Recent news that Google is moving its UK accounts from its current EU jurisdiction in Ireland to the USA has caused concern amongst users who fear they will lose the protection of the EU’s General Data Protection Regulation (GDPR). Are the concerns justified, and what does “data protection” mean in general for post-Brexit Britain?
Data transfers under GDPR for EU countries
GDPR sets high standards to protect personal data and privacy and it is being vigorously enforced; GDPR also restricts the transfer of personal data outside the EEA. Personal data may only be transferred to a third country or an international organisation if the European Commission approves that country or organisation as safe, if the data controller or processor has provided appropriate safeguards, and if enforceable rights and effective legal remedies are available for data subjects.
Data transfers from the EU to the US have been a longstanding controversial topic. There have been various framework agreements, but some were revoked or amended, and the adequacy of US protection continues to be challenged by numerous privacy advocacy groups.
Data protection post-Brexit
On Brexit day (31 January 2020) the European Union (Withdrawal Agreement) Act 2020 converted most EU law into UK law, including the GDPR. The Data Protection Act 2018 continues to implement the GDPR requirements and standards, and the two pieces of legislation must be read together. GDPR will continue to apply in its current form until the end of the transition period (31 December 2020), and the UK is still treated as if it was an EU member state for data protection purposes.
Once the transition period expires, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI: 2019/419) (DP Brexit Regulations) will take effect. The DP Brexit Regulations will introduce a new UK GDPR, whilst the current GDPR will be known as the EU GDPR in the UK. EU and UK organisations that provide services or offer goods to UK customers will be subject to the UK GDPR, and organisations that deal with EU customers will be subject to the EU GDPR. That means that businesses with EU and UK customers will have to apply the two legal frameworks in parallel.
The UK GDPR will replicate many features of the EU GDPR, but the UK will be in a position to amend the GDPR provisions, carve out specific exemptions or introduce new provisions as with any domestic law. For example, the UK can change how personal data is processed by law enforcement authorities and intelligence services.
After the transition period expires, the UK will become a third country for the purposes of data protection and will no longer be subject to the EU’s data transfer restrictions as set out above. For instance, the DP Brexit Regulations give new powers to the UK to determine whether a third country or international organisation provides adequate levels of protection of personal data – powers previously reserved for EU bodies. That means that the UK can potentially allow data transfers to countries that would be seen as inadequate by the EU. However, if the UK itself wants to be recognised as adequate, it needs to evaluate any changes very carefully and avoid controversial deviations from EU standards.
The European Commission can examine and decide if a non-EU country is adequate for data protection purposes. It is currently in the process of examining if the UK is adequate and aims to conclude the examination by the end of 2020 to coincide with the end of the Brexit transition period. The EU has already expressed concerns about the UK’s use of mass surveillance techniques, and it is unclear what its adequacy decision will be.
If the UK is found to be adequate: this would mean business as usual and the least disruption for the international flow of personal data. Not only would the current data flow from and to the EU continue, but data flow from the rest of the world to the UK would be secured, too.
If the UK is not recognised as adequate: this would have immediate implications for both UK and EU businesses. The flow of personal data from the EU to the UK would stop in its current format. Data flow from other non-EU countries would be subject to the individual country’s assessment and might also be disrupted. The UK would need to assess and set up a new framework for data flow to the EU as well as to the rest of the world.
If no adequacy decision is made by the end of the transition period, UK and EU businesses will need to make adjustments. EU businesses will need to implement “safeguards” for dealing with UK customers, which could be as simple as introducing new EU standard contractual clauses for data protection; UK businesses will need to implement the new requirements in the UK GDPR and similarly make adjustments.
It is too early to judge the UK’s post-Brexit data protection regime, as too many factors are still outstanding. The UK will be free to adopt new provisions in terms of mass surveillance and law enforcement, but these provisions have not yet been drafted. On the other hand, the UK will also be able to adopt improvements as it sees fit, which could theoretically result in more stringent data protection. Any amendments to the UK’s current data protection laws will need to be carefully evaluated in light of the EU’s pending decision over the UK’s adequacy. The one thing that is clear is that there will be more, not less, red tape for businesses which deal with UK as well as EU customers, as they will have to comply with two different sets of regulations.
Google’s move of UK user accounts from EU jurisdiction in Ireland to the US creates a risk that access to personal data by authorities is facilitated. This is not possible under EU legislation. However it is worth noting that if Google had chosen to move the data from Ireland to the UK itself, similar risks might arise under the new UK regime.
If you are concerned about data protection or how your business will need to adjust to pending legislative changes, please do get in touch.