Data Protection law in the UK post-Brexit consists mainly of the UK GDPR and the Data Protection Act 2018 as revised by the Brexit legislation. Below we explain how Brexit changed the situation in the UK, what it means for different countries, and provide a brief overview of the two main pieces of legislation now in place.
Prior to Brexit, the UK was a member state of the European Union and so was subject to its laws. In 1995 the EU created the Data Protection Directive which, rather than becoming law directly in all member states, instead provided what was effectively a specification for each member state to introduce their own law concerning data protection. Accordingly, the UK brought in the Data Protection Act in 1998 as its implementation of the Directive, and other EU countries enacted their equivalents. Many years passed and technology moved on relentlessly, blurring the lines of data protection as it went. To catch up (and to simplify the situation where each member state had slightly differing laws), the EU created the General Data Protection Regulation (GDPR) in 2016 and this became law within the EU on 25 May 2018. The GDPR, being a Regulation rather than a Directive, directly applied to all of the EU without needing a separate local law to be passed in each member state. However, the GDPR did allow for some variations within each country, such as the age of a child for data protection purposes (default 16, but this could be as low as 13). Partly to specify what these were in the UK, the government introduced an update to the Data Protection Act in 2018. So, prior to Brexit, data protection law in the UK was defined mainly by a combination of the GDPR and the Data Protection Act 2018 (there are also laws called the PECR and NIS, but we won’t be discussing these here). The combination of the GDPR and the changes to it introduced by the Data Protection Act 2018 are sometimes referred to as the “applied GDPR”.
Once Brexit was decided upon, the UK started the preparations for the UK to leave the EU. From a data protection point of view, the main piece of legislation they passed was called “The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019”. These regulations set out the changes that would be made to current UK laws to adapt them to the fact that the UK was leaving the EU. In basic terms, what they did was to create the “UK GDPR” (as distinct from the “EU GDPR”) and make changes to the DPA 2018. The intention is that UK data protection law remains the same as EU law, at least in the short term, so most of the changes are simply replacing references to the EU and its institutions with their UK equivalents. So, after Brexit, data protection law in the UK is defined mainly by a combination of the UK GDPR and the (revised) Data Protection Act 2018.
So what does this mean for organisations in the UK, the EU and elsewhere that need to comply with relevant data protection law? The first thing to say is that the original EU GDPR is still very much alive and must still be complied with by all organisations that process the personal data of EU citizens, wherever they are based. The second point is that the situation is still evolving, and political changes may be made, sometimes at short notice, that affect what needs to be done to stay compliant with data protection law. The general guidance depends mainly on where your organisation is based, and the personal data it processes.
If you’re an organisation based in the UK, and you’re processing the personal data of UK citizens only, then you will just need to comply with the UK GDPR and DPA 2018. If you transfer the personal data of UK citizens outside the UK, including to the EU, then you will need to look at the basis used for the transfer. The good news is that the UK trusts the EU data protection regime, so transfers to the EU are covered by a UK adequacy decision, which means that little additional justification is required. If you do process the personal data of EU citizens, then the EU GDPR will continue to apply to you in addition to UK law, and you may need to nominate a representative within the EU. In this case, you will also need to look at any transfers of EU personal data you perform to the UK. Under the treaty negotiated between the EU and the UK at the end of 2020, a six-month period was agreed during which personal data may flow freely from the EEA (The European Economic Area, which consists of the EU member states plus Norway, Iceland and Liechtenstein) to the UK, as before Brexit. After this period expires however, if there is no new EU adequacy decision in favour of the UK, you will need to look at how these transfers will be legally covered.
For organisations based in the EU, and processing the personal data of EU citizens only, largely nothing changes. The EU GDPR still applies; the main aspect such organisations may need to review is in the situation where they transfer personal data to the UK, perhaps for processing. If this will continue then they will need to look at the basis that covers the transfer. Previously the UK was part of the EU, so it wasn’t a problem. After Brexit however, a number of situations may arise, once the previously-stated six-month grace period for transfers has expired. The simplest of these is that the EU grants an adequacy decision in favour of the UK which means that it considers UK data protection law to be “good enough”, and transfers can continue. If this doesn’t happen, then appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) may be appropriate or an organisation may be able to apply an exception to the transfer. Each of these options will need to be looked at, with their relevant pros and cons. If your organisation not only processes the personal data of EU citizens, but also of UK citizens, then you will need to comply not only with the EU GDPR, but also with UK data protection laws. The main one of these is the UK GDPR which, as the name suggests, is (deliberately) very heavily based on the EU GDPR. You may need to appoint a representative in the UK who will act for you in interfacing with the UK Information Commissioner’s Office (ICO) which wasn’t needed previously.
If your organisation is neither in the EU or the UK then the main change will be that you will need to start to consider the two as separate entities, potentially appointing representatives in both (assuming you process the personal data of both UK and EU citizens). If you don’t operate in the UK, then there will be little change, unless you transfer EU data to a processor in the UK perhaps (in which case you may need to cover that transfer with appropriate safeguards, such as SCCs, or an exception). Similarly, if your organisation targets customers only in the UK then you will need to keep track of any divergence between UK and EU data protection law as time goes by (initially they may be considered to be the same).
The data protection laws in the USA are not currently seen by the EU or the UK as adequate and, up until recently, a special scheme called the EU-US Privacy Shield was in place to allow the transfer of personal data to the USA. However, in July 2020 the Court of Justice of the European Union (CJEU) made a judgement on a case brought by an Austrian privacy activist called Schrems that meant that the EU-US Privacy Shield scheme was no longer available to US organisations wishing to accept transfers of EU personal data. As a result, organisations making transfers to the US under the scheme must find an alternative way to make such transfers legal under both the EU and (post Brexit) the UK GDPR. The most common way to do this is using standard contractual clauses, although this approach must be accompanied with a risk assessment to show that the level of protection provided by the SCCs is adequate. Within the UK it’s possible that the EU-US Privacy Shield may be replaced with a revised mechanism at some point, subject to negotiations between the UK and the US government. However, the reason that this case is referred to as “Schrems II” is because Maximillian Schrems also had a hand in the demise of the Privacy Shield’s predecessor which was called “Safe Harbor”, so any new schemes are likely to have a similarly uncertain and controversial future.
The first thing to say about the UK GDPR is that it doesn’t actually exist as a separate document that is published by the UK government. This may seem strange, but it’s due to the way that such amendments work in the UK legal system; laws remain in their original form and must be considered in conjunction with changes to them until they are “consolidated”.
According to published guidance, at the moment there are no plans to consolidate either the UK GDPR or the Data Protection Act. To see the contents of the UK GDPR, it is necessary to start with the EU GDPR and then look at the changes made to it by the read.
To make referencing the UK GDPR easier, CertiKit has produced a more readable version that shows the revised document, with the changes incorporated but not marked up, and this is included in the Toolkit (along with the originals).
The original EU GDPR 2016 document is eighty-eight pages long and consists of two main parts:
In comparison, the UK GDPR does without the recitals completely and removes many of the articles that deal with the workings of the EU data protection mechanisms, so it’s much shorter, with a total of thirty-two articles removed for just one added, making a total of sixty-eight.
The UK GDPR establishes several principles that underpin the legislation and are outlined using the following terms (with our quick summary given after each):
If you always keep these principles in mind, you’re unlikely to fall foul of the UK GDPR.
The Data Protection Act 2018, as it is revised by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, adds a layer of additional clarification to various points stated in the UK GDPR. These largely revolve around the definition of terms such as “public body” or “public authority” in a UK context, how UK law applies to the articles, powers of the Secretary of State (including regarding international transfers), and various other specific issues. All of these points can be found in Part 2, Chapters 1 and 2 of the Act. The rest of the Act, which is lengthy (7 Parts in all, with a further twenty Schedules), largely covers areas not generally relevant to a non-public sector organisation looking to remain compliant, such as law enforcement processing, intelligence services processing, the Information Commissioner and enforcement.
For a fuller understanding, we’d advise reading the UK GDPR in conjunction with our UK Data Protection Implementation Guide (downloadable for free below), with the revised Data Protection Act 2018 on hand too. The revised text of the DPA 2018 Part 1 and 2 (chapters 1 and 2) is also included in the CertiKit Toolkit
Learn more about complying to UK Data Protection with our free implementation guide: