Many companies have taken advantage of free movement between member states to enhance their business and grow their customer base. However, from 1st January 2021, as the UK leaves the EU, certain issues remain regarding the EU’s General Data Protection Regulation, otherwise known as the GDPR. The UK played a significant role in the development of the GDPR, which was implemented in the EU in May 2018. Its function is to protect people’s personal data within the EU and the European Economic Area (EEA), as well as to govern transfers of data elsewhere in the world.
The GDPR has remained in effect during the transition period out of the EU and will be preserved in national law post-Brexit, branded as the UK GDPR. As most larger companies have offices or branches in EU countries, minimal changes will apply to them, as it is likely that they have a department to manage all GDPR-related matters. For smaller companies that continue to handle the personal data of EU and EEA nationals, it is important to appoint someone based in the EU to handle GDPR-related matters. This is necessitated by Article 27 of the GDPR, which mandates that all companies with an EU clientele have a GDPR representative in the EU. The same principle applies to EU companies that transfer personal data to the UK. The Information Commissioner’s Office (ICO) will remain the supervisory authority for UK data protection legislation; however, it will no longer fill that role on behalf of the EU. This is another reason why businesses should have an EU representative to oversee GDPR-related matters.
The GDPR is accompanied by the Privacy and Electronic Communications Regulations (PECR), which set out the rules covering matters such as marketing communications, website cookies and customer data. The PECR, which was derived from the EU’s ePrivacy Directive, will remain in effect during the transition period and post-Brexit, as it is national law. The PECR affects both UK and non-UK website owners, as it covers websites hosted outside the UK by a UK owner as well as non-UK owners with UK users. The EU ePrivacy Directive is set to be replaced by an ePrivacy Regulation, and a decision has yet to be made on whether the UK will adopt the new regulation as domestic law.
Furthermore, the UK will be deemed a ‘third country’ to Europe, which means data transfers from the EEA to the UK will be subject to restrictions unless we are granted ‘adequacy’ status by the European Commission. In the event the European Commission does not make an adequacy decision prior to 31st December 2020, it is important that businesses take the necessary steps to ensure they have data transfer solutions for importing data as well as for exporting data. On 6th October 2020, the Court of Justice of the European Union made a ruling finding issues with the UK’s Security and Intelligence Agencies collecting mass communications data, including for national security purposes, as it is fundamentally incompatible with EU principles. This casts further doubt on whether an adequacy decision will be made in the near future. An effective way to prepare, from a business perspective, is by incorporating Standard Contractual Clauses into contracts. The European Commission has published proposed Standard Contractual Clauses, which companies may find helpful.
For detailed advice concerning GDPR policies and all related matters, call John Szepietowski at Audley Chaucer Solicitors on 01372 30344.