Due to the uncertainty created by the worldwide Covid pandemic and Brexit, there are many challenges ahead in relation to data protection.
The General Data Protection Regulation (GDPR) was introduced on 14 April 2016 and came into force across the European Union on 25 May 2018. It regulates data protection throughout the EU and has an extraterritorial reach, in the sense that companies outside the EU that provide services to people based in the EU will need to comply with the provisions of the GDPR. Furthermore, the General Data Protection Regulation makes provision for the transfer of personal data outside the EU, allowing it only in specific cases and requiring appropriate safeguards.
Although this legislation has been an imperative step towards protecting the freedoms of individuals (specifically privacy), it has gained enormous attention due to the corrective powers that the legislation provides.
In fact, the Information Commissioner’s Office (which is the UK Supervisory Authority in regard to Data Protection) has corrective powers, including but not limited to the power to impose an administrative fine pursuant to Article 83 of the GDPR:
“[…] Infringements […] shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
The power is further confirmed under national legislation, specifically under Section 157 of the Data Protection Act 2018:
“(1) In relation to an infringement of a provision of the GDPR, the maximum amount of the penalty that may be imposed by a penalty notice is—
(a) the amount specified in Article 83 of the GDPR, or
(b) if an amount is not specified there, the standard maximum amount.”
Nonetheless, the GDPR is an EU regulation and is therefore directly applicable only to EU member states, which the UK ceased to be at 11.00 pm (UK time) on 31 January 2020.
However, the EU-UK Trade and Cooperation Agreement contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period until adequacy decisions come into effect, for up to 6 months. EU adequacy decisions for the UK would allow for the ongoing free flow of data from the EEA to the UK.
It is highly likely that the EU will issue a favourable decision, confirming the adequacy of the UK, thus creating a mechanism for free flow of data between the EU and UK.
Unfortunately, this is in no way a certain outcome. Therefore, it is advisable that businesses take precautions in order to be prepared for when the transition period ends.
If no adequacy decision is in place after the transition period, the UK will be considered a third country, with important implications for the flow of data to and from the EU. The GDPR provides under Article 44:
“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.”
For businesses, one of the options available would be to put in place Standard Contractual Clauses. Other options include developing binding corporate rules or using other mechanisms or derogations in order to be able to receive personal data from the EU.
In the meantime, under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (DP Brexit Regulations), the GDPR and the applied GDPR will merge to form the UK GDPR, increasing the chance of a favourable adequacy decision from the EU.
It is extremely important to be ready in case of a negative adequacy decision. In fact, as mentioned above, the GDPR provides for harsh fines of up to 20 000 000 EUR [or] up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
We can help you to better understand the implications of Brexit for your data protection obligations and assist you in drafting the required documentation so that you can continue trading without unnecessary interruptions.