Given that the Conservatives are forming a majority Government for the next five years, it is clear that the UK will leave the European Union and implement an expected New Withdrawal Agreement by January 31st 2020. This means Exit Day is January 31st 2020, and the “Data Protection, Privacy and Electronic Communications (EU Exit) Regulations” SI 419/2019 will come into effect.
Note added in Feb 2020: when I wrote the blog, there was no finalised New Withdrawal Agreement between the EU and UK Government. Because of this Agreement, Exit Day remains January 31st but the impact of SI 419/2019 is postponed until when the Agreement ends (expected end of December this year). It also means that the transfer of personal data issues relating to "hard Brexit" are postponed to when the New Withdrawal Agreement ends.
These Regulations redefine the General Data Protection Regulation (GDPR) as the “EU_GDPR” and generate a “UK_GDPR” by making hundreds of changes to the “EU_GDPR” text. To accommodate the reference to the new “UK_GDPR”, hundreds of changes are also made to the Data Protection Act 2018 (“DPA2018”). Fortunately, the Government has made available a “Keeling Schedule” for both the UK_GDPR and the DPA2018.
A Keeling Schedule is an unofficial document which identifies the amendments made by legislation that modifies legislation; the two Keeling Schedules (one each for the UK_GDPR and DPA2018) each show, in a single consolidated text, where the text of the GDPR and DPA2018 legislation has been deleted, changed or amended.
In other words, the Keeling Schedule for the UK_GDPR and revised DPA2018 will become the main text which you should use (see references below); your New Year’s resolution is to familiarise yourself with these Keeling texts. We will be using this revised text in all our DP courses.
These Keeling Schedules will be the main texts you are likely to use until the Government moves a Data Protection Consolidation Act. (A Consolidation Act brings together a number of existing pieces of legislation on the same subject into one consolidated Act of Parliament without changing the law in any way; it is a Parliamentary device used to tidy up areas of statute law that have become fragmented over time.)
In summary, the Regulations preserve all GDPR standards in domestic law via the UK_GDPR. In relation to transfers of personal data to and from the UK, the UK_GDPR and revised DPA2018:
- recognises all EEA/EU countries (and Gibraltar) as ‘adequate’;
- preserves all existing EU adequacy decisions (e.g. Privacy Shield);
- recognises EU Standard Contractual Clauses as valid for transfers and gives the ICO or the Secretary of State the power to issue contract clauses;
- recognises all Binding Corporate Rules authorised before Exit Day;
- gives powers to the Secretary of State to determine or revoke adequacy (via negative resolution with no input from the ICO);
- introduces extraterritoriality into the UK data protection framework (e.g. EU controllers offering services into the UK need to appoint a representative – and vice-versa);
- removes the “Applied GDPR” in favour of the “UK_GDPR” (this is important for FOI Public Authorities as the DP/FOI/FOISA and DP/EIR/EIRS documentation that refers to the “Applied GDPR” will need to be revised).
However, it is clear that, in future, the UK_GDPR can diverge quite significantly from the EU_GDPR. This divergence is via the powers in the European Union (Withdrawal) Act 2017.
I finish this blog with the relevant part of the Conservative Manifesto which now becomes a focus of its legislative program. The Manifesto points to:
- modifying the Human Rights Act: “We will update the Human Rights Act and administrative law to ensure that there is a proper balance between the rights of individuals, our vital national security and effective government”. This could impact on the application of Article 8 cases by the Courts as appeal to the European Court of Human Rights might not be available.
- restricting Judicial Review: “We will ensure that judicial review is available to protect the rights of the individuals against an overbearing state, while ensuring that it is not abused to conduct politics by another means or to create needless delays.” This could limit appeals taken by Privacy NGOs in future (like those taken already against the security services (bulk personal data collection) and the Home Office (immigration exemption)).
- ditching any remnant of the Leveson inquiry: “We will not proceed with the second stage of the Leveson Inquiry”.
Finally, can I wish readers a good end of year celebration and a Happy New Year.
New Year Data Protection Courses (in London); updated for the UK_GDPR
All courses lead to the relevant BCS qualification:
- Data Protection Practitioner: January 14-16, 28-30 (6 days)
- Data Protection Foundation: February 11-13 (3 days)
- Data Protection Upgrade Practitioner: February 19-20 (2 days)
- Data Protection Practitioner: February 25-27, March 10-12 (6 days)
Full details on www.amberhawk.com or by emailing [email protected]
References
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 No. 419: https://www.legislation.gov.uk/uksi/2019/419/contents/made
Keeling schedules for the DPA2018 and the UK_GDPR: https://www.gov.uk/government/publications/data-protection-law-eu-exit