Full English Brexit or Continental Brexit?

If you want to start a social media war in three words or less, just post: “I love Brexit 😊” and you’ll be inundated with reactions and comments from supporters and detractors alike.

January 31^st 2020 saw the UK’s departure from the EU, leaving in its wake inevitable questions such as: “What happens to all of those lovely EU laws now that we have Brexited?”, “Do we still need to worry about the upcoming ePrivacy Regulation?” and… “Does the GDPR still apply?”

To answer these, let’s have a quick look of the different types of EU laws out there:

EU regulations bind member states and reign supreme over domestic laws.
EU directives set binding goals but offer member states flexibility in how to achieve them.
EU decisions bind those to whom they are addressed.
EU recommendations and EU opinions don’t bind.

So, since the UK is not an EU member state anymore, that means that these laws no longer apply to us, right?

Well… the answer is yes and no. To answer this accurately we need to have a look at the end result of THAT bill that recent prime ministers have battled to get through the House of Commons and the European Commission; THAT bill that saw off Theresa May’s premiership; shone a light on a backstop, and broke Boris’ promise to leave by October 31^st 2019 “…Come what may”. Of course, I’m talking about the recently royally assented European Union (Withdrawal Agreement) Act 2020. A version has been signed by the European Commission and Council, and been ratified by the European Parliament.

Admittedly, it’s not the most exciting read, but that’s only because it has been drafted in a way that leaves the reader referring numerously to its 2018 predecessor. BUT, and it is a big but, it spells out on more than one occasion, and unequivocally, that the Parliament of the United Kingdom is sovereign ‘notwithstanding directly applicable or directly effective EU law continuing to be recognised and available in domestic law’.

Further complexity is added because the government will have until 31^st December 2020 to negotiate the UK’s future relationship with the EU. Chances of this date being extended are high because the window for negotiation is comparatively short (Japan took two years to negotiate a deal with the EU).

Additionally, Theresa May promised to enshrine all EU legislation into local law within the UK. We started seeing this with the enactment of the Data Protection Act 2018 (DPA). This domestic law mirrors the GDPR, however there are some deviations (including the DPA stating that a child can consent to data processing at age 13, whilst the GDPR sets this at age 16).

Even more harmoniously, the DPA and the GDPR have been further merged by way of a UK statutory instrument: The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. (Picture a mass GDPR edit-replace of ‘Member State’ with ‘United Kingdom’ and ‘Supervisory authority’ with ‘Commissioner’.) This amends the DPA. It also amends the Privacy and Electronic Communications Regulation (PECR) with an almost throwaway line that consent in PECR must align with consent in the GDPR. These are all married with the GDPR to form a data protection framework for a post-Brexit UK called ‘the UK GDPR’, as distinct from the EU’s GDPR.

Finally, by Article 45 of the EU GDPR, in order to continue seamless international data flows from the EEA to the UK, the European Commission must conclude, by an adequacy decision, that the UK, as a third country, offers personal data an adequate level of protection. Failing this, UK organisations will have to rely on contracts or binding corporate rules to transfer personal data from organisations in the EEA.

So what does that all mean?

Well it means that the EU’s GDPR applies until the end of the transition period (December 31st 2020), and then the UK GDPR applies.

As EU data privacy rules become enshrined in one way or another in UK law, protection of the rights of individuals will be paramount. One thing is for sure, the rights offered by the GDPR and other EU laws will continue to be reflected in the national laws of the UK.

It is recommended that organisations:

Review the state of Data Privacy laws in the wake of Brexit
Assess the impact of these changes
Ensure compliance after 31 December 2020 in case no adequacy decision is reached

Compliance with post-Brexit data protection legislation is vital to reducing the risk of data breaches, and meeting the expectation of customers, regulators and the public alike.

For more information on how Bridewell’s Data Privacy services can support your organisation, get in touch with our team for a confidential conversation.