No-Deal Brexit and Two Versions of the GDPR

Note: this blog post is mainly for UK businesses; it is not legal advice, and there is still time for UK Government and ICO advice to change. There are extensive source references, with links indicated by the hash symbol, and a full list of links at the end of the article.

Introduction

If the UK leaves the EU without a deal on October 31 2019, there will be two versions of the GDPR and many UK organizations will find themselves operating *both* of them. How will that work? These are the versions:

  1. EU GDPR (the original, for the EU27) #1
  2. UK GDPR which “means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018”. #10, #11

The UK GDPR differs from the EU GDPR in that it excludes aspects of EU law that are not directly relevant and applies an extensive list of amendments. #12

Transitional Provisions for Data Transfers

There will be transitional provision for the UK to recognise most EU adequacy decisions, standard contractual clauses (SCCs) and binding corporate rules (BCRs), with appropriate changes to show the UK as a third country if necessary. You may need to identify a new BCR lead authority. This means you can probably transfer data from the UK to any other organisation that you currently do, but you need to check.

The transitional provisions do not, at the time of writing, cover other aspects of GDPR compliance, such as Data Processing Addendums (DPAs). #9

What are these two versions of GDPR?

EU GDPR

This is the original General Data Protection Regulation (GDPR) #1, exactly as before, applying to all the original states except the UK (the EU plus Iceland, Liechtenstein, Norway and Switzerland; you can treat these other states as part of the EU for most purposes).

There are other regulations, such as the Privacy and Electronic Communications Regulations (PECR) #2, and related laws such as the UK Data Protection Act 2018 #3. For simplicity I’m going to concentrate on the GDPR and ignore these others.

If you are a small UK business or organisation that has no contacts or customers in the EEA, you are no longer affected by the original GDPR, but only by the UK version. #4

But if you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA:

a) You will need to comply with both UK GDPR and EU GDPR after Brexit.

b) You may need to designate a representative in the EU. #5

c) You may need to sign EU SCCs (Standard Contractual Clauses governed by EU law) to receive data from your company contacts in the EU. #6

d) You need EU Data Processing Addendums (DPAs) between your organisation and the other Data Controllers or Data Processors that it integrates with.

e) Legal documents required under the EU GDPR must use a corresponding governing law (in this case the law of an EU country; see GDPR Article 28.3). For example, they could state: "Governing Law and Jurisdiction: This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of Netherlands". #1

UK GDPR

This is a revised GDPR, just for the UK, with references to EU law replaced. The changes are set out in the amending regulations. #12

If you are a small UK business or organisation that has no contacts or customers in the EEA, you are no longer affected by the original GDPR, but only by this UK version, which is near enough identical for SMEs, so keep calm and carry on. #4

But if you are a UK business or organisation with an office, branch or other established presence in the EEA, or if you have customers in the EEA:

  • You need to comply with both UK GDPR and EU GDPR after Brexit.
  • You need to designate a contact address in the UK. #5
  • You can probably transfer data to any other organisation that you currently do, but you need to check. This is because there will be transitional provision for the UK to recognise most EU adequacy decisions, standard contractual clauses (SCCs) and binding corporate rules (BCRs), with appropriate changes to show the UK as a third country if necessary. You may need to identify a new BCR lead authority. #9
  • You need UK Data Processing Addendums (DPAs) governed by a UK law, between your organisation and the other Data Controllers or Data Processors that it integrates with. At the time of writing, there are no transitional arrangements for this. #12
  • Legal documents required under the UK GDPR must be governed by domestic law (for example the law of England and Wales; see GDPR Article 28.3 as amended). For example, they could state: "Governing Law and Jurisdiction: This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England and Wales". This applies to DPAs immediately and will presumably apply to SCCs and BCRs after the transitional provisions end. #1, #12

What Happens in Various Scenarios

Designated Representatives

  • If your business has no sales in the EU or UK (ignoring occasional sales by people who sought you out), you don’t need a GDPR contact address.
  • If your business has sales in the EU but not the UK, you need a contact address in an EU country under EU GDPR. If you don't have a presence there, you need to designate a representative based there (either a resident or a company).
  • If your business has sales in the UK but not the EU, you need a contact address in the UK under UK GDPR. If you don't have a presence there, you need to designate a representative based there (either a resident or a company).
  • If your business has sales in the UK and the EU, you need a contact address in the UK under UK GDPR and a contact address in the EU under EU GDPR. If you don't have a presence in either of these places, you need to designate representative(s) based there (either a resident or a company).

Subject Access Requests (SARs)

Here’s what happens when data subjects make SARs to one of your contact addresses under EU GDPR or UK GDPR Articles 15-22, for example exercising the right of access to their data (asking for a copy). Unless the data subject names a specific GDPR version, it’s reasonable to assume that they are asking for their rights under the version of GDPR that corresponds to the contact details used.

There are three main categories of data subjects: in the EU, in the UK and Rest of the World (ROTW):

  • EU Data Subject makes SAR under EU GDPR: they get the same rights as before Brexit
  • EU Data Subject makes SAR under UK GDPR: they are treated like a ROTW data subject.
  • UK Data Subject makes SAR under EU GDPR: they are treated like a ROTW data subject.
  • UK Data Subject makes SAR under UK GDPR: they get the same rights as before Brexit.
  • ROTW Data Subject makes SAR under EU GDPR: they have no legal EU GDPR rights.
  • ROTW Data Subject makes SAR under UK GDPR: they have no legal UK GDPR rights.

The EU GDPR and UK GDPR start off almost identical and the actions that you take in response to a SAR will usually be the same in both cases. But no regulation exists in a vacuum – its meaning is affected by other local laws and the verdicts by courts and commissioners – so in the longer term you may have to respond quite differently depending on the version of GDPR used.

Note: GDPR regulators seem to be taking a relaxed view and ignoring unimportant actions that might infringe the GDPR (the legal term is “de minimis”), for example a US company that makes occasional sales within the EU, or an EU company whose support staff take overseas holidays while retaining their passwords to access client data. So actions such as having contact addresses in two countries are not enough to make you a multinational company for GDPR purposes.

Cookie and Privacy Pages

This includes all the legal information on your website that’s related to GDPR, such as cookie popups and privacy pages.

The information seen by each person should match the appropriate law for their location (see the section on Subject Access Requests above). But it’s even more complicated, as there are other privacy laws across the world, such as the California Privacy Act 2018. I suggest you make what people see depend on their location, e.g. as calculated from their IP address, but the details are beyond the scope of this document.
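
As an added example (not code from the original post), here is one way to implement the location-dependent selection suggested above: map a visitor's country code to the GDPR version that applies to them, using the post's own categories (UK GDPR, EU GDPR for the EU27 plus Iceland, Liechtenstein, Norway and Switzerland, and Rest of the World), and pick the matching privacy page and designated contact address. The country code is assumed to come from an upstream IP-geolocation lookup that is not shown; the page paths, contact strings and the fallback behaviour for an undeterminable location are hypothetical choices made for this example.

```python
# Added example (not from the original post): choose which GDPR regime's
# cookie/privacy notice and contact address to show a website visitor,
# based on a two-letter ISO 3166-1 country code. The code is assumed to
# come from an upstream IP-geolocation step (not shown). IP geolocation
# is approximate, so a missing or malformed code is handled explicitly
# rather than silently treated as one regime.

from dataclasses import dataclass
from typing import Optional

# EU27 member states (ISO 3166-1 alpha-2).
EU27 = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
# Iceland, Liechtenstein, Norway and Switzerland, which the post says can
# be treated as part of the EU for most GDPR purposes.
EEA_EXTRA = {"IS", "LI", "NO", "CH"}
EU_GDPR_COUNTRIES = EU27 | EEA_EXTRA
UK = "GB"


@dataclass(frozen=True)
class Notice:
    regime: str        # "EU GDPR", "UK GDPR", "ROTW" or "UNKNOWN"
    privacy_page: str  # privacy page to render (hypothetical paths)
    contact: str       # designated contact address to display


# Hypothetical contact details for an organisation that has a UK contact
# address and an EU representative (constructed placeholders).
CONTACTS = {
    "EU GDPR": "EU representative, <EU address placeholder>",
    "UK GDPR": "UK contact, <UK address placeholder>",
}


def regime_for_country(country_code: Optional[str]) -> str:
    """Map a visitor's country code to the GDPR version that applies to them."""
    if not country_code:
        return "UNKNOWN"
    code = country_code.strip().upper()
    if len(code) != 2 or not code.isalpha():
        return "UNKNOWN"  # geolocation returned junk; do not guess
    if code == UK:
        return "UK GDPR"
    if code in EU_GDPR_COUNTRIES:
        return "EU GDPR"
    return "ROTW"


def notice_for_visitor(country_code: Optional[str]) -> Notice:
    """Choose the privacy page and contact address to show this visitor."""
    regime = regime_for_country(country_code)
    if regime == "UK GDPR":
        return Notice(regime, "/privacy/uk", CONTACTS["UK GDPR"])
    if regime == "EU GDPR":
        return Notice(regime, "/privacy/eu", CONTACTS["EU GDPR"])
    if regime == "ROTW":
        # Outside both regimes: show the general notice. Other local laws
        # (e.g. California) are out of scope here, as in the post.
        return Notice(regime, "/privacy/general", CONTACTS["UK GDPR"])
    # Location could not be determined. Assumption made for this example:
    # show a combined notice listing both contact addresses rather than
    # picking one regime on a guess.
    return Notice(regime, "/privacy/combined",
                  CONTACTS["UK GDPR"] + "; " + CONTACTS["EU GDPR"])


if __name__ == "__main__":
    for cc in ["GB", "nl", "CH", "US", None, "ZZZ"]:
        print(repr(cc), "->", notice_for_visitor(cc))
```

The classification deliberately treats a malformed or missing code as a separate case instead of defaulting to Rest of the World, because a geolocation failure for a visitor who is in fact in the EU or UK would otherwise hide the notice and contact address they are entitled to see.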

Data Processing Addendums (DPAs)

The GDPR specifies which law is to govern legal documents such as DPAs, with EU GDPR requiring an EU jurisdiction such as Netherlands, while the UK GDPR will require a UK jurisdiction such as England and Wales. There are also lots of other amendments made to EU GDPR to create UK GDPR. This results in slightly different requirements depending on the location of the parties. #12

  1. If either your company, or the Controller/Processor that you’re integrating with, has a presence in or targets data subjects in the EU, then you need a DPA between you under the EU GDPR, governed by the law of an EU country, for example Netherlands.
  2. If either your company, or the Controller/Processor that you’re integrating with, has a presence in or targets data subjects in the UK, then you need a DPA between you under the UK GDPR, governed by the law of a UK country, for example England and Wales.
  3. If neither “1” nor “2” is true, you don’t need a DPA.
  4. If both “1” and “2” are true, then you need two DPAs, or some kind of hybrid DPA, governed by two jurisdictions. I don’t know if a hybrid document is possible, so take legal advice. If you can’t manage this and must choose just one jurisdiction, I suggest that UK Information Commissioner’s Office (ICO) is likely to be less of a problem than an EU regulator, so maybe only use EU GDPR for your DPA, for now.

Personal Data Transfers

A data transfer can mean two things under GDPR, but in practice regulators seem to be only interested in the first:

  • moving data, for example copying from your database to a data processor database. All that matters are the start and end locations, not the path through which data flows.
  • making data available, for example via an admin website that could be accessed from anywhere in the world.

After No Deal Brexit, the EU GDPR will restrict transfers of personal data outside of:

  1. the EEA (not including the UK),
  2. countries with an EU “adequacy decision” (which does not include the UK), #7
  3. transfers covered by appropriate safeguards controlled by the law of an EU country, such as Netherlands (a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules within a multinational, or standard data protection clauses between sender and receiver). #8

After No Deal Brexit, the UK GDPR will restrict transfers of personal data outside of:

  • the UK,
  • the EU27 and countries with a UK or EU “adequacy decision” (while the transitional provisions are active), then just countries with a UK adequacy decision #7
  • transfers covered by appropriate safeguards (SCCs or BCRs), either the UK versions or the EU versions (while transitional provisions are active), then just the UK versions. #8

Here’s what this means in practice when Brexit happens:

  • If your company and the Controller/Processor that you are integrating with, both store your data anywhere but the UK, you do not need to do anything different from before Brexit.
  • If your company stores data in the EU and receives data from the UK, you also don’t do anything different until the UK government transitional provisions expire. When that happens, you need to check how the UK government views EU data protection.
  • If your company stores data in the EU and sends data to be stored in the UK, you need to sign the standard EU GDPR data protection clauses, governed by the law of an EU country.

Links

1. General Data Protection Regulation (GDPR) guide: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ and source: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

2. Privacy and Electronic Communications Regulations (PECR) source: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058

3. Data Protection Act 2018 guide: https://ico.org.uk/for-organisations/data-protection-act-2018/ and source: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

4. UK businesses and organisations who have no contacts or customers in Europe: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-and-brexit-for-small-organisations/uk-businesses-and-organisations-who-have-no-contacts-or-customers-in-europe/

5. Designate a representative in the EU: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-if-there-s-no-brexit-deal-3/the-gdpr/european-representatives/

6. UK businesses and organisations who send or receive data to or from Europe: https://ico.org.uk/for-organisations/data-protection-and-brexit/data-protection-and-brexit-for-small-organisations/uk-businesses-and-organisations-who-send-or-receive-data-to-or-from-europe/

7. Countries with an EU adequacy decision: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#ib1

8. Restricted transfer covered by appropriate safeguards: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/

9. Transitional decisions for data transfers. There will be transitional provision for the UK to recognise most EU adequacy decisions, standard contractual clauses (SCCs) and binding corporate rules (BCRs), with appropriate changes to show the UK as a third country. You may need to identify a new BCR lead authority. https://ico.org.uk/media/for-organisations/documents/2614365/leaving-the-eu-6-steps-to-take-final.pdf

10. The provisions of the GDPR will be incorporated directly into UK law if we leave the EU without a deal, to sit alongside the DPA 2018. https://ico.org.uk/for-organisations/data-protection-and-brexit/information-rights-and-brexit-frequently-asked-questions/

11. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. https://www.legislation.gov.uk/uksi/2019/419/introduction/made

12. Amendments to the EU GDPR to create the UK GDPR. The following changes the governing law for DPAs from EU law to UK law: “Article 28 is amended as follows. (2) In paragraph 3— (a) in the opening words, for “Union or Member State law” substitute “domestic law”;” https://www.legislation.gov.uk/uksi/2019/419/schedule/1/made
