THE PARTING IS MORE SORROW THAN SWEET: ARE YOU READY FOR POST-EU DATA PRIVACY LAW?
The UK is scheduled to leave the EU at the end of January under Boris Johnson’s withdrawal agreement, under which the GDPR will continue to apply during the transition period until 31 December 2020.
So far, so good: the data privacy law which affects you is not fundamentally changing this year.
However, you should consider preparing for what might happen afterwards. The withdrawal agreement only requires the UK and EU to try to agree mutual data privacy law. The prospects for agreement within a year look bleak:
– A key requirement is “adequacy”: a formal recognition by the EU that domestic UK data privacy law gives individuals adequately similar protection as under the GDPR. While the UK can validly argue that it is the only non-Member State to have implemented the GDPR, the EU has concerns about the reach of UK surveillance and investigation legislation and has said it will follow the usual assessment procedure (the quickest on record is 18 months).
– However, the UK wants more than adequacy: it wants a formal treaty recognising the equivalence of UK and EU data privacy law. This is important because an adequacy decision can easily be revoked by the EU or invalidated by the European Court of Justice, unlike a treaty.
– The UK wants to continue to enjoy certain benefits of EU membership, such as membership of the “one-stop-shop” mechanism which would prevent UK businesses that interact with the EU suffering dual regulatory exposure (i.e. to both UK and EU data privacy law regimes). The EU has publicly stated that this benefit is only for Member States.
The transition period can be extended (once, by either one year or two), but this seems unlikely given the government’s public commitment to the swiftest possible exit.
If no, or only partial, agreement is reached, the GDPR will be incorporated into UK law to create a UK-specific GDPR. While its provisions would largely mirror the GDPR, it would be legally separated. UK organisations carrying out business in the EU which involves using personal data (such as selling goods or services, having a branch office or regular interaction with contacts there) may then suffer dual regulatory exposure to obligations under both UK and EU data privacy law.
Currently, UK organisations are only exposed to the EU regime (as complemented, in very limited areas, by related UK law) and only have to answer to the ICO for contraventions of data privacy law affecting individuals anywhere in the EU. Dual exposure would mean answering to other EU data privacy authorities as well as the ICO, some of which are significantly more conservative than the ICO, and potentially facing regulatory action in both the UK and EU in respect of the same contravention of data privacy law.
As a result, such UK organisations may have to take action such as:
– formally and publicly appointing an EU data privacy representative;
– implementing considerable additional contractual provisions for arrangements involving the transfer of personal data from the EU to the UK (transfers from the UK to EU will not be affected). Do not underestimate the impact of this on daily working life. For example, certain basic functions of Microsoft Outlook work by transferring personal data from Microsoft’s servers in Ireland to yours in the UK, and most international banks nominate one central data storage hub within the EU for European operations;
– nominating a lead data privacy authority (if you conduct business in more than one Member State). This could expose you to harsher domestic regulatory environments than the UK;
– updating privacy notices;
– revising legitimate interests assessments or data protection impact assessments; and
– amending e-privacy compliance measures where your online operations reach both the UK and EU.
If you conduct business in the EU or even have regular contact with people there; please contact Priya Thapar on +44 (0)20 3691 2063 or email firstname.lastname@example.org if you have any questions about the impact of leaving the EU on your data privacy obligations.
If you enjoyed this edition of Essentials, please subscribe to our new update: Big Data
Big Data will keep you up to date with all relevant developments in data privacy law, including the UK’s future relationship with the GDPR, ICO decisions and guidance and its impact on technological developments.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: email@example.com