Confused about GDPR after BREXIT?

No! Well, in the words of a very famous Star Wars character…

…Or possibly, you should be.

In this blog we try to unravel what’s going on and, more importantly, what has been set in stone and what is still up in the air. We are going to answer some of the fundamental questions that organisations should be asking. We will answer these questions for UK organisations, EU organisations and non-EU/UK organisations.

Can I still process EU personal data?

Is the UK a 3rd country?

Do I need an EU representative?

Do I need a UK representative?

What should I be doing now?

What has Changed

On the 1st January 2021 the United Kingdom ceased to be part of the European Union (hoorah or boo depending on your own political stance).

The departure of the UK has meant a whole heap of changes in the way the UK interacts with the European Union, though not as many as were feared.

It was a nail-biting close to the year, and a no-deal BREXIT was looking more and more likely, but on the 24th December 2020 the UK and EU came to an agreement with a catchy title:

“TRADE AND COOPERATION AGREEMENT BETWEEN THE EUROPEAN UNION AND THE EUROPEAN ATOMIC ENERGY COMMUNITY, OF THE ONE PART, AND THE UNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELAND, OF THE OTHER PART”

If you are really interested, all of the relevant pages are here: https://www.gov.uk/government/publications/agreements-reached-between-the-united-kingdom-of-great-britain-and-northern-ireland-and-the-european-union

The main agreement is 1246 pages long, with a few annexes and supplementary documents tagged onto the end.

What does the Agreement say About Data Protection (GDPR)?

In short, the agreement states that the UK can continue to process EU Personal Data as if it were a 3rd country with an adequacy agreement on the condition that certain designated powers are not exercised.

So, this means effectively NO CHANGE provided the UK does not exercise any of its powers set out in the Data Protection Act 2018 during the period.

How Long is the ‘PERIOD’?

The period, or more accurately the “specified period”, is initially set at 4 months, with a possible (some would say almost certain) further two months if both parties agree.

That is, until the 30th of April… or the 30th of June 2021.

For more information see page 406 of the Agreement, “Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom”.

The period ends at the earlier of:

  • an adequacy ruling being confirmed
  • an adequacy ruling being denied
  • the UK exercising the above designated powers
  • the end of the period (4 or 6 months), assuming no further extensions are given

A ray of Hope for an Adequacy Ruling

There are a few articles and assumptions circulating that suggest this stay of execution, along with the associated information provided on page 25 of the Declarations, means that an adequacy ruling is imminent.

Buyer Beware

The only glimmer of light at the end of this tunnel is that the EU is going to start the process, and that they have 6 months in which to do it. This is 3 times as fast as any adequacy ruling has been given before.

The fact that we were GDPR ‘compliant’ before the 1st January is a very large red herring, since it has long been acknowledged that the UK’s DPA 2018 and its inclusion of designated powers are at odds with the GDPR.

There is also the spectre of the Schrems II ruling (see our other blogs), which is going to make it very difficult for the EU to grant an adequacy ruling to the UK whilst the UK allows its security services the same kind of access to data as the US does; that access is why Privacy Shield was killed off.

In fact, the Agreement itself practically lays out all of the barriers to the UK gaining an adequacy agreement.

Principally, if the UK exercises any of the below without agreement from the EU, then it’s game over.

Can I still process EU personal data?

If you are a UK organisation you can continue to process EU personal data almost as if nothing has happened.

If you are outside of the UK or EU then you may also continue.

This may change considerably during or after the 6 months to the 30th June.

UK and/or non-EU organisations processing EU data will need an EU representative.

EU or non-EU organisations processing UK data will need a UK representative.

Any organisation outside of the EU or the UK processing UK and EU data will need a representative in the EU AND a UK representative. This applies from January 1st 2021 regardless of the extension in the agreement.

Is the UK a 3rd country?

This is a tricky question and it is subject to some technicalities.

The UK is no longer part of the EU and as such is technically a 3rd country.

Because the UK is a 3rd country, technically speaking it now needs an adequacy ruling to enable personal data transfers to it from the EU, which the UK does not have, or it must otherwise satisfy the required elements of Chapter V of the GDPR:

“CHAPTER V TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS”

In reality the UK is for now in a halfway state, being a 3rd country without an adequacy ruling yet still able to process personal data as if it were a European country.

Do I need an EU representative?

This very much depends on what your status is as an organisation and what data you are processing and under what circumstances.

If you are processing EU data and you are not ‘established’ in the EU then yes, more than likely you will need an EU representative.

If this was being fulfilled by an establishment in the UK prior to Brexit, then you now need an EU representative as well as, or instead of, one in the UK.

See above “Can I still process EU personal data?”

Do I need a UK representative? 

Again, this very much depends on what your status is as an organisation and what data you are processing and under what circumstances.

If you are processing UK data and you are not ‘established’ in the UK then yes, more than likely you will need a UK representative.

If this was being fulfilled by an establishment in the EU but outside of the UK prior to Brexit, then you now need a UK representative as well as, or instead of, one in the EU.

See above “Can I still process EU personal data?”

What should I be doing now?

Decide whether you need a UK representative and/or an EU representative. GDPR Auditing offer both services at very competitive rates – contact us for a quote.

An adequacy ruling is not guaranteed. In fact, in our opinion, without the UK amending the DPA 2018 and possibly providing some guarantees around the level of access given to security services, it will be difficult for the EU to reconcile an adequacy decision against the backdrop of known issues.

Therefore, UK organisations must prepare for the possibility of not getting an adequacy decision and start working out how to process EU personal data legally if the worst should happen. GDPR Auditing offer an International Transfers Service which is designed to check your exposure and recommend actions to take to protect your business.

If we get an Adequacy Ruling is that business as usual?

If the EU and the UK somehow work out an agreement that enables the EU to provide the UK with an adequacy ruling, then it will be business as usual… but for how long?

For the answer to this we need to look a little way back in history, at how the EU has had an on-off personal data relationship with the US.

First there was Safe Harbour, enabling personal data transfers to the US from Europe. This was the subject of a court case, colloquially known as Schrems (after Max Schrems, who brought the case). After Safe Harbour was challenged it was ruled by the EU to be unfit for purpose and was essentially withdrawn.

This was followed by Privacy Shield, a new agreement which was always on shaky ground; after scraping through a couple of EU reviews and a second court case brought by Max, dubbed Schrems II, it was eventually withdrawn.

What do Schrems I and II mean for the UK?

It is entirely possible that the EU may decide to provide the UK with an adequacy decision, with or without changes, guarantees etc. being provided by the UK. 

The UK, for its own part, put two fingers up to the GDPR by enacting certain elements into the DPA 2018 even whilst in Europe. Now that the UK has sovereignty again, is it likely that these elements will be removed or watered down so as to become impotent?

Will the EU seek to explain these issues away, even though they were already an issue?

Even if, despite all of the above, the UK does get an adequacy ruling, the big question will be: for how long?

Will the UK become Schrems III?

Contact Us

If you would like to know more about how GDPR Auditing can help your organisation with PCI DSS or GDPR then please contact us at info@gdprauditing.com or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.