This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.
Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.
The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.
Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.
The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.” In essence, the power of the Commission will transfer to the Secretary of State on exit day.
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.
These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).
If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.