You might think that Brexit meant the death of GDPR, but like a Zombie, it’s following us around waiting to bite. You see, it’s been killed off… but it’s still around, and still has teeth.
We all talk about GDPR, but actually, the UK’s data protection law is the Data Protection Act 2018 (DPA). GDPR is an EU Regulation. And, in case you missed it, the UK is no longer part of the EU.
So why does GDPR still matter? For one thing, the DPA imports GDPR into domestic law with some specific UK amendments. GDPR is largely incorporated – lock, stock and barrel – into UK law.
However, changes made by the EU to GDPR will not automatically be part of UK law, as they were before Brexit. That means that UK and EU law may diverge over time, although right now they are functionally on the same level. So should the UK care if GDPR is changed by the EU?
Well… yes. Because:
- GDPR will continue to apply to UK businesses that have an establishment in the EU. It will also apply to businesses that offer goods and services in the EU. When in Rome….
- EU clients and suppliers can only continue to send us personal data until the end of April 2021. The withdrawal agreement created a four-month window for transferring data between the EU and the UK. This window can be extended by up to an additional two months if neither the UK nor the EU objects.
What happens at the end of the transfer window will largely depend on whether the EU decides that the UK offers essentially the same protection as the GDPR. Someone in an EU country can transfer personal data outside the EU only if it’s to a non-EU country which the Commission approves (or if there is a special set of somewhat onerous “Standard Contractual Clauses” used in a detailed agreement between sender and recipient, but as they’re still not ready for some cases, I am not dwelling on them here).
- The Commission’s approval is by way of a formal decision that a country offers “essentially equivalent” protection to GDPR. This is an “adequacy decision”. There is a draft decision to this effect for the UK. It still needs to be approved by the EU data protection authorities and the other member states.
- Adequacy decisions can be reviewed and challenged. Last year, the EU-US Privacy Shield was successfully challenged in the European Court of Justice. The court said this regime no longer allowed the transfer of data from the EU to the USA. The same thing could happen to any UK adequacy decision. The more the UK departs from GDPR, the more likely it is that the adequacy decision will not be renewed or will be challenged.
- EU member states still need to abide by GDPR. If they want to transfer personal data to us, it needs to be done in a GDPR-compliant way. Even though GDPR no longer applies to the UK, if the EU says that the UK does not offer sufficient protection for data, the two easiest ways to transfer personal data are consent or standard contractual clauses (SCCs).
Whilst GDPR isn’t on our side of the wall, it’s only just on the other side… lying in wait.
If you would like further information on the topic discussed in this blog, please contact Lottie White by email: firstname.lastname@example.org or by phone: 0141 530 2038, Derek Hamill by email: email@example.com or by phone: 0141 530 2022 / 07973 924 333.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.