The UK, the European Union (EU), and the European Atomic Energy Community signed the Brexit Withdrawal Agreement on January 24, 2020 (Withdrawal Agreement) which took place on January 31, 2020. Thereafter the transition period has been implemented till December 31, 2020. During such a transition period or implementation period, the UK will continue to follow the EU laws, however, they will not have any voting rights in any matters of the European Union. The authorities at both the ends will continue to negotiate during this period in order to arrive at a “deal”.
During the transition period, if the companies in the UK are GDPR compliant, no further steps are required to be taken as of now. However, after the transition period, i.e. from January 1, 2021, the UK will be seen as a ‘third country’ for the purpose of GDPR and shall accordingly go under stricter scrutiny with respect to the data protection norms.
As per the withdrawal agreement, in order to ensure the uninterrupted and free flow of data transfer, the ‘adequacy decision’ will be taken by the EC by the end of the transition period. As per Article 45 of the GDPR, personal data may be transferred to third countries where there is an adequate level of protection in such a third country which is adjudged by taking into account the rule of law, fundamental freedoms, the existence of independent authorities, international commitments, etc. If the negotiations ultimately lead to a “deal”, ‘adequate’ status is likely to follow.
In the absence of meeting the requirement of ‘adequacy’ under the GDPR, the data controller, in order to transfer data from EU to the UK, must comply with Article 46 and Article 47 of the GDPR, which state the safeguards and corporate rules that must be in place. The list of recognized countries has been placed on the EC’s website, which includes Japan, Canada, New Zealand, Argentina, Israel, Switzerland, among others. Although it is unlikely that the UK will not be seen as an ‘adequate’ country considering the UK’s role in the drafting of GDPR. Currently, the UK has a Data Protection Act, 2018 in place, and has stated recently that while there will be no immediate change in the data protection law, it will incorporate GDPR alongside the European Union (Withdrawal) Act, 2018.
Further, another matter of consideration is the data protection arrangement with the United States under the EU-US Privacy Shield Framework, under which, if the organizations from the US self-certify to comply, data is allowed to transfer freely. Post the transition period of Brexit, the UK will also have to rework its arrangements with the US.
While the UK has been one of the key framers of the GDPR, it is known to have a strong interpretation of a crave out for the purposes of national security which does not necessarily align with the Article the European Convention on Human Rights. In 2014, the European Court of Justice rendered a Data Retention Directive to be unconstitutional on the grounds of not meeting the test of proportionality. Further, the Data Retention and Investigatory Powers Act, 2014, and the Investigatory Powers Act, 2016 have been heavily criticized by the European Union Court as well as the courts in the UK including the British Investigatory Powers Tribunal.
Commentaires