after waiting with bated breath, the UK privacy industry’s prayers were answered and, again at the eleventh hour (a mere two days before the bridging period came to an end), the EU deemed the UK adequate in June… at least for now.
Aside from the questions around the UK’s own adequate status, there was also ambiguity around which countries the UK would deem adequate, now that it could make its own adequacy decisions. Ultimately, the UK copied the EU’s homework by simply deeming adequate any country with an adequate status from the EU, plus the EU itself. However, we suspect it won’t be long before the UK’s list begins expanding at a far faster rate than its EU counterpart.
When it came to the use of alternative transfer mechanisms, namely, Standard Contractual Clauses (SCCs), confusion certainly reigned for a good portion of 2021. Without the UK having its own SCCs in place when it left the EU, UK organisations were able to carry on using the EU’s versions, albeit tweaked to reflect the UK GDPR’s applicability. This would have been simple, had it not been for the Schrems II decision in 2020 which called into question the validity of these SCCs.
Triggered by this case, the EU introduced a new set of SCCs in June 2021 that it stated now complied with the Schrems II decision. This sounded great, however, as the UK had left the EU by this point, UK organisations were prevented from using them. Instead, they were allowed to continue using the old, non-compliant, SCCs until the UK produced its own. The UK has since published its draft SCCs which should come into force early in 2022 but this is an area that still has not been fully resolved.
Whilst it has always been clear that the ePrivacy Directive would continue to impact the UK post-Brexit, due to it being transposed into UK law through the Privacy and Electronic Communication Regulation (PECR), the UK now being free to diverge away from the Directive as it sees fit has brought with it uncertainty. How the UK will develop its laws in this area still remains to be seen, however, if the recent DCMS consultation is anything to go by, the UK may very well be disposing of many of the rules contained in the existing PECR.
Questions also remain over to what extent, if any, the UK will choose to align its own regulation with the EU’s new ePrivacy and AI Regulations, which are both yet to come into effect.
What happens next?
It is certainly no overstatement to say that Brexit shook up the UK’s data protection landscape, bringing with it a fair share of uncertainty, anxiety and confusion. However, one year on and as we move into 2022, it appears that the dust has settled at least somewhat.
But, a question that very much still remains unanswered is to what extent the UK will now diverge away from the EU’s data protection regime. If the DCMS’ recent consultation is anything to go by, not to mention the UK Secretary of State Nadine Dorries’ recent statement about “deepening the data partnership” between the UK and the US, it appears that there is clear intention to diverge quite dramatically.
Whilst it remains to be seen how exactly this divergence will manifest itself, it is fair to say that when deciding how to move away from the EU’s restrictions, the UK will have in mind its goal of becoming a “global AI superpower”.
The above uncertainties all also play into the wider question of whether the UK will keep its adequate status granted by the EU. Whilst the UK government has been extremely bold over recent months in their proposed reforms of UK data protection law, a delicate balance must be struck if it wants to keep its adequate status. If the UK does choose to implement the significant changes proposed in the DCMS’ consultation document, the UK’s adequate status will likely be left hanging by a thread.
For now, we just have to wait to see the result of the consultation, as well as what else 2022 has in store.