The UK has left the EU, and the future of the UK’s data protection legislation is facing some uncertainty. Now that the Brexit transition period has ended, what does this mean for GDPR? Can businesses still transfer data outside of the UK and receive data from other countries? We explain all potential outcomes and what your organisation needs to do to maintain GDPR compliance in post-Brexit Britain.
The EU General Data Protection Regulations (GDPR) came into effect on 25 May 2018. Businesses and data controllers in the European Union (EU) and the European Economic Area (EEA) must abide by these regulations to comply with data protection law. Now that the UK has left the EU, our General Data Protection Regulations have changed.
Understanding how GDPR governance works
To understand how Brexit affects GDPR, it’s good to first understand how European countries are governed by GDPR.
The European Union (EU).
Established in 1993, the EU is an economic and political union of 27 countries. Countries in the EU are often obligated to share certain EU laws. This includes GDPR.
Although GDPR is the same throughout the EU, each country has an independent authority that upholds information rights in the interest of the public. In the UK, this was, and continues to be, the Information Commissioner’s Office.
The European Free Trade Association (EFTA).
In very simple terms, the EFTA is sort of like a smaller version of the EU. Established in 1960, the EFTA’s primary goal was to liberalise trade between member states. The EFTA used to have 10 member states, including the UK. The UK left in 1972, in favour of the European Economic Community (EEC). The EEC was later incorporated into the EU umbrella. Four countries remain in EFTA: Iceland, Liechtenstein, Norway and Switzerland.
EFTA countries are independent of the EU and they are not, by default, governed by GDPR. However, EFTA states can, if they wish, apply for membership of the European Economic Area (EEA). EEA members are governed by GDPR – more on that below.
Three of the four EFTA countries – Iceland, Liechtenstein and Norway – are EEA members, and so GDPR does apply in these countries. Switzerland on the other hand is not an EEA member, so GDPR does not apply to Swiss businesses unless processing data belonging to EEA and EU members, or sharing data with EEA countries.
EFTA’s response to Brexit indicates they are mostly open to the UK returning to EFTA. By doing so, the UK would regain access to many trade options, but would not necessarily be forced to implement EU policies such as GDPR. This is, of course, unless the UK also applied to re-join the EEA.
The current UK Government has said it has no current plans to re-join EFTA, but this could one day change.
The European Economic Area (EEA).
The EEA is made up of EU members and three of the EFTA states – Iceland, Liechtenstein and Norway. It essentially allows EEA members freedom of movement between states, trade agreements, and mutual governance in areas such as GDPR.
For a country to be a member of the EEA, it must be either part of the EU or EFTA. When the UK left the EU, the UK also ceased to be a part of the EEA. Like the EFTA countries, the UK is considered a “third country”. So, unless the UK re-joins the EFTA and then also the EEA, we do not have to be governed by the same rules. If the UK does eventually re-join EFTA but does not reapply for EEA membership, the UK may be in the same position as Switzerland regarding GDPR.
As mentioned above, the UK does not have any current plans to re-join EFTA, and thus isn’t eligible to re-join the EEA. This could mean many changes to UK data protection law in the upcoming years. But what has been agreed so far?
The Brexit Deal and GDPR – What has been agreed?
The UK left the EU – and also the EEA – on 31st January 2020. Between then and 31st December 2020, the UK and the EU had to reach a trade agreement. This trade agreement, widely known as The Brexit Deal, included data processing.
The deal for data processing says that the UK no longer has to be governed by EU GDPR. It states:
“The parties reaffirm the right to regulate within their territories to achieve legitimate policy objectives, such as the protection of public health, social services, public education, safety, the environment including climate change, public morals, social or consumer protection, privacy and data protection, or the promotion and protection of cultural diversity”.
This essentially means that the UK must achieve European data protection policy objectives, but can regulate and achieve these objectives in a way that could, if the UK chooses, differ from General Data Protection Regulations.
The UK has retained GDPR in domestic law, known now as the UK GDPR. This largely mirrors the EU GDPR so for most businesses, not much will change. However, something concerning many UK businesses is the transfer of data between the UK and EEA member states. To continue these transfers, the UK must receive approval from the European Commission in the form of an adequacy decision.
What is an adequacy decision?
An adequacy decision, outlined in Article 45(1) of the GDPR, permits cross-border data transfers out of the EU. It also permits the onward transfer from or to a party outside of the EU without further authorisation from a supervisory authority.
To ensure the UK has adequate safeguards in place to protect data belonging to EEA citizens, an adequacy decision must be reached by the European Commission. The European Commission agreed to perform an adequacy assessment as part of the UK-EU Withdrawal Agreement, but this has not yet been finalised.
In Chapter 5 of the GDPR, conditions are outlined to assess these adequacy decisions. Conditions include the country’s rules of law, respect for human rights and freedoms, relevant legislation, security measures and whether or not the country has an independent supervisory authority such as the UK’s Information Commissioner’s Office.
How will the adequacy decision affect UK businesses?
The European Commission’s adequacy decision is not yet finalised, but thus far is looking promising for the UK. If successful, the UK can continue to use UK GDPR to protect data received from the EEA. A draft decision was published on the 19th February 2021, stating:
“The Commission concludes that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom”.
However, there are some areas of concern that the European Commission needs to address before making a final decision:
- How the UK will share data from the EEA after receipt. For instance, if a French company shared data with a UK business, could the UK business pass that data on, for example, to an Australian company?
- Mass surveillance. UK law permits government agencies to access and retain bulk data on individuals who are not under any suspicion of criminal activity. EU GDPR doesn’t permit this. The UK also has a data-sharing agreement with the US, so could potentially share this surveillance information with the US National Security Agency.
Both are valid concerns and could compromise the data and consent of EEA citizens. The European Commission is expected to make a final decision on the UK’s adequacy by the end of 2021.
If adequacy is denied, transfers of data from the EEA will need to comply with EU GDPR transfer restrictions. If accepted, UK businesses can continue to operate within UK GDPR.
Another thing UK businesses should be mindful of is that any adequacy decisions are time-limited; they are valid for four years. Any changes the UK makes to Data Protection Legislation will be subject to future adequacy decisions.
What should you do to maintain GDPR compliance before an adequacy decision is reached?
EU GDPR no longer applies in the UK and has been replaced by UK GDPR. However, all core principles remain the same. This means most businesses can operate in the same way they have been doing since 2018 when EU GDPR was introduced in UK law.
There are many things you can do to maintain GDPR compliance both before and after any adequacy decision. When it comes to data, it’s always better to be safe than sorry. Think about the data your organisation processes, retains, shares, and what data needs to be destroyed.
The future of GDPR in the UK
One thing to be mindful of is if your business operates in the EEA, offers goods or services in the EEA, or monitors the behaviour of individuals in the EEA, the EU GDPR may still apply to you.
Data transfers between the UK and the EEA are unrestricted. This means your business can continue sharing data with EEA countries under UK GDPR. Transfers from the EEA to the UK, for the moment, are also unrestricted. However, this only applies until 30th June 2021. Unless the EU finalises an adequacy decision before 30th June 2021, the transfer of data from the EEA to the UK will need to meet EU GDPR transfer rules. You should therefore make sure your business has watertight data protection measures in place for the receipt of any data from EEA countries in line with the EU GDPR. As adequacy decisions are reviewed every four years, it may also be worth having a Plan B in place if your business will need to meet EU GDPR rules in the future.
To keep confidential information safe, only collect, process and share data that your organisation absolutely needs. Also, be sure not to keep any data longer than necessary “just in case”. Make sure you and your employees are controlling data in line with UK GDPR, and potentially also EU GDPR if relevant to your organisation’s operations.
It is also wise to securely destroy all personal information your business no longer needs. By using our shredding services for all data you no longer need, you will receive proof of destruction to demonstrate your organisation’s commitment to meeting data retention and destruction regulations.
For a more comprehensive look at the UK’s General Data Protection Regulations, we recommend looking through the ICO’s UK GDPR guide. We would also highly recommend regularly visiting the Information Commissioner’s Office’s website for up-to-date information on data protection now that the Brexit transition period has ended.
Sign up for our newsletter here to receive alerts about new blog articles, data protection advice, and Shred Station news. Thanks for reading!
All information is correct at the time of publication on 11/06/2021. To stay up-to-date with data protection guidelines after the date of publication, please contact the Information Commissioner’s Office.