Brexit changes to the data protection regime
Following the end of the Brexit transition period (which ended on 31 December 2020), the GDPR no longer applies in the UK. However, in real terms, there are few substantive changes to UK data protection law.
The Data Protection Act 2018 (as now amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) does now set up a separate regime under the ‘UK GDPR’ and makes certain administrative changes (for example, by substituting references to EU institutions with UK ones) to ensure the regime makes sense and remains functionally effective. However, the EU GDPR and the UK GDPR remain alike in substance.
Longer term, this will likely change. Whilst the UK government may not be considering any immediate legislative changes, the very fact that the UK courts and CJEU jurisprudence will inevitably diverge over time will have an impact. As such, businesses may wish to think carefully about how they define applicable data protection law in relevant contracts.
This is not to say that no immediate action is required, and businesses should consider assessing how any changes uniquely affect them. For example, for multi-national businesses that currently rely upon Binding Corporate Rules, if the UK ICO was not the lead supervisory authority that issued their authorisation, an application to the UK ICO for a ‘UK BCR’ approval may be needed (by 31 June 2021). A review may also be needed to ensure that they meet UK (as well as EU) requirements.
One of the biggest potential impacts Brexit may have had on data protection law was that if a trade agreement had not been reached, the UK would no longer have automatically maintained uninterrupted data flows with the EU. Instead, the UK would have been a third country and businesses would have needed to consider relying upon SCCs (see our article above: Developments to the Standard Contractual Clauses) or some other lawful transfer mechanism. Thankfully, the announcement of the Brexit ‘Trade and Cooperation Agreement’ (the “Brexit Agreement”) has meant that this is not currently a concern. Under the Brexit Agreement the UK is given ‘pseudo’ adequacy for up to 4 months (extendable to 6 months unless one of the parties objects). If adequacy is not granted during this time, businesses may need to once again consider the need for SCCs etc., but this is, hopefully, unlikely.
For more information please contact Jonathan McDonald and Olivia Crane.