Brexit and GDPR: Do the companies in the UK still need to comply?
On January 1, 2021, when the UK formally left the European Union, the UK became a "third country" under the EU's GDPR. Because the EU-GDPR is a European regulation, it no longer applies directly in the UK. The general data protection regime under UK law was therefore modified to address the removal of the EU-GDPR from domestic applicability. Amending regulations changed the Data Protection Act (DPA) 2018 and merged it with the EU-GDPR requirements to form a new, UK-specific data protection regime that works in a UK context after Brexit. This new regulatory framework for UK data protection is known as the UK-GDPR.
Are the EU-GDPR and the UK-GDPR the same? Is there now a difference between these two laws?
The new UK-GDPR is nearly identical to the EU-GDPR. However, it is independent UK legislation, governed and enforced by the UK data protection authorities, and EU authorities have no role in it.
It is based on the same legal language as the EU-GDPR, but with the parts of the text that refer to the EU and Union law replaced by references to the UK and domestic law. The UK-GDPR merges the two pre-existing regimes for personal data protection, namely the EU-GDPR and the DPA 2018. One important point is that the ICO remains the independent supervisory body governing UK data protection legislation, but it is no longer an EU supervisory authority. Another important aspect of this setting is that the UK operates a fee payment system for controllers under the Data Protection (Charges and Information) Regulations 2018, known as the Data Protection Charge. All controllers must pay the data protection fee to the ICO each year unless they are exempt.
The UK-GDPR took its core provisions from the EU-GDPR in terms of:
1. Principles relating to the lawfulness of data processing (Article 5).
2. Rules around the processing of special categories of personal data (Article 9).
3. Conditions for consent (Article 7).
4. The age of valid consent (Article 8), with the exception that it is lowered to 13 years in the UK-GDPR from 16 years in the EU-GDPR.
5. The rights of the data subject (Articles 15-22).
The DPA 2018 has also been incorporated into the UK-GDPR; it addresses the areas of law enforcement, intelligence services and immigration that the EU-GDPR did not cover.
What Will Be the Impact of the Transition From EU-GDPR to UK-GDPR on UK Businesses?
While transitioning from the EU-GDPR to the UK-GDPR, organizations based in the UK will need to address the following areas in their DPAs and privacy policies:
- International transfer of data from the UK to other countries:
a) The transfer of data from the UK to the EEA is permitted.
b) Transfers of data from the EU to the UK are also permitted following the UK adequacy decision of June 2021, which ensures unrestricted personal data flow between the EU and the UK for four years (until June 2025).
c) Transfers of data from the UK to third countries (e.g., the US, Canada, etc.) are addressed by the UK government, which confirmed that UK organizations can rely on the same transfer mechanisms as under the EU-GDPR, i.e., adequacy decisions, appropriate safeguards, standard contractual clauses and exceptions.
- The possible need to appoint a representative in the EEA:
EU representatives act as a point of contact for lead supervisory authorities and data subjects. They need to be established in an EEA member state where the data subjects are based. UK businesses may now need to appoint an EU representative if both of the following apply:
a) They offer goods or services to, or monitor the behavior of, EU residents.
b) They do not have any offices or establishments in the EEA.
How can companies in the UK comply efficiently with the UK-GDPR?
The UK-GDPR, like the EU-GDPR, requires websites to obtain users' prior consent before processing any of their personal data through cookies and third-party trackers. Website privacy policies must also be updated to reflect that the company is fully aware of the UK-GDPR and has applied it in its business activities.
Additional EU-derived regulations that still apply to the UK after Brexit
Besides the GDPR regime, the following EU-derived regulations still apply to businesses in the UK:
1) PECR: Yes, it applies. PECR (Privacy and Electronic Communications Regulations) is UK legislation derived from the EU's ePrivacy Directive.
2) NIS: Yes, it applies. NIS (Network and Information Systems) is based on EU legislation but has been incorporated into UK law.
3) eIDAS: Yes, but the UK eIDAS (electronic identification and trust services) regulations are an amended form of the EU eIDAS Regulation; they retain many aspects of the EU regulation but are tailored for use within the UK.
4) FOIA: The Freedom of Information Act 2000 forms part of UK law and will continue to apply.
5) EIR: The Environmental Information Regulations will continue to apply unless specifically repealed or amended. They derive from EU law but are set out in UK law.
The Road Ahead
Although the UK has exited the EU, the GDPR will still have an impact, which demonstrates the reach of this EU regulation beyond the EU. International companies across the globe with any EU citizens as customers will need to be aware of their legal obligations and comply to avoid fines. Given the high level of international business involving the EU, the GDPR may drive stronger data protection procedures around the world. Whatever the pace of this transition, the GDPR is here to stay and to expand worldwide.