The UK has left the EU, so what does this mean for the future of the UK’s data protection legislation? Now that the Brexit transition period has ended, what does this mean for GDPR? Can businesses still transfer data outside of the UK and receive data from other countries? We explain all potential outcomes and what your organisation needs to do to maintain GDPR compliance in post-Brexit Britain.
The EU General Data Protection Regulations (GDPR) came into effect on 25 May 2018. Businesses and data controllers in the European Union (EU) and the European Economic Area (EEA) must abide by these regulations to comply with data protection law. Now that the UK has left the EU, our General Data Protection Regulations have changed slightly.
Understanding how GDPR governance works
To understand how Brexit affects GDPR, it’s good to first understand how European countries are governed by GDPR.
The European Union (EU)
Established in 1993, the EU is an economic and political union of 27 countries. Countries in the EU are often obligated to adopt certain EU laws. This includes GDPR.
Although GDPR is the same throughout the EU, each country has an independent authority that upholds information rights in the interest of the public. In the UK, this was, and continues to be, the Information Commissioner’s Office.
The European Free Trade Association (EFTA)
In very simple terms, the EFTA is sort of like a smaller version of the EU. Established in 1960, the EFTA’s primary goal was to liberalise trade between member states. The EFTA used to have 10 member states, including the UK. The UK left in 1972, in favour of the European Economic Community (EEC). The EEC was later incorporated into the EU umbrella. Four countries remain in EFTA: Iceland, Liechtenstein, Norway and Switzerland.
EFTA countries are independent of the EU and they are not, by default, governed by GDPR. However, EFTA states can, if they wish, apply for membership of the European Economic Area (EEA). EEA members are governed by GDPR – more on that below.
Three of the four EFTA countries – Iceland, Liechtenstein and Norway – are EEA members, and so GDPR does apply in these countries. Switzerland, on the other hand, is not an EEA member, so GDPR does not apply to Swiss businesses unless they process data belonging to EEA and EU members, or share data with EEA countries.
EFTA’s response to Brexit indicates they are mostly open to the UK returning to EFTA. By doing so, the UK would regain access to many trade options, but would not necessarily be forced to implement EU policies such as GDPR. This is, of course, unless the UK also applied to re-join the EEA.
The current UK Government has said it has no current plans to re-join EFTA, but this could one day change.
The European Economic Area (EEA)
The EEA is made up of EU members and three of the EFTA states – Iceland, Liechtenstein and Norway. It essentially allows EEA members freedom of movement between states, trade agreements, and mutual governance in areas such as GDPR.
For a country to be a member of the EEA, it must be either part of the EU or EFTA. When the UK left the EU, the UK also ceased to be a part of the EEA. Like the EFTA countries, the UK is considered a “third country”. So, unless the UK re-joins the EFTA and then also the EEA, we do not have to be governed by the same rules. If the UK does eventually re-join EFTA but does not reapply for EEA membership, the UK may be in the same position as Switzerland regarding GDPR.
As mentioned above, the UK does not have any current plans to re-join EFTA, and thus isn’t eligible to re-join the EEA. This could mean many changes to UK data protection law in the upcoming years. But what has been agreed so far?
The Brexit Deal and GDPR – What has been agreed?
The UK left the EU – and also the EEA – on 31st January 2020. Between then and 31st December 2020, the UK and the EU had to reach a trade agreement. This trade agreement, widely known as The Brexit Deal, included data processing.
The deal for data processing says that the UK no longer has to be governed by EU GDPR. It states:
“The parties reaffirm the right to regulate within their territories to achieve legitimate policy objectives, such as the protection of public health, social services, public education, safety, the environment including climate change, public morals, social or consumer protection, privacy and data protection, or the promotion and protection of cultural diversity”.
This essentially means that the UK must achieve European data protection policy objectives, but can regulate and achieve these objectives in a way that could, if the UK chooses, differ from General Data Protection Regulations.
The UK has retained GDPR in domestic law, known now as the UK GDPR. This largely mirrors the EU GDPR so for most businesses, not much will change. However, something concerning many UK businesses is the transfer of data between the UK and EEA member states. To continue these transfers, the UK must receive approval from the European Commission in the form of an adequacy decision.
What is an adequacy decision?
An adequacy decision, outlined in Article 45(1) of the GDPR, permits cross-border data transfers out of the EU. It also permits the onward transfer from or to a party outside of the EU without further authorisation from a supervisory authority.
To ensure the UK has adequate safeguards in place to protect data belonging to EEA citizens, an adequacy decision must be reached by the European Commission. The European Commission agreed to perform an adequacy assessment as part of the UK-EU Withdrawal Agreement.
In Chapter 5 of the GDPR, conditions are outlined to assess these adequacy decisions. Conditions include the country’s rules of law, respect for human rights and freedoms, relevant legislation, security measures and whether or not the country has an independent supervisory authority such as the UK’s Information Commissioner’s Office.
How will the adequacy decision affect UK businesses?
In great news for UK businesses, the European Commission’s adequacy decision was approved on 28th June 2021. This means the UK can continue to use UK GDPR to protect data received from the EEA, as it was determined that our data protection laws are robust enough to ensure the safe flow of data. The decision, published on 28th June 2021, states:
“The Commission has today adopted two adequacy decisions for the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.”
However, there are some areas of note in the European Commission’s decision:
- Transfers for the purposes of UK immigration control. These are excluded from the scope of the adequacy decision.
- Mass surveillance. UK law permits government agencies to access and retain bulk data on individuals who are not under any suspicion of criminal activity. EU GDPR doesn’t permit this. However, it is covered by the adequacy decision, provided the collection of this intelligence is authorised by an independent judicial body.
- This decision includes a ‘sunset clause’, limiting the duration of the decision to just four years. After that, it will expire and must be renewed. This means that every four years, the UK’s data protection rules regarding EEA data transfers could change.
What should you do to maintain GDPR compliance now that an adequacy decision has been reached?
EU GDPR no longer applies in the UK and has been replaced by UK GDPR. However, all core principles remain the same. This means most businesses can operate in the same way they have been doing since 2018 when EU GDPR was introduced in UK law.
There are many things you can do to maintain GDPR compliance both before and after any future adequacy decision. When it comes to data, it’s always better to be safe than sorry. Think about what data your organisation processes, retains and shares, and what data needs to be destroyed.
The future of GDPR in the UK
Elizabeth Denham, Information Commissioner, said with regard to the adequacy decision:
“This is a positive result for UK businesses and organisations. Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices. Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.”
“The result is also a testament to the strength of the UK’s data protection regime.”
One thing to be mindful of: if your business operates in the EEA, offers goods or services in the EEA, or monitors the behaviour of individuals in the EEA, future adequacy decisions may affect your data processing. As adequacy decisions are reviewed every four years, it may be worth having a Plan B in place in case your business needs to meet EU GDPR rules in the future.
To keep confidential information safe, only collect, process and share data that your organisation absolutely needs. Also, be sure not to keep any data longer than necessary “just in case”. Make sure you and your employees are controlling data in line with UK GDPR and data protection law.
It is also wise to securely destroy all personal information your business no longer needs. By using our shredding services for all data you no longer need, you will receive proof of destruction to demonstrate your organisation’s commitment to meeting data retention and destruction regulations.
For a more comprehensive look at the UK’s General Data Protection Regulations, we recommend looking through the ICO’s UK GDPR guide. We would also highly recommend regularly visiting the Information Commissioner’s Office’s website for up-to-date information on data protection now that the Brexit transition period has ended.
All information is correct at the time of publication update on 29th June 2021. To stay up-to-date with data protection guidelines after the date of publication, please contact the Information Commissioner’s Office.