Brexit changes to the data protection regime
Following the end of the Brexit transition period (which ended on 31 December 2020), the GDPR no longer applies in the UK. However, in real terms, there are few substantive changes to UK data protection law.
The Data Protection Act 2018 (as now amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) does now set up a separate regime under the ‘UK GDPR’ and makes certain administrative changes (for example, by substituting references to EU institutions with UK ones) to ensure the regime makes sense and remains functionally effective. However, the EU GDPR and the UK GDPR remain alike in substance.
Longer term, this will likely change. Whilst the UK government may not be considering any immediate legislative changes, the very fact that the UK courts and CJEU jurisprudence will inevitably diverge over time will have an impact. As such, businesses may wish to think carefully about how they define applicable data protection law in relevant contracts.
This is not to say that no immediate action is required, and businesses should consider assessing how any changes uniquely affect them. For example, for multi-national businesses that currently rely upon Binding Corporate Rules, if the UK ICO was not the lead supervisory authority that issued their authorisation, an application to the UK ICO for a ‘UK BCR’ approval may be needed (by 31 June 2021). A review may also be needed to ensure that they meet UK (as well as EU) requirements.
One of the biggest potential impacts Brexit may have had on data protection law was that, if a trade agreement had not been reached, the UK would no longer have automatically maintained uninterrupted data flows with the EU. Instead, the UK would have been a third country and businesses would have needed to consider relying upon SCCs or some other lawful transfer mechanism. Thankfully, the announcement of the Brexit ‘Trade and Cooperation Agreement’ (the “Brexit Agreement”) has meant that this is not currently a concern. Under the Brexit Agreement, the UK is given ‘pseudo’ adequacy for up to 4 months (extendable to 6 months unless one of the parties objects). If adequacy is not granted during this time, businesses may need to once again consider the need for SCCs etc., but this is, hopefully, unlikely.