08 January 2019
Many organisations spent a considerable amount of time and money in the lead up to May 2018 ensuring that their business models would comply with the General Data Protection Regulation - a European piece of legislation which has direct effect in the EU member states. However, as we began to creep closer to 29th March 2019, many of the same organisations sought clarification on the extent to which GDPR would continue to apply post-Brexit.
Even at a very early stage it seemed inevitable that there would be a “UK GDPR” if only from a practical perspective to allow the UK to continue to do business with, and transfer personal data to and from, the remaining EU member states.
Lynn Richmond, Partner
The European Union (Withdrawal) Act 2018 subsequently made clear that all EU legislation which had direct effect (including the GDPR) would continue to apply in the UK after Brexit. Then, in December 2018, the UK government produced a draft set of regulations (The Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU exit) Regulations 2019) which set out the changes proposed to the GDPR text when it becomes the “UK GDPR” and to the Data Protection Act 2018.
For those who spent hours (and longer) getting to grips with GDPR it will be a relief that these Regulations contain no real substantive departures from the principles of the GDPR and it is unlikely that much further work will be required by organisations who operate and process personal data within the UK.
However, the position is not quite so clear cut for organisations who transfer data to, and more importantly, receive data from the EU. Organisations that transfer data internationally will be aware that certain safeguards must be in place before personal data may be transferred outwith the EU. At present, UK based organisations can transfer personal data freely within the EU but after Brexit the UK will become a “third country” and appropriate safeguards will be required before data from the remaining EU states may be transferred to the UK. Several third countries already receive personal data from the EU where the European Commission has made an adequacy finding in respect of the country. In practice, this means that the Commission assesses that third country’s data protection laws as sufficiently robust to ensure protection of personal data and data subjects. Ironically, while the UK currently enjoys the data transfer benefits of being part of the EU, there are some question marks over if and when the UK will benefit from an adequacy finding post-Brexit. If an adequacy finding cannot be achieved in the short term, other safeguards will need to be put in place.
To keep matters interesting, 2019 is also likely to see the final version of the new ePrivacy Regulation. Originally intended to coincide with the implementation of GDPR, the ePrivacy Regulation will, somewhat later than planned, replace and update the existing Privacy and Electronic Communications Regulations. The changes will be of particular importance to organisations which carry out direct marketing. The new regulation will revise and restrict the soft opt-in rules and will also remove some of the exemptions which are currently in place for business to business marketing.
The ePrivacy Regulation is, of course, a European piece of the legislation but would automatically become law in the UK if the UK remained part of the EU. The status of the ePrivacy Regulation in the UK after Brexit will largely depend on the timing of the final version of the Regulation. However, it seems likely that regardless of the timing and irrespective of the terms of the final deal with the EU (or lack thereof), the ePrivacy Regulation will make its way into UK domestic law in one form or another. Watch this space.
Lynn Richmond is a Partner in BTO’s Data Protection Team.
Contact: Lynn Richmond, Partner lyr@bto.co.uk T: 0131 222 2939