Updated February 3, 2020.
Brexit happened. The United Kingdom left the European Union on January 31, 2020.
Post Brexit, GDPR will come to mean several things in the UK, as new domestic data laws will take effect.
In this blog post, we give you an overview of what is changing and what will remain the same with GDPR after Brexit.
The United Kingdom voted in favor of leaving the European Union in a referendum back in the summer of 2016, only a few months after the European GDPR (General Data Protection Regulation) was passed into law with a two-year grace period.
After the grace period, when the law finally came into effect in May 2018 in all twenty-eight EU member states (including the UK), the country had been embroiled in paralyzing parliamentary procedures for nearly two years with no clear end in sight and Brexit still looming on the horizon like a hot summer day’s mirage.
During this grace period, the UK drafted and passed its own Data Protection Act 2018 (DPA2018) that took effect on the same day as the European GDPR (May 25, 2018).
This law integrated parts of the GDPR into domestic law and also expanded it to sectors outside the scope of the EU law, such as law enforcement and the intelligence services.
It also formulated the role of the ICO (Information Commissioner’s Office) as its primary data protection authority by defining the agency’s functions and powers.
However, since the UK left the EU with a deal, this effectively changes key areas of UK data law, since the EU regulation (GDPR) after Brexit will no longer be applicable inside the United Kingdom.
GDPR/Brexit: Upon independence from the EU, the UK has adopted the same data regulations as before its exit.
This means several things:
We will look at the changes made to the legal landscape of UK data law, but first let’s remind ourselves of what the European General Data Protection Regulation (GDPR) is.
The European regulation known as GDPR (General Data Protection Regulation) is a law in all EU member states that governs the protection of personal data and the ways it is allowed to be collected and processed by websites, companies, organizations and more.
GDPR has extraterritorial scope, which means that no matter where in the world your company and website are located, they have to comply with the GDPR if they have visitors from inside the European Union.
GDPR sets up a data protection regime in the EU that requires companies and websites (known as “controllers” and “processors” in the law) to have a legal basis in order to process the personal data of individuals (“data subjects”) inside the EU.
The most common legal basis for processing is prior consent – this means that in order to collect and process personal data of an individual in the EU, websites must obtain their consent to do so before any collection or processing can take place.
The European Withdrawal Agreement that finally passed in Parliament on Friday December 20, 2019, includes specific provisions on the processing of personal data and the flow of information between the UK and EU.
In particular, Articles 70-73 of the Agreement state that the UK “shall ensure a level of protection of personal data essentially equivalent to that under [European] Union law.”
Ensuring an EU-equivalent level of personal data protection is very important for the UK, as it is the only way to be deemed adequate by the EU and thus ensure the free, uninhibited flow of data between the two.
Article 45 of the GDPR rules that “a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country (…) ensures an adequate level of protection.”
GDPR after Brexit is fortified in UK law upon Exit Day.
This adequacy decision must be achieved before December 31, 2020. If it is not, the UK will be classified as a third country by the EU under the GDPR.
This means that personal data transfers are only allowed if the controller or processor has provided safeguards and enforceable data subject rights (GDPR Article 46).
But changes are already happening, now that Brexit Day has come and passed.
Let’s have a look at them now.
The changes made to UK data law after Exit Day are all contained in the government’s Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, also known as the DPPEC regulations.
They took effect on January 31, 2020 in accordance with the now-passed EU Withdrawal Agreement.
The DPPEC regulations do two major things:
In order to keep the promise in the Withdrawal Agreement’s Articles 70-73, the UK has decided to create a whole “new” domestic law known as the UK-GDPR (United Kingdom General Data Protection Regulation).
The new UK-GDPR is essentially the same as the European GDPR.
It is literally made from the same law text as the EU GDPR but amended so as to substitute the parts of text that read EU and Union law with UK and domestic law.
The UK-GDPR merges the two pre-existing regimes for personal data protection – namely that established by the European GDPR and that established by the Data Protection Act 2018 (specifically the parts of that law known as the “applied GDPR”).
The DPA2018’s “applied GDPR” section is the one that extended the GDPR’s standards to areas that were out of scope of EU law and the GDPR, namely law enforcement, intelligence services and immigration (among others).
Brexit means GDPR will become domestic law in the UK after December 31, 2020.
But let’s be clear: there are more things that don’t change than do change after Brexit with GDPR.
The UK-GDPR after Brexit will be the same as the EU GDPR with slight changes, most of which are of a superficial nature.
The core provisions of the GDPR for which it has become known all over the world all remain the same under the new domestic UK-GDPR, including:
The changes made to the GDPR after Brexit in order to create the new domestic version are visible in the following Keeling Schedule, which is a document comprising all the changes of the DPPEC regulations made to the GDPR.
The new and amended Data Protection Act 2018 also took effect on Exit Day January 31, 2020.
The DPA2018 will no longer rely on the EU GDPR. It will instead refer to the new domestic UK-GDPR after Brexit.
This means that when the transition period ends on December 31, 2020, UK citizens will be protected by a comprehensive data protection regime that is made up of the UK-GDPR on the one hand that defines (just as the EU GDPR does today) what personal data is and how it is allowed to be processed, and the Data Protection Act 2018 on the other hand, supplementing the domestic GDPR and extending beyond it as well.
Here’s a short recap of what happened on Exit Day January 31, 2020:
According to the UK government, “no, or no significant, impact on the private, voluntary or public sector is foreseen” as a consequence of the changes made to UK data protection law.
GDPR after Brexit means both old and new, as the same things become different.
Now, with regards to the GDPR after Brexit in the EU – there are no changes.
If a website based in the UK has visitors from the EU, it still has to comply with the European GDPR after Brexit just as it did before.
That’s because the EU GDPR has extraterritorial scope and applies to any website, company or organization in the world that collects or processes data from inside Europe.
The biggest change here will be who is the supervisor and enforcer.
Since the EU GDPR won’t apply domestically to the UK after the transition period of Brexit, data law in the UK will not be supervised or enforced by the European Data Protection Board (EDPB), the main power of supervision and enforcement today.
Rather, it will be the Information Commissioner (ICO) that will supervise and enforce the domestic UK-GDPR and Data Protection Act 2018 on UK soil.
Since the European GDPR still applies to the UK for the entire transition period, no changes are due as to how you operate your website.
You still need the prior consent of your end-users before you are allowed to collect or process their personal data, e.g. with a cookie banner.
After the end of the transition period, when the EU GDPR no longer applies to the UK, the UK-GDPR and the DPA2018 will ensure the almost exact same protection and regulation of personal data, which means that after December 31, 2020, your website still needs to obtain the prior consent of your end-users.
Cookiebot scans your website and finds all cookies and similar tracking technologies, then blocks all of them except the strictly necessary (and therefore compliant) ones until the user has given their consent as to which they want to activate.
This way, your website can be sure to be in compliance with the requirements of obtaining prior consent from individuals, before collecting or processing their personal data.
Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.
In short, before Brexit, under Brexit and after Brexit, Cookiebot ensures your website’s full compliance with the EU GDPR and the UK-GDPR, as well as with the Data Protection Act 2018.