It all happened quite quietly in the end. The legislation that governs the UK’s exit from the EU became law and the UK left the EU at 11 p.m. UK time/midnight CET on January 31, 2020.
In truth, despite the political wrangling, the Withdrawal Agreement itself did not change a great deal from the original draft tabled by (then-Prime Minister) Theresa May in November 2018. From a data protection perspective, in fact, there have been no changes. Here are the key things to remember:
Perhaps the most significant change introduced by Boris Johnson’s deal is the (effective) removal of the option for the UK to ask the EU for an extension of the Transition Period. It is theoretically possible to make such a request, but it would require the UK Parliament to amend legislation. So, come what may, and whether or not there is a free-trade deal (or indeed an adequacy decision) in place on December 31, 2020, it is more likely than not that the Transition Period will come to an end after that date, and all EU law will cease to apply directly in the UK.
Transfers Between the EU and the UK: The Transition Period will be crucial in determining whether the UK can obtain an adequacy decision from the EU Commission. Obtaining such a decision will ensure that data can continue to flow freely from the EU to the UK (i.e., without the need for any specific transfer mechanisms such as standard contractual clauses or BCRs). The Political Declaration accompanying the New Withdrawal Agreement (which was prepared by both the EU and the UK, but which is not legally binding) provides that, as far as an adequacy decision goes: “the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met.”
The EU has already set up a Task Force and has committed to beginning the EU’s adequacy assessment “as soon as possible,” and the UK will reciprocate in terms of its assessment of EU adequacy. See https://ec.europa.eu/commission/sites/beta-political/files/seminar_20200110_-_data_protection_adequacy_-_financial_services_en.pdf.
The UK has already written the GDPR into UK law (in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (also known as the “UK GDPR”)). The UK GDPR essentially mirrors the GDPR, but also makes some necessary changes to the GDPR and the Data Protection Act 2018 (mainly for the sake of coherence in light of the fact that the UK will no longer be an EU Member State). The UK GDPR will apply as soon as the Transition Period comes to an end.
These measures, in theory, should help to ensure that the UK continues to provide a standard of protection that is sufficient for the purposes of obtaining an adequacy finding from the EU Commission. The EU will no doubt be keen to understand what the UK intends to do in relation to other aspects of data privacy, such as e-privacy, whistleblower protection laws, and monitoring/surveillance laws.
In the meantime, the Withdrawal Agreement allows for data transfers to continue as normal during the Transition Period, while the parties make their adequacy assessments; businesses can continue to transfer personal data between the EU and the UK without the need for implementing other measures, such as the use of standard contractual clauses.
Transfers from the UK to Non-EU Countries: The UK has made arrangements so that personal data transfers between the UK and countries that are already covered by an EU adequacy decision (Andorra, Argentina, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, and Uruguay) will also continue to be permitted. Japan’s Privacy Commission has explicitly confirmed that free data flow between Japan and the UK will continue even after the Transition Period ends.
Privacy Shield: As for data transfers from the UK to the USA under the Privacy Shield mechanism, early indications are that little will change after the Transition Period, though US organizations relying on the Privacy Shield to receive personal data from the UK will likely have to make small updates. In particular, the US Department of Commerce has noted on its Privacy Shield FAQs page that Privacy Shield participants seeking to receive personal data from the UK will need to update their public commitments to comply with the Privacy Shield to refer to the UK (they will likely refer only to the EU and/or Switzerland at present). The Department of Commerce also notes that “[a]fter December 31 2020, an organization that has publicly committed to comply with the Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on the Privacy Shield”.
You can read the Department of Commerce’s FAQs in full.
Of course, while Brexit will dominate some of the landscape in 2020, the cogs of the EU wheel will continue to turn. In particular, we wait to see whether the European Commission can agree on the form of an e-Privacy Regulation, with the most recent draft rejected by the European Council’s Committee of Permanent Representatives (you can read the Committee’s progress report). In 2020, the European Commission will have an opportunity to withdraw the draft in its entirety, or to re-draft it.
Even if a draft is agreed on in 2020, it is extremely unlikely to take effect in the UK. It will be interesting to see whether (and to what extent) the UK chooses to mirror the EU’s eventual approach.
The ICO has issued a statement making clear that it will remain the independent supervisory body regarding the UK’s data protection legislation. During the Transition Period, the ICO will continue to be a lead supervisory authority and to co-operate with EU data protection regulators.
However, the ICO’s role after the Transition Period is less certain; it depends on the terms of the new partnership between the UK and the EU. The ICO has historically been a key regulator in the EU and has made no secret of wanting a continued role. For now, however, its position is that “the UK government will continue to work towards maintaining close working relationships between the ICO and the EU supervisory authorities once the UK has left the EU.” See https://ico.org.uk/media/for-organisations/documents/brexit/2617110/information-rights-and-brexit-faqs-v2_3.pdf.
For now, the key message for businesses is to track the developments in the adequacy assessments taking place between the UK and the EU, and, for those certified under the Privacy Shield, to prepare to update public commitments to refer to the UK separately from the EU. UK businesses without a branch in the EU who offer goods and services to individuals in the EU—or monitor their behavior—should review this year whether they will need to appoint an EU representative after the Transition Period. Equally, all businesses without a branch in the UK who offer goods and services to individuals in the UK—or monitor their behavior—should consider whether they will need to appoint a UK representative.