There is no doubt that we are living in times of great uncertainty. Uncertainty about the long-term effects of Coronavirus, uncertainty about the ecology of our planet, and, if you live and work in the UK, there’s the worrying uncertainty concerning Brexit – leaving the European Union.
Let’s face it. We are hardwired to hate uncertainty.
A new study shows that uncertainty is even more stressful than knowing something bad is definitely going to happen. But we can all get over it, according to neuroscientist and developmental psychologist Marc Lewis.
Now, we’re not about to get into the science behind our feelings of uncertainty. What we are going to do is deal with the uncertainty posed by Brexit and hopefully, provide a clearer understanding of what the data privacy landscape will look like once the UK has fully left the European Union.
What privacy laws will the UK apply to protect personal data after 31 December 2020?
The subject of what data privacy law will apply once the UK leaves the EU remains a mystery to many businesses across the nation.
At present, the UK operates under the GDPR supported by the Data Protection Act (DPA) 2018, which adds various exemptions that enable the GDPR to fit neatly into the UK puzzle, e.g. in situations where issues of national security apply.
There is a common misconception that the UK’s Data Protection Act (DPA) 2018 incorporates the General Data Protection Regulation (GDPR) into UK law after Brexit. However, this is a false assumption, according to the majority of privacy lawyers; this will be managed by the EU (Withdrawal Agreement) Act. The DPA serves the vital purpose of administering a data processing framework for law enforcement and intelligence services processing. This is done in accordance with the EU Law Enforcement Directive.
At this point, the Data Protection Act (DPA) 2018 will continue to function in parallel with the GDPR. According to Ashley Winton, partner at international law firm McDermott Will & Emery, and chairman of the Data Protection Forum, although the UK’s data protection position will seem relatively straightforward as far as the consumer is concerned, the legal position for organisations will be complicated by overlapping legislation. Winton says:
The DPA 2018 introduces the concept of the ‘Applied GDPR’. This is a UK version of the GDPR which will apply as UK law, but only applies in very specialist circumstances: primarily for certain national security or defence purposes. The Data Protection, Privacy and Electronic Communications [Amendments etc] [EU Exit] Regulations 2019 will adapt the GDPR to form the ‘UK GDPR’, which will govern the majority of the data protection processing in the UK.
One of the central principles of the Leave campaign was the conception that the UK could take back control of its laws. This has since prompted numerous questions over whether the UK would seek amendments to established EU laws after leaving the bloc.
Apart from some minor administrative amendments to the GDPR, such as changing references to ‘Union law’ to ‘domestic law’, it is quite possible that more significant changes could follow.
UK Prime Minister Boris Johnson has previously stated that the UK will seek to create ‘separate and independent policies in areas such as data protection’. Yet, on the other hand, the UK Government has also committed in the Political Declaration on the future UK-EU relationship to ensure ‘a high level of personal data protection’.
How will UK businesses transfer data to other countries?
The GDPR has been grafted into UK law and therefore certain restrictions will still apply when agreeing transfers of personal data to other countries. The UK Government has already confirmed that it will deem all European Economic Area (EEA) countries as having ‘adequate’ data laws. Personal data transferred from the UK to the EEA is likely to remain intact following the transition period and businesses will not be required to make any adjustments. The same arrangement is also extended to the 12 countries outside the EEA with which the EU has already signed adequacy agreements.
Once the transition period has ended, the UK is expected to begin building its own processes for the transfer of data to countries not already covered. Such processes will still need to be compliant with GDPR principles.
For data transfers to other countries, a transfer mechanism needs to be in place. This means data sharing between a post-Brexit UK and Brazil — not currently recognised as adequate by the EU — will need to be covered by one of these mechanisms. In the short term, the UK will retain the existing European Commission-approved adequacy mechanisms, including model contract clauses and legally binding rules.
Are data transfers from the EU likely to be disrupted when the transition period ends?
As mentioned above, the UK has already made clear that it will deem EEA countries as being ‘adequate’, ensuring that the flow of data after Brexit can be maintained. There is therefore nothing to indicate that data flowing from the UK to the EU will be hampered.
Although at the present time there is every indication that this will be reciprocated, the EU has yet to confirm this. Moreover, no one can say how long it could take to secure an adequacy agreement once the go-ahead is given.
The UK is not alone in this situation, as there are a number of other countries awaiting adequacy. However, “according to the black letter of the law on adequacy, the UK is adequate and should be judged as so,” says Alexander Milner-Smith, partner and co-head of the Data & Privacy Group at law firm Lewis Silkin.
Will UK businesses that need to share data with the US need to use Privacy Shield?
As of July this year, mechanisms to transfer data out of the EU are stuck in a legal quagmire. Europe’s top court handed down a blistering verdict on US surveillance powers, ruling that EU data would not be safe from snooping under a transatlantic data protection agreement.
The court’s ruling cancels the Privacy Shield agreement, and in the process, throws billions of dollars in digital trade into legal limbo, reigniting a five-year argument over surveillance resulting from whistle-blower Edward Snowden’s revelations concerning American spying.
The Court of Justice of the European Union ruled that Privacy Shield — which replaced an earlier data transfer agreement called Safe Harbor — did not offer adequate protection for EU data when it was shipped overseas because U.S. surveillance laws were too intrusive.
And so the question arises: what will replace the Privacy Shield? Who knows?
One thing is for sure. It is in the UK’s interest to maintain the free flow of data with the US. However, this must be weighed against the need to maintain strong data protection laws in order for the UK to maintain its adequacy status.
According to an article by Politico last month, ‘So far, both sides have struck conciliatory notes. A senior U.S. official told POLITICO that Washington was ready to revisit privacy protection for EU data if Privacy Shield was struck down. And Didier Reynders, the European commissioner in charge of data protection, said after the ruling that he would discuss it with U.S. counterparts with an eye to finding a new deal.
For the European Commission, which backed Privacy Shield as a workable mechanism, the ruling amounts to a powerful new rebuke just one day after the EU court shot down a €13 billion tax ruling against Apple.
Officials are scrambling to keep data flows free with the EU after Brexit. But campaigners have long questioned whether intrusive surveillance laws in the U.K. are acceptable for the EU, and the Privacy Shield judgment today raises the bar for any deal between London and Brussels.’
Will the UK be Free to Create its Own Privacy Laws Post-Brexit?
The Brexit transition period will last until 31 December 2020, when the new EU-UK relationship will begin. The deadline for extending the transition has now passed.
When this transition period ends, the UK will automatically drop out of the EU’s main trading arrangements – the single market and the customs union. And while this will also signal the beginning of a new period of independent law-making, legal experts agree that the EU’s presence will continue to be felt in UK data privacy regulations.
If the UK wants to maintain its EU adequacy status it may not be completely free to decide its own regulations. It is extremely likely that its data privacy laws will need to remain in parity with those of the EU, albeit not to the extent of being word-for-word.
Some legal experts are of the opinion that if the UK tries to create purely domestic data privacy regulations that are detached from the EU, it is possible that businesses may find themselves juggling multiple data privacy laws when processing older datasets.
Such a scenario would give the EU the upper hand, making it possible for the bloc to continue applying pressure over what privacy laws are adopted in the UK.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy/data protection practitioner as well as legal counsel when seeking to comply with data privacy laws.