Brexit changes to the data protection regime
Following the end of the Brexit transition period (which ended on 31 December 2020), the GDPR no longer applies in the UK. However, in real terms, there are few substantive changes to UK data protection law.
The Data Protection Act 2018 (as now amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)), does now set up a separate regime under the ‘UK GDPR’ and makes certain administrative changes (for example, by substituting references to EU institutions with UK ones) to ensure the regime makes sense and remains functionally effective. However, the EU GDPR and the UK GDPR remain alike in substance.
Longer term, this will likely change. Whilst the UK government may not be considering any immediate legislative changes, the very fact that the UK courts and CJEU jurisprudence will inevitably diverge over time will have an impact. As such, businesses may wish to think carefully about how they define applicable data protection law in relevant contracts.
This is not to say that no immediate action is required and businesses should consider assessing how any changes uniquely affect them. For example, for multi-national businesses that currently rely upon Binding Corporate Rules, if the UK ICO was not the lead supervisory authority that issued their authorisation, an application to the UK ICO for a ‘UK BCR’ approval may be needed (by 31 June 2021). A review may also be needed to ensure that they meet UK (as well as EU) requirements.
One of the biggest potential impacts Brexit may have had to data protection law was that if a trade agreement had not been reached, the UK would no longer have automatically maintained uninterrupted data flows with the EU. Instead, the UK would have been a third country and businesses would have needed to consider relying upon SCCs (see our article above: Developments to the Standard Contractual Clauses) or some other lawful transfer mechanism. Thankfully, the announcement of the Brexit ‘Trade and Cooperation Agreement’ (the “Brexit Agreement”) has meant that this is not currently a concern. Under the Brexit Agreement the UK is given ‘pseudo’ adequacy for up to 4 months (extendable to 6 months unless one of the parties objects). If adequacy is not granted during this time, businesses may need to once again consider the need for SCCs etc. but this is, hopefully, unlikely.
For more information please contact Jonathan McDonald and Olivia Crane.
Our thinking
Paul Stone
Focus Antitrust - 14 April 2021
This week's competition update.
James Scott
ESG – Searching for substance behind the acronym
ESG is an acronym much used but perhaps less understood.
Caroline Swain
THE. PUB. IS. OPEN. but for how long?
Emma Humphreys
How will the commercial property market exit COVID-19 restrictions?
Paul Stone
Focus Antitrust - 7 April 2021
This week's competition update.
Rahim Hirji
No ticket, no merger: Viagogo and StubHub are one step closer to merging but must satisfy the CMA’s conditions
The £3.2bn acquisition of online ticketing company Stubhub by one of its competitors, Viagogo is one step closer to being finalised.
Paul Henty
Client alert: Construction under competition law spotlight
We outline the three investigations which have either recently concluded or are ongoing together with what this means for businesses.
Paul Stone
Focus Antitrust - 31 March 2021
This week's competition update.
Mark Bailey
CIS General Insurance Limited v IBM United Kingdom Limited - An analysis
Slow and chaotic – lessons from a digital transformation disaster in CIS General Insurance Limited v IBM United Kingdom Limited.
Paul Stone
Focus Antitrust - 24 March 2021
This week's competition update.
Adrian Mayer
Charles Russell Speechlys, Strategic Partners of the Asoko Insight West Africa's Family-Owned Business Report
The report is the most comprehensive study of Family-Owned Businesses throughout West Africa.
Paul Stone
Focus Antitrust - 17 March 2021
This week's competition update.
Anna Sowerby
Can linking to copyright material be restricted? Yes - clarity at last.
The Court of Justice of the European Union held that a copyright owner could indeed restrict linking to material.
Tanya Wilkie
Age Appropriate Design Code - Are You Ready?
The Age Appropriate Design Code aims to help ensure that children’s privacy is protected online.
Kerry Stares
Doing Business Responsibly: Food & Beverage
A return to growth will be a priority post-pandemic for F&B businesses, and doing business responsibly could help you to achieve it
Paul Stone
Focus Antitrust - 10 March 2021
This week's latest competition update.
Paul Stone
Focus Antitrust - 3 March 2021
This week's competition update.
Nia John
Ransomware: Proceed with Caution
It has been a busy few weeks for hackers and cybercrime specialists around the world.
Paul Stone
Focus Antitrust - 24 February 2021
Our weekly competition update.
Freddie Law
Advertising Standards: An Update
An update on advertising standards.