As the UK leaves the EU, what does this mean for data protection and the GDPR?
With the expiry of the Brexit Transition Period on 31 December 2020, the UK is no longer subject to EU law. This includes, of course, the General Data Protection Regulation (‘GDPR’) and, even though the UK’s Data Protection Act 2018 directly mirrors the GDPR, the EU has not formally recognised the UK as having an ‘adequate’ domestic data protection regime.
This state of affairs would threaten serious consequences for UK and EU businesses needing to exchange personal data. The Trade & Co-operation Agreement (‘TCA’, agreed by the UK and the EU just before the end of 2020 to address general ongoing relations between them) therefore extends a grace period to buy time for mutual acknowledgements of adequacy. During this period (until May or July 2021 depending) the UK will continue to be treated as an EEA member state for GDPR purposes, provided it does not diverge further from the EU’s data protection regime.
Crucially, this would seem to preclude any closer data sharing between the UK and the USA. It also requires the UK to specifically maintain EU standards on individual consent for direct electronic marketing including email and SMS messaging.
It is not clear how quickly mutual adequacy could be established. The TCA allows 4-6 months which, all else being equal, ought to be sufficient. However, in the current political and economic climate, it is not inconceivable that either party might decide other issues should be given higher priority. While this situation may be of greatest direct concern to UK-based data handlers, it also applies to any other business around the world with an interest in transferring data into and out of the UK, including here in Australia. It must be hoped that the UK applies for and is granted ‘adequacy’ as a matter of urgency.