Essentially, the current GDPR rules still apply in the UK post Brexit and have been absorbed into and work hand in hand with the UK’s existing Data Protection Act of 2018. The Brexit transition period ended at 11pm on 31 December 2020. The post-Brexit Partnership Agreement with the European Union (EU), which provisionally came into force on 1 January 2021, ensures the free flow of data remain unchanged; initially on an interim basis and then on the basis of an EU adequacy decision. Adequacy decisions permit the free flow of personal date from the EU (and Norway, Liechtenstein and Iceland) to a third country under specific circumstances.
As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). The UK Government is currently seeking adequacy decisions from the European Commission. In the absence of adequacy decisions at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions.
If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April 20021, if you haven’t done so already. It will be necessary to keep this position under review and subject to how the European Commission recommend matters be dealt with.
The EU GDPR is now considered an EU Regulation and it no longer applies to the UK. However, if you operate inside the UK, you will need to comply with UK data protection law. The Data Protection Act 2018 (DPA 2018) (as amended), continues to apply.
As the provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period, the UK GDPR sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context. The GDPR has been incorporated into UK data protection law as the UK GDPR – so, in practice, there is little change to the core data protection principles, rights and obligations found in the UK GDPR.
At the end of the bridge, should the UK obtain necessary consent from the EU (and the expectation is that it will), then the UK GDPR adequately complies with the EU GDPR transfer restrictions and no further changes will need to be applied. However UK businesses and those UK businesses which also operate inside the European Economic Area (EEA) must be aware that they must continue to adhere to the EU GDPR in respect of personal data that flows from the EEA to the UK. For the time being this is permitted, as the EU has agreed to delay transfer restrictions for at least four months but this will be subject to the EU Commission adequacy decision for data transfer from the EEA into the UK.
The UK and EU are hopeful of completing the adequacy decision process within a reasonable period. However, the adequacy decision with Japan, the last third country to be stated by the EU as having an adequate lever of date protection took just over two years!
If you are in doubt of your obligations, please contact Nusrat Qureishi in our commercial department for further advice on email: email@example.com or tel: 01892 515022.
This blog is not intended as legal advice that can be relied upon and CooperBurnett does not accept any responsibility for the accuracy of its contents.