The UK is leaving the EU on January 31, 2020.
After its exit from the Union, the UK will no longer be regulated domestically by the European General Data Protection Regulation (GDPR).
Instead, the UK is passing its own version into law, known as the UK-GDPR (United Kingdom General Data Protection Regulation).
It will take effect on Exit Day January 31, 2020.
In this blogpost, we take a look at the “new” UK data law.
So, you might be wondering: are there two GDPRs now? What’s up with that?!
Well, the United Kingdom is leaving the European Union on January 31, 2020 and by that time, the Withdrawal Agreement passed in the Parliament in December 2019 will take effect and run until December 31, 2020.
After the Withdrawal Agreement ends, the UK will formally be independent from the EU and the EU’s General Data Protection Regulation (GDPR) that has governed the processing of personal data in all member states since May 2018 will cease to apply domestically in the UK.
To avoid being classified by the European Union as a third country (i.e. a nation with a less than adequate level of data protection that disqualifies it to enjoy free flow of data with the EU), the new UK-GDPR will take effect on Exit Day January 31, 2020.
The new UK-GDPR will then sit alongside the European GDPR, which will still apply just as before to the UK up until December 31, 2020.
All of this meaning that yes, there will be two GDPRs in effect that apply domestically to the UK in 2020, in addition to the Data Protection Act 2018, of which an amended version also takes effect January 31, 2020.
Let’s have a look at the substance and scope of the new UK-GDPR.
The United Kingdom General Data Protection Regulation (UK-GDPR) is essentially the same law as the European GDPR, only changed to accommodate domestic areas of law.
It was drafted from the EU GDPR law text and revised so as to read United Kingdom instead of Union and domestic law rather than EU law.
European data law will become domestic UK-GDPR on January 31, 2020.
This means that the core definitions and legal terminology now famous from the European GDPR, such as personal data and the rights of data subjects, controller and processor and their need for legal bases for processing like prior consent are all to be found in the UK-GDPR.
However, the UK-GDPR does expand on -and deviate from- the EU GDPR in significant ways that will make changes to the legal landscape of data protection in the UK.
These changes are found in the UK government’s Data Protection, Privacy and Electronic Communications (EU Exit) Regulation (DPPEC regulation).
This regulation changes and shapes the European GDPR into the domestic UK-GDPR, as well as revising the Data Protection Act 2018.
A Keeling Schedule is an unofficial document highlighting what has been changed in legislation. It is very helpful for getting a precise picture of how Britain is amending the European GDPR into the UK-GDPR – where it deviates and where it stays the same.
The areas expanded on by the UK-GDPR are:
These areas are per definition outside the scope of the European GDPR, since it is an extra-national regulation from the EU without powers to govern matters of national security in member states.
However, the UK-GDPR sets out certain exceptions by which the regular protection of personal data can be bypassed, e.g. when in matters of national security or in matters of immigration. It also applies the same requirements for collection and processing of personal data to the intelligence services.
Another big change in the UK-GDPR is that the Information Commissioner, the leading data protection authority in the UK today, will become the leading supervisor, regulator and enforcer of the UK-GDPR.
The “Commissioner”, as the ICO is known in the new UK-GDPR, will have all responsibility of enforcement.
It means that where before under EU GDPR, the European Data Protection Board would have been the highest supervisory authority, the ICO now takes over all matters relating to regulation and enforcement of the UK-GDPR.
Additionally, the Secretary of State is being endowed with powers to determine or revoke adequacy decisions on behalf of the UK-GDPR.
In fact, the Secretary can make these decisions without the consultation of the ICO.
Because of the extraterritorial scope of the UK-GDPR, any website or company in the world that collects or processes the personal data of individuals inside the UK, are bound to comply with the UK-GDPR.
This also means that e.g. EU companies offering services in the UK need to appoint a representative, as has been the case in reverse from the European GPDR.
A representative is defined in the UK-GDPR as “a natural or legal person established in the United Kingdom who represents the controller or processor.”
Furthermore, when taking effect on Exit Day January 31, 2020, the UK-GDPR will automatically recognize all EU countries as adequate, along with recognizing all existing EU adequacy decisions as UK adequate as well (e.g. the US Privacy Shield).
And lastly, a notable difference from the European GDPR to the new domestic UK-GDPR is that the age of valid consent is lowered to 13 years in the UK (16 years in the EU).
Okay, so what does this mean for your company in the UK, or your website in the EU offering services to and collecting personal data of individuals in the United Kingdom?
Well, it means that leaving the European Union does not mean that you will see a lessening of requirements as to how you process personal data.
In fact, the global standard set by the European GDPR is now literally becoming the domestic standard of the United Kingdom. Protecting the privacy and personal data of your end-users and customers is the new law of the land.
It means that you will need to meet the same high GDPR standards as before, only these will be enforced by the ICO in UK and are subject to their audits.
Cookiebot offers the leading consent management solution on the market today. We have built our patent-pending technology on the basis of the GDPR even before it became European law, and much before it would eventually seep into domestic British law.
Cookiebot scans your website and finds all cookies and similar trackers, then blocks everything until the end-users have given their consent to which data they will allow to be collected on your platform.
Today, Cookiebot ensures complete compliance with the European GDPR, just as we will with the UK-GDPR, once the UK has conclusively left the Union December 31, 2020.