This post relates to Cooley’s Privacy Talks series – a webinar program featuring Cooley practitioners discussing practical guidance and best practices around managing data protection-related issues. Sessions range from the European General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) – and all the other new data protection frameworks arising in the US, Asia and Latin America. Sessions will occur on a monthly basis in 2022.
Post-Brexit, the UK is no longer a member state of the European Union, meaning that the data protection regime that applies to UK-related processing is separate from – but currently remains similar to – that which applies to EU-related processing.
There are certain impactful consequences of this separate regime, as well as some further changes to the UK privacy landscape as a result of the UK having become a ‘third country’ and no longer being a member state of the EU. Below, we detail the 10 key things we think you need to know about UK privacy.
#1: The UK GDPR is a stand-alone, parallel data protection regime.
After Brexit, the UK has retained the EU General Data Protection Regulation, commonly known as the EU GDPR, in UK law as the so-called UK GDPR.
In essence, the UK GDPR is the EU GDPR adapted to reflect that the UK is no longer a member state of the EU, and that the EU GDPR no longer has direct effect in the UK.
However, as the UK is no longer a member state of the EU, the UK now has the independence to review and revise the UK data protection regime. Therefore, the UK GDPR and the EU GDPR sit alongside each other as parallel regimes – each creating its own obligations which, although often highly similar, need to be considered and addressed separately.
#2: When does the UK GDPR apply?
The UK GDPR applies to processing of personal data carried out by controllers or processors in the context of the activities of an establishment in the UK. It also applies to controllers or processors who are not based in the UK, where that processing relates to either of the following:
- The offering of goods or services to individuals in the UK.
- The monitoring of the behaviour of individuals taking place in the UK.
#3: How do UK and EU adequacy decisions affect data transfers?
An ‘adequacy decision’ issued under the EU GDPR or the UK GDPR means transfers may be effected under that regime to recipients in countries, territories or sectors that benefit from that adequacy decision.
In effect, it is an acknowledgment that the data protection regime to which the recipient is subject creates an ‘essentially equivalent’ level of data protection to that which exists in the EU or UK.
Transfers to recipients who benefit from an adequacy decision are much easier than those made to recipients who do not, because no specific ‘transfer mechanism’, such as approved-form Standard Contractual Clauses (see #4 – #6 below), needs to be used to validate the transfer in question.
As things stand:
- Under the revised UK Data Protection Act 2018, the European Economic Area states were confirmed as ‘adequate’ for the purposes of the UK GDPR.
- On June 28, 2021, the European Commission issued an adequacy decision in respect of the UK, but it is time-limited, subject to ongoing review and expires June 27, 2025.
- The commission will be looking for signs of impactful deviation from the EU GDPR that might undermine its conclusion that the UK data protection regime creates an ‘essentially equivalent’ level of data protection to that which exists in the EU.
#4: How do current UK Standard Contractual Clauses (SCCs) apply to data transfers?
As we discussed in an earlier blog post, the commission published new SCCs in June 2021 for use under the EU GDPR to replace the ‘old directive’ SCCs. However, these new EU SCCs have not been approved for use under the UK GDPR.
In the context of the UK GDPR:
- The old directive SCCs continue to apply as the UK SCCs, and remain the only approved-form SCCs for UK GDPR transfers.
- However, they can (and, in our view, should) be adapted to reflect the UK GDPR and the fact that the UK is no longer an EU member state.
#5: New UK SCCs are coming, and a UK international data transfer agreement has been proposed.
In August 2021, the UK data protection regulator launched a consultation on a proposed UK international data transfer agreement. If approved, as is likely in some form, this will be the UK’s version of the SCCs.
Our understanding of the current proposal is that:
- This new UK international data transfer agreement would come into effect around April 2022 and would need to be used in contracts entered into thereafter.
- The old UK SCCs could no longer be used in any circumstances (i.e., in either new or existing contracts) from around January 2024.
#6: The proposed UK international data transfer agreement differs relatively significantly from the new EU SCCs.
The proposed UK international data transfer agreement:
- Is structurally very different from the new EU SCCs, with a mix of mandatory and nonmandatory clauses, and express interaction with ‘linked agreement(s)’, such as commercial terms and associated data processing terms.
- Covers many different transfer scenarios, but in some cases diverges from the new EU SCCs (e.g., it does not anticipate transfers from a processor back to its own third-country controller, which is the scenario covered by Module 4 of the new EU SCCs).
However, the UK data protection regulator also issued an ‘Annex’ to the new EU SCCs, which could be used to supplement new or existing implementations of those EU SCCs to ensure that they are extended to cover relevant transfers effected under the UK GDPR. In other words, you could just rely on the EU SCCs as supplemented with this Annex – you would not need to apply the full UK international data transfer agreement and the new EU SCCs for linked transfers.
#7: What about future divergence from the EU GDPR?
As noted above, because the UK is no longer a member state of the EU, the UK has the independence to review and revise the UK data protection regime.
Recent indications are that the UK wants to exercise its newfound independence and move away from the EU GDPR in some areas. Here are some key examples:
- The UK Department for Digital, Culture, Media & Sport (DCMS) has announced that it is investigating striking independent data adequacy decisions with key countries, including the US.
- The DCMS has also issued a public consultation in which it identified key areas of potential reform, notably in relation to:
  - Reduction of ‘accountability’ obligations, including removing the requirements to designate data protection officers, maintain records of processing activities and undertake data protection impact assessments.
  - Reform and relaxation of cookie consent rules.
  - Introduction of ‘white-listed’ legitimate interests for which no legitimate interests assessment would be required.
#8: Could any future divergence prejudice the UK’s adequacy decision?
In a word: Yes.
As noted above, the UK’s adequacy decision is under ongoing review, and the commission could conclude that these changes, if made, mean that the UK regime no longer creates an ‘essentially equivalent’ level of data protection to that which exists in the EU.
Alternatively, it could cause the commission to determine it needs to ‘re-assess’ the UK’s adequacy, effectively ‘suspending’ the adequacy decision.
We believe the commission will likely be most concerned about potential future adequacy decisions issued under the UK GDPR. Such decisions, if issued, could allow for onward transfers of data transferred to the UK under the EU GDPR to countries that the EU does not consider to have adequate regimes, such as the US.
The commission might well conclude that any such onward transfers via the UK to ‘EU GDPR inadequate’ regimes would puncture the protective bubble that the commission is at pains to maintain for personal data processed subject to the EU GDPR.
#9: What about new UK and EU representatives?
Many organisations will need to consider whether they are now obliged to appoint a UK representative under the UK GDPR. For example:
- This will be relevant for non-UK organisations (including EU organisations) whose processing relates to the offering of goods or services to, or monitoring the behaviours of, data subjects in the UK.
Organisations also will need to consider whether they are now obliged to appoint an EU representative under the EU GDPR. For example:
- This will be relevant to UK organisations whose processing relates to the offering of goods or services to, or monitoring the behaviours of, data subjects in the EU.
- It might also be relevant to other non-EU organisations that had previously appointed a UK person as their EU representative pre-Brexit, and now need an EU representative in the EU.
#10: Some housekeeping may be needed in data protection documentation.
Organisations may have to make several updates to data protection‑related documentation, most notably in privacy notices, data processing addenda and similar contractual arrangements, as well as internal policies and records. For example:
- Changes may be needed in such documentation to address that the UK is no longer a member state of the EU, and that the EU GDPR no longer has direct effect in the UK and has been replaced by the UK GDPR.