The UK is a major data hub accounting for 11.5% of global cross-border data flows compared to its 0.9 per cent of the global population. Within Northern Ireland, the tech sector is flourishing thanks to its highly experienced workforce and cost-competitive location. The smooth transfer of data between the EU and the UK is vital for businesses on both sides. Indeed, this may affect the tech sector more than the transfer of goods that has received the majority of the media's attention throughout the Brexit process. This article will review what the position is for the tech sector in Northern Ireland and the rest of the UK post-Brexit in respect of data protection.
During the Transition Period most EU law, including the General Data Protection Regulation ("GDPR"), continued to apply to the UK. However, since Brexit completed on 31 December 2020, EU Regulations are no longer directly effective in the UK. Anyone hoping that this will bring us back to pre-GDPR times will be disappointed. The UK continues to be subject to strict data protection legislation. The regulatory position has actually become more complex post-Brexit.
GDPR now forms part of a new body of retained EU law converted by the European Union (Withdrawal) Act 2018. The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 have amended both GDPR and the Data Protection Act 2018 to make the necessary changes to reflect that the UK is no longer a member of the European Union.
This has effectively created a new UK GDPR which applies in the UK. However, it is worth remembering that the old GDPR (EU GDPR) still applies in the EU and has an extraterritorial effect. Therefore, UK businesses that have an establishment in the EU offer goods or services to data subjects in the EU, or monitor their behaviour as far as it takes place within the EU will now find themselves subject to dual data protection regulatory regimes under UK GDPR and EU GDPR.
In most instances, the UK GDPR is identical to the EU GDPR, but some changes have been made. However, there are a number of changes that businesses should be aware of.
International Data Transfers
The UK is no longer bound by adequacy decisions made by the EU, meaning that the UK will have the power to decide for itself what countries provide an adequate level of protection for data subjects. Currently, the UK has chosen to follow the lead of the EU in this respect, but we could see a divergence in the future.
This also means that the UK will now need an adequacy decision from the EU to allow transfers of data from the EU to the UK to continue in the way that they did while the UK was a member state of the EU. While it is hoped that this adequacy decision will be confirmed, it is not yet in place. The Brexit deal has put in place a four-month bridging mechanism which can be extended by two months unless one of the parties objects, or, if earlier until there is an adequacy finding for the UK. Therefore, far from being an all-encompassing deal, for the purposes of data protection at least, it is essentially yet another deal to agree a deal in the future.
Until we have this adequacy decision there is a degree of uncertainty for businesses. It also creates on-going uncertainty as either the UK or the EU could revoke its adequacy decision at any time. In the absence of an adequacy decision data controllers would need another lawful basis to transfer the personal data. This could include adopting contracts with standard contractual clauses or obtaining the specific and informed consent of the data subject (which could be revoked at any time).
Another notable change is the requirement for certain UK controllers and processors to appoint representatives. Where a UK based organisation (other than public sector) offers goods or services or monitors data subjects' behaviour in the EU other than occasional processing that does not include sensitive special category data, it is required to appoint an EU representative. This will likely involve setting up a group company in the EU or appointing a professional organisation to provide this service.
The same requirement applies for EU based organisations to appoint UK representatives and these requirements will continue to apply indefinitely whether or not there is an adequacy decision. This may be another aspect of Brexit which will harm small businesses, which are less able to comply with this legal burden than larger corporate entities that likely already have offices either side of the EU border. This will also particularly affect businesses in Northern Ireland where cross border data processing of customers based in the Republic of Ireland is inevitable for many businesses. Northern Ireland will remain fully part of the UK's data protection regime and the Northern Ireland Protocol, which is largely concerned with physical goods, does not affect this.
What should businesses in Northern Ireland do?
Businesses should review what data they process and the extent to which they may remain subject to the EU GDPR as well as the UK GDPR. While businesses can continue to transfer data to and from the EU in much the same way they did prior to Brexit, there is a potential that this could suddenly change as the UK will require an adequacy decision that could be revoked at any time. Therefore, businesses should consider the extent to which data is transferred outside of the UK at all and not just outside of the EU. Preparatory work can be done now to ensure that businesses can plan for what they would do if international transfers of data to and/or from the EU became more difficult.
Businesses should review their contracts, policies, procedures and impact assessments on data protection to ensure that they have the correct legislative references and consider any necessary changes. Businesses should ensure that they have a European representative if they are required to have one and that details of this are included in the relevant privacy notices.
As far as possible, the UK is trying to maintain the status quo in relation to data protection. However, already it seems an unavoidable consequence of Brexit that data protection compliance is more complicated for businesses than it was before (and it was not simple to begin with). In the future we may see divergence in this and other areas, but for now, it seems, in the short term at least, that the UK will be unlikely to what to change anything. The tech sector has been highlighting the importance of an agreement on data for some time and will hope that the UK and EU use the bridging period to finalise the necessary arrangements and give businesses some clarity on this issue at least. However, given how previous agreements have come at the last minute, businesses would be best advised to prepare now.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. For advice or information, please contact our Data Protection team at Cleaver Fulton Rankin.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.