Guest writer and all-round Data Protection guru Paul Ticher explains what happens when the UK leaves the European Union.
This Data Protection Update January 2020 is available as a download at the end of this page.
Given recent history it is perhaps unwise to assume that things will happen, just because someone says they will. But it now looks as certain as can be that the UK will leave the EU at 11.00pm on 31 January and enter a transition phase that finishes on 31 December 2020.
So, how will this affect data protection?
The answer is not much – at least for the time being – but here is a run down of how I understand things will work.
The original legislation
As we know, the current data protection regime is derived from GDPR, the EU’s General Data Protection Regulation (Regulation (EU) 2016/679).
This came into force on 25th May 2018 and, since the UK was then a member of the EU, it applied directly to the UK. (EU regulations apply as legislation; directives tell national governments to make their own legislation in line with the directive.)
Although GDPR applies across the EU, there were certain areas where it was necessary for national governments to make provisions in their domestic law, or where GDPR gave scope for national variations. In the UK this was largely accomplished through the Data Protection Act 2018 (DPA 2018) which came into force simultaneously with GDPR.
DPA 2018:
- made the necessary provisions in UK law for GDPR to work, including minor UK-specific variations;
- re-established the role and powers of the Information Commissioner;
- extended provisions similar to GDPR to law enforcement and national security, which are explicitly omitted from GDPR itself.
Alongside this there is a small piece of legislation, the Data Protection (Charges and Information) Regulations 2018, which sets up the obligation on controllers to pay an annual fee that partially funds the Information Commissioner’s Office.
So far so good. That’s where we have been up to now.
Leaving the EU
In preparation for leaving the EU, the UK passed the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which comes into force on “exit day”.
The main effect of these regulations is to replace GDPR with a ‘UK GDPR’. This keeps most of the content of GDPR but removes references to EU institutions and EU legislation. A document (known as a Keeling Schedule) is available showing what the UK GDPR will look like when the changes are made.
There are also minor changes to the Data Protection Act 2018.
But the question is, when will these changes take place? When is “exit day”? Originally, as we know, it was to be 31st March 2019, but several postponements later it is now 31st January 2020.
However, that is not the end of the story.
I am indebted to an online post by Jon Baines, Chair of the National Association of Data Protection Officers, for the following abridged elucidation.
The European Union (Withdrawal) Act 2018 (as subsequently amended) defines "Exit Day" as 31 January 2020.
However, Article 126 of the withdrawal agreement agreed between the UK and EU on 17 October 2019 says that there shall be a “transition or implementation period” which ends on 31 December 2020.
During the Implementation Period EU laws continue to apply in the UK.
Final preparations for leaving the EU are made in the European Union (Withdrawal Agreement) Act 2020, which received royal assent on 23rd January 2020.
Paragraph 1(1) of Schedule 5 to the Act provides that "Any provision in subordinate legislation …which provides … for … legislation to come into force immediately … on exit day ... is to be read instead as providing for the subordinate legislation … to come into force … on IP completion day".
This all means that the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – remember that, from the beginning of this section? – now comes into effect on 31st December 2020, and we operate under the UK GDPR from 1st January 2021.
So, after all that, nothing really changes at all until the end of 2020.
And after that, in practice, most UK organisations will see very little change, if any, from the transition to the UK GDPR.
Transferring personal data between the UK, the EU and other countries
The one area where there may be some change is trans-border data transfers.
Under GDPR there is no restriction on transferring personal data between EU countries, because they all have equivalent data protection legislation. Transfers to Norway, Iceland and Liechtenstein which, together with the EU, make up the European Economic Area, can also be made without restriction.
In addition, the EU has determined that a number of other jurisdictions have ‘adequate’ data protection legislation and therefore no restriction is required.
Those for which there is currently a full adequacy decision are: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
The European Commission has made partial findings of adequacy about Japan (private sector only), Canada (commercial organisations only) and the USA (if the recipient is signed up to the Privacy Shield arrangement).
For any other country, transfers can be made only if alternative protection is in place (such as a contract that meets specific requirements) or if one of the exceptions applies (such as consent from each individual whose data is being transferred).
The UK has already decided to accept all the current EU decisions, so the rules about transferring information from the UK won’t change, at least for now.
However, the EU has not yet made an adequacy decision about the UK itself, because there has been no need until now.
Presumably the eventual decision will be in the UK’s favour, since its legislation so closely mirrors the EU’s, but there is no guarantee that the decision will be made during the Implementation Period.
If we get to December 2020 without a decision this could pose problems for any organisation transferring personal data from the UK to a partner organisation, a subsidiary or a supplier (such as a web host) within the European Economic Area but, as they say, sufficient unto the day is the evil thereof.
Let’s wait and see.
I’m an independent specialist, with over 30 years' experience of Data Protection in the voluntary sector. However, I’m not a lawyer. This paper may not be a complete or accurate statement of the law, and it is not intended to be legal advice.
Please see my upcoming Data Protection webinars in February and March 2020.