We’ve previously documented the Brexit and GDPR issues facing the UK once the transition period is out of the way by the end of 2020.
The key issue is that, whilst we’re still in the transition period, EU GDPR still applies, but post-transition the UK will essentially be a “third country”, meaning that any EU to UK data transfers will become restricted under GDPR. This will be true even with the UK having the UK GDPR in place, simply because of what the GDPR says about transferring data outside the EU (which of course the UK will be).
During this transition period we can only hope that the EU and UK reach some kind of agreement. The obvious agreement would be to acknowledge that the UK’s data protection law (post-transition), i.e. UK GDPR and the Data Protection Act 2018, is equivalent, so that the EU gives the UK an adequacy decision, which would mean that any EU to UK data transfers would be lawful under EU GDPR.
However, the prospects of an adequacy decision are not looking as good as you might expect. At its “Proposed mandate for negotiations for a new partnership with the United Kingdom of Great Britain and Northern Ireland” discussions on 12th February 2020, the EU Parliament declared that it is not sure the EU could grant the UK an adequacy decision because:
- there are exemptions in DPA2018 relating to data processed for immigration purposes, which could mean non-UK data subjects’ data won’t necessarily be processed according to EU standards
- the UK’s data retention provisions for electronic telecommunications data are not compatible with the EU’s expectation of implementation of the relevant EU regulation (the “EU acquis”, which means it should be implemented the same across all EU member states)
- there are questions around mass surveillance and the UK’s data protection framework relating to national security and processing by law enforcement agencies
In its resolution, the EU Parliament therefore instructs the EU Commission to “carefully assess UK’s data protection legal framework and ensure that the UK has resolved the problems identified in this resolution prior to considering UK data protection law adequate in line with EU law as interpreted by the CJEU, and to seek the advice of the European Data Protection Board and the European Data Protection Supervisor providing them with all the relevant information and appropriate timelines to fulfil their role”.
More to come on this in 2020 for sure.