Following the UK leaving the EU and now concluding a trade agreement with it, there are some changes to data protection law applicable in the UK.
What is the data protection law that will be applied in the UK from 1 January 2021?
The main source of data protection law is now the 'UK GDPR'. This is a version of the GDPR preserved by and given effect under s. 3 of the European Union (Withdrawal) Act 2018, and which takes in amendments set out in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Most of the content from the GDPR, and therefore obligations on data controllers, remain unchanged.
These Regulations also amend the Data Protection Act 2018, which (as before) covers:
- data protection law for circumstances outside the scope of GDPR;
- puts 'gloss' on certain provisions of the GDPR (for instance exemptions from subject access rights, etc.); and
- provides for the powers of the ICO, addresses enforcement of legal rights, and creates offences.
The government has published a copy of the 'UK GDPR' as a Keeling Schedule (that is, showing the changes in track from the original GDPR), here.
International data transfers
The terms of the Free Trade Agreement between the UK and EU also include interim arrangements that allow for data to be transferred from the EU to the UK without further measures in place for (at a minimum) the next four months - see article finprov.10a. A copy of the FTA is published here. A 'data protection adequacy' decision for the UK is envisaged by the FTA in due course, and the FTA and accompanying documents contain a number of other provisions addressing data protection issues.
For the time being, it therefore is not necessary to use the standard contractual clauses (or other safeguards under Chapter V of the GDPR) to cover EU to UK data flows. The UK had previously said that it is happy for personal data to continue to flow to the EU without further safeguards in any event. For data flows to non-EU, non adequate countries, the existing (EU) standard contractual clauses can still be used.
What's the ICO's position?
The ICO have put out a position statement here and plan to amend their guidance in due course.
For advice on data protection issues please let us know.