It’s been a while since GDPR dominated business magazines and technology websites, but important changes have happened to make the topic worth revisiting.
There was a time when we really could not have escaped the headlines about GDPR. But after the May deadline passed in 2018, GDPR seemed to disappear from our collective consciousness without trace – unless you happened to be the data protection officer for your organisation, of course.
The EU General Data Protection Regulation (EU GDPR)(1) began life as a regulation in EU law that sets rules for data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
One of the provisions under GDPR that grabbed the most headlines before the May 2018 deadline was the value of fines that organisations could be levied if they failed to adequately protect the personal data they hold. Organisations that suffered such breaches could be subject to fines of up to £17.5 million or four percent of annual global turnover (whichever is greater).
At the time, few countries had legislated to give their citizens the data privacy protections that the GDPR affords EU citizens. The regulation came to be seen as setting the gold standard in data privacy legislation. Following it, a number of non-EU countries and US states implemented similar data protection measures which reflected the provisions made under EU GDPR.
In the UK, the GDPR passed into law in May 2018, following the standard transition of EU regulations at that time.
The Brexit vote and the UK’s subsequent departure from the EU raised question marks over whether the GDPR would remain in its existent state.
However, the GDPR was one of the many EU laws that was incorporated directly into UK law when the UK formally left the EU on January 31, 2020.
Data that concerns EU citizens will continue to be subject to EU GDPR(2), but data that concerns only UK citizens will be subject to the UK GDPR. Both fall under the remit of the UK Information Commissioner’s Office (ICO).
When, following Brexit, the provisions of the EU GDPR were incorporated directly into UK law as the UK GDPR, very little changed at that time. What small changes were made were simply to ensure the law reflected the changing constitutional arrangements, rather than making any major amendments to data protection provisions.
As a result, for the moment, the responsibilities under UK GDPR and EU GDPR remain aligned.
Because of the alignment between UK GDPR and EU GDPR, on 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED)(3). This confirms that data can continue to flow as it did before, in the majority of circumstances.
However, as part of its decision, the EU specified a sunset clause in case UK law deviates from EU GDPR. As a result, these decisions last only until 27 June 2025.
The UK Government welcomed the EU’s adequacy decisions, which it says, “rightly recognises the country’s high data protection standards.”
The UK Government(4) confirmed that “the decisions mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts.”
In other words, UK businesses, already dealing with multiple challenges in logistics, staffing, and increased paperwork resulting from the fallout from Brexit, are protected from additionally having to deal with complex data protection changes – at least until June 2025.
However, as we’ve come to learn from Brexit-related news, things aren’t always that simple. And, perhaps, UK businesses shouldn’t expect such plain sailing.
Since the adequacy decision in June 2021, UK Culture Secretary Oliver Dowden has announced that the UK Government plans to overhaul privacy rules.
In August 2021, Dowden said(5), “Now that we have left the EU, I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK.”
Such statements raise a red flag over the continuance of any adequacy decision. While the sunset clause may come into effect in 2025, with sufficient provocation the EU might feel it necessary to review adequacy earlier or overturn its decision.
Any changes made by the UK will need to offer a new regime that the EU deems adequate – otherwise data transfers between the UK and EU could be frozen. Far from being a Brexit dividend, this could cause additional work for UK businesses operating in Europe.
For the moment, only time will tell. The appointment of a new UK information commissioner when Elizabeth Denham leaves the post on 31 October 2021 will be significant. John Edwards, currently the privacy commissioner of New Zealand, has been named as the UK Government’s preferred candidate for the role. As such, he would oversee any transformation of UK data privacy rules. It isn’t clear yet what direction that may mean. We should know more later this year.
Unfortunately, this means that – however weary we are of them – neither we nor the headlines are yet free of those two challenging topics: GDPR or Brexit.
Need help understanding the rules on data privacy in the post-Brexit world? The ICO guide to post Brexit changes can be found here(6).
What is the right level of cyber security for your business? The Grant McGregor team can help on this and other data, information system and cyber security matters.