The long-awaited Brexit agreement is here. The EU-UK Trade and Cooperation Agreement, which details the conditions of the UK’s relationship with the EU, took provisional effect on January 1, 2021. The agreement’s free trade and security frameworks have many data privacy implications; here’s what you need to know.
Not Many Changes…For Now
When Brexit was voted into law, the idea was for the UK to depart from the data protection regime of the EU’s General Data Protection Regulation (GDPR). However, in the negotiations that followed, the UK could not reach an agreement with the EU on data protection standards.
For that reason, the agreement states that personal data can flow freely between the EU and the UK for a temporary period of 4-6 months. There is talk of an additional six month period after that.
However, this interim period is conditional on the UK making no changes to its current data regulations without EU approval, meaning that the UK cannot approve new binding corporate rules or standard contractual clauses.
Even after the free-flow period expires, the agreement prohibits either party from restricting cross-border data transfers for at least three years, including localization requirements and customs duties. Furthermore, citizens in both jurisdictions will keep their current right to consent and protection against unsolicited marketing.
It All Depends on an Adequacy Decision
Regardless of the current state of free-flowing transfers, the UK is still considered a “third country” under GDPR. It is expected that the EU and the UK will reach a decision regarding the UK’s adequacy for GDPR-compliant data transfers at some point this year. Businesses should be on the lookout for the decision, as its implications are massive.
If the UK is deemed inadequate, EU data exporters will need to go out of their way to ensure that UK data transfers are handled with the care required by GDPR. Certain safeguards will need to be put in place to make this happen, which must then be approved by an EU enforcement authority.
Businesses can’t rule out this potential scenario, especially in light of the Schrems II decision, which set the precedent that certain national security laws are incompatible with GDPR. Nevertheless, if the UK is deemed adequate, expect more of the same regarding data transfers.
Companies Should Regroup
The most obvious change for companies is in personnel. Any data protection employee hired to represent the EU no longer has the UK under their jurisdiction. To account for this, companies may need to hire an additional representative for the UK if they hope to remain in compliance. This applies to companies established in the UK and those that process data from UK citizens for the purposes of selling goods or services, or monitoring their behavior.
Under GDPR, companies could rely on the UK’s Information Commissioner’s Office (ICO) as their EU data privacy authority. That useful one-stop shop is no longer available under GDPR, meaning that the UK will need to establish a new authority.
This rule can be enforced in reverse. Any binding corporate rules or standard contractual clauses previously approved by the ICO must be approved by another EU authority to remain in compliance with GDPR. Unfortunately, it can’t just be any authority. To start the application process, companies must present a case as to why the selected authority is an appropriate alternative to the ICO.