The GDPR will apply to the UK when it is effective on May 25, 2018, but the government will need to adopt domestic data privacy legislation upon the UK’s pending exit from the EU.
The United Kingdom’s data protection laws are derived from European Union legislation such as the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations, which implement European Directives. The EU’s new General Data Protection Regulation (GDPR), which will replace the DPA, will be in force on May 25, 2018. The GDPR will be effective in the UK immediately on this date, without any further UK laws being required. The UK government will need to enact domestic data privacy legislation to replace the GDPR when the UK exits the EU. The UK’s data protection authority, the Information Commissioner’s Office, has already advised the government that UK data protection standards will need to be equivalent to those in the GDPR if the UK wishes to trade with the European single market post-Brexit.
The GDPR has extraterritorial effect, in contrast to the current data protection directive. The GDPR applies to
The extraterritorial scope of the GDPR represents a significant expansion of EU data protection obligations to cover all processing activities relating to EU-based data subjects.
Most UK businesses will almost certainly need to transfer personal data to Europe and also to other countries outside the EU such as the United States. Currently, while the UK remains part of the EU, there are restrictions against transferring personal data outside the EU without the consent of the individual other than to certain “adequate” countries such as Canada or Switzerland, or unless the business has in place a legally permissible mechanism, such as model clauses or binding corporate rules.
When the UK exits from the EU—following up to two years of negotiations after the formal trigger of the exit procedure, which is now set to take place on March 29, 2017—the GDPR will continue to apply to a UK organization only to the extent that it falls within the extraterritorial scope summarized above. For purely UK processing activities relating to UK individuals, the GDPR will no longer apply, although it is highly likely that the UK will have a replacement data protection law at that stage for domestic processing activities. Therefore, the government will most likely need to pass UK data privacy legislation in place of the GDPR for UK data processing and, perhaps, processing of personal data of UK citizens by non–UK-based organizations. The scope and stringency of this new legislation will be critical to whether the UK is still deemed to have “adequate” data privacy standards when it leaves the EU. This is, of course, relevant to whether data transfers to the UK from the remaining EU member states are restricted or whether they are permissible without further obligations imposed by those EU-based data exporters.
Where the GDPR applies to the processing of personal data, a UK company should conduct an initial assessment as to whether it (or any of its affiliates) is acting as a data controller or a data processor in these processing activities. Different obligations will apply depending on the UK company’s role.
The data controller is ultimately responsible for compliance with the data protection principles, which state that personal data must be
Personal data is lawfully processed if the data subject has consented to the processing or a permitted derogation applies such as legal or contractual necessity. Further, there are strict conditions imposed on whether consent is validly obtained by the data controller.
The data controller must provide a privacy notice to data subjects regarding the processing of their personal data. The privacy notice must be provided at the time of collection of the personal data or, if it was collected via a third party, within a reasonable period of being collected. The privacy notice must be concise, transparent, intelligible, and easily accessible; written in clear and plain language; and provided free of charge. Ensuring that their privacy notices comply with the GDPR will likely be a complex process for many organizations.
There are also direct obligations on data processors under the GDPR (unlike the current DPA) regarding
The DPA does not have a mandatory data breach reporting obligation. The GDPR, however, does include a mandatory obligation to notify, without undue delay, the data protection authority within 72 hours of an organization’s becoming aware of a breach and, in certain circumstances, the individuals affected by the breach. The government will therefore need to decide if it will include a data breach notification obligation in the new UK data privacy legislation, either similar to the stringent GDPR requirement or as an alternate obligation, perhaps one with a longer notification period or that is triggered for significant data breaches only, which may be more pragmatic and more suited to the UK’s approach of business-friendly legal requirements.
Organizations can consider taking steps such as the following to prepare for the GDPR:
Although the UK was one of the dissenting voices in negotiations about the GDPR and was particularly vocal about its onerous impact on UK businesses, it seems unlikely that the UK will now reduce the extent of data protection obligations on UK businesses after it exits from the EU. To do so would necessarily reduce the current level of data privacy protections afforded to individuals.
The UK government will need to decide if it will retain the same restrictions for cross-border transfers or adopt an alternative solution. The EU-US Privacy Shield will no longer apply to the UK post-Brexit, nor will the protections afforded to EU citizens under the Umbrella Agreement or the Judicial Redress Act to enforce privacy breaches in US courts. The UK will need to decide if it will adopt a similar model to the Privacy Shield for data transfers from the UK to the United States if the current restriction on such data transfers is retained.
Additionally, the UK is likely to apply to the European Commission for a decision of “adequacy” allowing European countries to transfer personal data to the UK without restrictions. Obtaining an “adequacy” decision of course depends on whether the government has passed laws that are materially similar to the GDPR.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: