UK data laws after Brexit: Your questions answered

This article originally appeared in May's edition of IT Pro 20/20.

One of the most turbulent aspects of the Brexit debate was the uncertainty it created for businesses across the UK. While we now have a slightly better idea about what the regulatory landscape will look like after the transition period ends, questions remain about the future.

We pulled together some of the most common issues raised by businesses, both before and after Brexit day, and put them to legal experts. While we’ve sought to answer them as fully as possible, some have yet to be addressed by the UK government. In these instances, therefore, legal opinion often remains divided.

What laws will the UK use to protect data once we leave the EU?

Perhaps the biggest issue facing businesses and consumers is figuring out what the UK’s data laws will look like once we are beyond the remit of EU rules.

The UK currently operates under GDPR supported by its own Data Protection Act (DPA) 2018, which adds certain exemptions and derogations that help GDPR fit into the UK puzzle more cleanly – for example, in areas such as regulatory enforcement and issues of national security.

Emma Erskine-Fox, associate at UK law firm TLT, explains: “It’s a common misconception that the DPA 2018 incorporates the GDPR into UK law post-Brexit, but this isn’t the case; this will be done by the European Union (Withdrawal) Act. The DPA 2018 serves the important purpose of providing a data processing framework for law enforcement and intelligence services processing, in accordance with the EU Law Enforcement Directive.”

She adds that the Data Protection Act 2018 will continue to function in this regard and sit alongside GDPR even after the UK leaves the EU.

Ashley Winton, chairman of the Data Protection Forum and partner at law firm McDermott Will & Emery, explains that although the UK’s data protection position will seem relatively straightforward for the consumer, the legal position for organisations will be complicated by overlapping legislation.

“The DPA 2018 introduces the concept of the ‘Applied GDPR’,” says Winton. “This is a UK version of the GDPR which will apply as UK law, but only applies in very specialist circumstances: Primarily for certain national security or defence purposes. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will adapt the GDPR to form the ‘UK GDPR’, which will govern the majority of the data protection processing in the UK.”

He adds that this will be further complicated by the Withdrawal Agreement, which “provides that personal data received from individuals located in Europe before the end of the transition period must continue to be processed in accordance with the GDPR”.

Is the UK likely to change existing data laws after Brexit?

One of the core tenets of the Leave campaign was the idea that the UK could take back control of its laws, and so questions have surfaced over whether it would seek to change established EU laws once it leaves the bloc.

Aside from a number of small administrative amendments to GDPR – for example, the changing of references to ‘Union law’ to ‘domestic law’ – it’s likely that there will be more substantial changes to come.

“Recent indications from the government suggest that the UK may look to diverge from the GDPR, but we don’t yet have any clarity on exactly what that divergence might look like or what areas may change,” explains Erskine-Fox.

According to Hazel Grant, head of privacy at law firm Fieldfisher, it’s very unlikely that the UK will follow developments in EU law once the Brexit process is finally completed.

“Boris Johnson has previously stated that the UK will seek to create ‘separate and independent policies in areas such as data protection’,” says Grant. “However, the UK has also committed in the Political Declaration on the Future Relationship between the UK and the EU to ensure ‘a high level of personal data protection’.”

Both Grant and Erskine-Fox agree that if the UK hopes to continue a close relationship with the EU and secure an adequacy agreement, it needs to be careful that any plans to change UK data laws don’t deviate too far from the EU’s position.

How will my business in the UK transfer data to other countries?

The implementation of GDPR into UK law means that restrictions will still apply when agreeing data transfer arrangements to other countries – that is, if your business needs to transfer data to another country, that target country’s data laws need to be deemed ‘adequate’ by the UK.

The UK has already confirmed that it will recognise all countries in the European Economic Area (EEA) as having ‘adequate’ data laws, meaning data travelling from the UK to the EEA will likely remain intact after the transition period and businesses won’t be required to make any adjustments. This arrangement also extends to each of the twelve countries outside the EEA that the EU has already signed adequacy agreements with, although it’s likely that the UK will sign agreements with these countries after Brexit as a formality.

That means a UK business will be able to freely transfer data to Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the US (as part of Privacy Shield), as well as Canada for commercial purposes.

After the transition period ends, the UK is likely to start work on its own mechanisms for transferring data to those areas not already covered. However, as mentioned earlier, these will need to be in line with GDPR principles.

“Transfers to any other countries will still require a transfer mechanism to be in place, so data sharing between a post-Brexit UK and Brazil (a country not currently recognised as adequate by the EU) would need to be covered by one of these mechanisms,” says Erskine-Fox. “The UK will, in the short-term, retain the existing adequacy mechanisms approved by the [European] Commission; including model contract clauses and binding corporate rules.”

The UK government has already started discussions with countries elsewhere in the world to build arrangements that provide mutual recognition of data standards. However, it’s unclear if these will be established before the end of the transition period.

Will my data transfers from the EU be interrupted by the end of the transition period?

As mentioned earlier, the UK has already said it will deem EEA countries ‘adequate’ in order to maintain data flows after Brexit. So, there’s nothing to suggest that data flows out of the UK to the EU will be hampered in any way.

However, while there is every indication that this will be reciprocated, the EU has yet to confirm this. What’s more, it’s impossible to say how long the process of securing an adequacy agreement could take once the go-ahead is given.

“In the Political Declaration, the European Commission has committed to start the assessment of UK data protection law with a view to adopting a decision before the end of the transition period,” explains Alexander Milner-Smith, partner and co-head of the Data & Privacy Group at law firm Lewis Silkin. “However, these assessments have in the past taken much longer and with the current COVID-19 pandemic it is likely that this timeline will not be met.”

“There are other countries in the ‘queue’ for adequacy, but, according to the black letter of the law on adequacy, the UK is adequate and should be judged as so,” he adds.

The UK does have plenty of advantages to speed this process along. Unlike every other country currently in the ‘queue’, or indeed any country that has been judged adequate in the past, the UK already complies with GDPR. It has also functioned as a well-respected and well-resourced data supervisor within Europe.

However, there are concerns that the process could be frustrated by conflicts with existing UK national laws. As Milner-Smith explains: “The main worry is over the width of the Investigatory Powers Act – i.e. can security and police forces look too easily at our personal data in the UK?”

It’s possible these concerns may be overblown, as “a number of other countries who have been judged as adequate have similar, or much wider, powers of surveillance, for example Israel. Even Canada, another ‘adequate’ third country, has wide powers,” he says.

Ultimately, how long it will take for the UK to secure an adequacy agreement is likely to be a matter of politics.

“Whilst the EU and the European Commission always talk about the rule of law and process being sacrosanct, one suspects this will be an example of creative interpretation and the adequacy decision will be held as a bargaining chip in more general negotiations. As such, one might expect to see the absurdity of ‘fish’ for ‘data’ entering into discussions.

“This is a perfectly valid negotiation tactic, but we should not pretend it has anything to do with whether the UK has adequate data protection standards or not.”

My UK business needs to share data with the US – will I need to use Privacy Shield?

It’s difficult to say for certain at this stage what the UK’s international data transfer system will look like after Brexit, but there appears to be a consensus that it will seek to retain Privacy Shield, at least in the short term.

“It may be that the UK decides that it would prefer to keep Privacy Shield as a method of transfer,” says Grant. “That was the intention before, when a no-deal Brexit was anticipated. Participants were going to be able to use the Privacy Shield to transfer data from the UK to the US provided that they updated their public commitments to say that those commitments extended to transfers of data from the UK.”

Claire Hall, a solicitor specialising in data protection at law firm VWV, agrees that Privacy Shield will still apply to transfers from the UK to the US after the transition period.

“As for what will happen if the Privacy Shield is replaced, there are too many unknown factors at the moment to say,” explains Hall. “In some respects, it is in the UK's interest to have comparatively free data flows with the US but this has to be balanced against the need to maintain robust data protection laws so that we maintain our adequacy decision.”

According to the Data Protection Forum’s Winton, during early trade discussions between the UK and the US, “a more permissive regime was discussed but there aren’t any indications that the [current] situation will change in the future”.

Are we going to see more companies move their data to the US, as has been the case with Google? If we do, will UK laws still apply?

In early 2020, Google made the decision to move the data it held on UK citizens away from Ireland and store it instead in the US. According to the firm’s former global privacy lead, Lea Kissner, it was feared that the UK might water down its own data protection laws to the extent that it fails to reach an adequacy agreement with the EU, making it more difficult for the company to share data with the EU.

According to VWV’s Hall, there’s little the UK government will be able to do to prevent organisations from making such decisions. However, she adds that UK citizens have little to fear about their data moving to the US.

“It’s important to note that the personal data of people in the UK can still be protected by UK law when it's in the US – just as it's protected by the GDPR at the moment,” says Hall. “The GDPR has territorial provisions that place obligations on organisations outside of the EU in certain circumstances, for example when the organisation is offering goods or services to people in the EU.”

Will Brexit really give the UK independence when it comes to data laws?

Although independent law-making was considered one of the main arguments for voting to leave the EU, the European Union’s data regulations could continue to have an effect on the UK’s laws long after the transition period is over.

“If the UK wishes to maintain an EU adequacy decision then it will not be entirely free to decide its own data protection standards,” argues Grant. “[Laws] will need to remain essentially equivalent to those in the EU. The UK regime will not need, however, to be word-for-word the same as the EU regime.”

However, this might result in potential complications if the UK fails to secure an agreement with the EU. As Grant explains, the UK “has made commitments to the EU about the treatment of personal data from the EU which came to the UK before the end of the transition period”.

Under these commitments, that data must continue to be processed in accordance with the EU’s GDPR standards, regardless of any further decisions made by the UK, and taking into account past and future case law of the Court of Justice of the European Union.

“These commitments will be binding in international law and could constrain the positions which the UK takes in future international agreements on data protection,” says Grant.

Taking into account these obligations, it could become necessary for businesses to be able to adapt to and juggle multiple data laws at once. Even in the case of the UK creating its own, independent data regulations, businesses might want to keep a copy of EU data laws - especially when processing older datasets.

Despite the UK obtaining some level of independence with Brexit, the EU will continue to hold a great deal of leverage over its former member state. It is quite possible that the bloc will continue to exert influence over the type of data laws being adopted in the UK, even if it no longer has jurisdiction or direct involvement. Independence has a price, and that price might be the risk of undermining business processes.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.