Brexit and data protection. A regulatory framework with implications for the financial sector finally revealed.
Brexit and data protection are two separate topics. Nevertheless, the discussion surrounding Brexit’s implications for data protection echoed in the regulated sector for quite a while. The uncertainty of the UK’s divorce from the EU has finally ended, and here we have the long-awaited Brexit. But is the uncertainty really over, and is navigating the regulatory landscape finally straightforward once again?
If you work in compliance or legal practice, you already know that it is not, even now. Just try visiting legislation.gov.uk and opening the latest consolidated version of any legislative act: you will get a notice (as in the screenshot below) stating that “Due to a high volume of changes being made to legislation for EU exit, we have not been able to research and record them all.”
Amazing, right? The government itself cannot keep up with all of the changes, but it still expects you to. Knowing about and accounting for Brexit’s legal implications is especially important for participants in the financial services sector. One of the important changes that came into force and affects all payment service providers (PSPs) offering their services on a cross-border basis relates to data protection. Specifically, it is essential to consider how Brexit and data protection interrelate and what must be done to remain compliant.
Brexit has changed the data protection rules not only for firms that operate from within the UK and process the personal data of EU data subjects, but also for those that operate from within the EU and process the personal data of UK data subjects. However, how can you stay on top of all recent developments and comply with your obligations if the government itself cannot consistently outline them?
Moreover, there are some contradictory statements even at the EU level (explained further on in this article). Thankfully, you’re in the right place and PSP Lab has got you covered. In this article, we outline what is essential to consider as a consequence of the changes to the data protection framework brought in by the UK’s departure from the EU.
Data protection framework before Brexit
It is no secret that before Brexit, data protection rules were established for all EU member states at a supranational level and codified in the General Data Protection Regulation (GDPR). Let’s go through the main topics covered by the GDPR, so that we can then see what is different in the UK data protection framework in the post-EU era. The main areas covered by the GDPR are:
- Data protection principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, accountability);
- Lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests);
- International transfers of data (adequacy decisions, appropriate safeguards);
- Rights of data subjects (right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, rights related to automated decision making);
- Accountability and governance (data protection by design and by default, DPIAs, policies and procedures, records of processing activities, DPOs);
- Security (encryption, access controls, use of data);
- Personal data breaches (timelines for reporting, when and who must be notified);
- Remedies, liability and penalties;
- Cooperation of national data protection authorities.
Only minor clarifications on certain points left to the discretion of the member states could be found in national legislation. In the UK, the GDPR was accompanied by the Data Protection Act 2018 (DPA), which tailored the GDPR to the national legal framework and provided rules on topics such as the functions and powers of the Information Commissioner, certain exemptions (such as the one preventing a firm from tipping off a person when responding to a data subject access request), the age at which a child can give consent, the exercise of data subjects’ rights, the rights and obligations of public authorities, etc.
Together, the GDPR and the DPA formed a unified framework governing data protection in the UK, with the latter read subject to the rules contained in the former.
Brexit and data protection
After Brexit, the GDPR lost its direct applicability in the UK, and hence UK-based controllers/processors are no longer subject to the GDPR per se. However, let’s not forget the extraterritorial reach of the GDPR. Plainly speaking, it applies to controllers/processors located outside the EU when they offer goods or services to, or monitor the behaviour of, data subjects in the EU. In this regard, it is important to note that you must still follow the GDPR post-Brexit if you have clients based in the EU.
In addition, if you have no establishment in the EU, you will need to designate a representative established in one of the EU member states under Article 27 of the GDPR. This requirement arises from the change of the UK’s status to that of a third country and from the ICO no longer satisfying the definition of “supervisory authority” in the GDPR. For the same reason, the One-Stop-Shop (OSS) mechanism, under which a single lead supervisory authority handles cross-border processing, is no longer available to UK firms through the ICO: it only benefits controllers/processors with an establishment in the EU, and appointing a representative does not by itself trigger it.
Moreover, at the national level in the UK, thanks to the European Union (Withdrawal) Act 2018 (EUWA) and the retention of directly applicable EU legislation as domestic law, we now have the UK GDPR, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPECR).
The UK GDPR contains mostly the same rules as the GDPR (as briefly discussed above), with minor amendments such as restricting its scope solely to the UK. In general, it mimics the provisions of the GDPR and even recognises from the outset the adequacy of the EU legal framework, EU institutions and agencies, and the adequacy decisions for third countries made by the European Commission (so much for independent decision making…).
Furthermore, the DPPECR amended the DPA to reflect the changes to the scope of the UK GDPR. In short, if your firm was compliant with the GDPR before Brexit, you will remain compliant. Even the standard contractual clauses adopted by the Commission (which, two and a half years after the GDPR started to apply, still refer to the old directive repealed by the GDPR) are recognised as appropriate safeguards for international transfers to third countries by UK controllers/processors.
Overall, the same rules apply vice versa to EU-based controllers/processors: if they process the data of UK data subjects, they must comply with the UK GDPR, which, as explained above, imposes mostly the same obligations, only emanating from a different legal order. Therefore, the changes Brexit brought to the data protection framework created a duality of largely identical obligations applying in different instances.
So, did Brexit change the data protection framework?
As can be seen from the above, the UK data protection framework did not change drastically at the national level because of Brexit. However, for firms that process the data of EU-based data subjects or transfer such data across borders, Brexit resulted in higher compliance costs. Controllers/processors processing the data of both UK and EU data subjects must now ensure that they comply with both the GDPR and the UK GDPR, which, although they impose mostly the same obligations, are two distinct frameworks established within two different legal orders.
Notably, as of the beginning of January 2021, there is no reciprocal adequacy decision by the Commission in favour of the UK equivalent to the one the DPPECR grants to the EU. The Commission is currently assessing the UK’s compliance with EU standards and legislation, and this process will take some time (which sounds odd when you consider that the UK literally transposed EU legislation into its national framework with minor twists and even kept references to EU bodies, decisions, etc.).
The good news, however, is that, regardless of Brexit, data protection considerations for transfers from the EU to the UK will not change for an interim period of up to six months while the adequacy decision is being contemplated. Controversially, the European Data Protection Board (EDPB) has already expressed concerns that the UK data protection framework may diverge from that of the EU and hence may not be considered adequate, mainly because of onward transfers of data from the UK to the USA. This raises the possibility that something similar to Schrems II (which invalidated the EU-US Privacy Shield) may happen with the UK, and that even if adequacy is granted, it may be lost at any time.
Brexit and data protection implications for the financial sector
Even though Brexit and data protection are two separate topics, the former significantly affects the latter. The implication of Brexit for the financial sector in terms of data protection (whether in the UK or the EU) is quite simply the requirement to comply with mirrored legislation and obligations emanating from different legal orders. Controllers/processors from the EU must comply with the data protection rules of the UK, while the relevant UK controllers/processors must comply with the rules of the EU.
This creates a duality that calls for specifically tailored measures, such as separate privacy notices, dual mechanisms for data transfers, and appointed representatives in the UK or the EU depending on where the controller/processor is located. If you are still unsure about your obligations, I strongly advise you to contact us, and we will gladly assist you with questions related to your data protection obligations.