Brexit has finally been ‘done’ but what can we data protection lawyers look forward to? Can we bin the EU General Data Protection Regulation (GDPR) along with our red EU passports?
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made in February last year to deal with post-Brexit data protection in the UK. Some of the 61 pages of regulations, which deal mainly with consequential amendments, came into force on 29 March 2019. The main provisions came into force on ‘exit day’ (31 January 2020). The implications of the regulations will not be felt until the end of the Brexit transition period (currently 31 December 2020). Until then, EU GDPR will apply as though the UK was still part of the EU. Unless the transition period is extended (which at present seems unlikely) a revision of GDPR, known as the ‘UK GDPR’, will come into force on 1 January 2021.
The EU version of GDPR contains many references to EU laws, institutions, currency and powers (among other things) which will cease to be relevant in the UK after Brexit. The regulations amend GDPR to remove these references and replace them with British equivalents where applicable. The functions that are assigned to the European Commission will be transferred to the secretary of state or the information commissioner.
The regulations also deal with post-Brexit international data transfers from the UK by amending the GDPR and adding additional provisions to the Data Protection Act 2018 (DPA 2018). Broadly, these mirror the current GDPR arrangements so that the UK will:
- Recognise all EEA/EU countries (and Gibraltar) as ‘adequate’ as well as those countries subject to an EU adequacy decision;
- Give powers to the secretary of state to determine or revoke adequacy;
- Recognise current EU Standard Contractual Clauses as valid for international transfers, but the Information Commissioner’s Office(ICO) will have the power to issue more clauses;
- Recognise all Binding Corporate Rules authorised before exit day; and
- Introduce an extraterritoriality into the UK data protection regime.