GDPR in a Post-Brexit Era: Some New Challenges?
The General Data Protection Regulation (GDPR) came into full operation on 25 May 2018 and was described by the Information Commissioner's Office (ICO) as the "new normal". However, the "new normal" expires on Brexit day when the UK moves to a separate data protection regime known as applied GDPR.
The UK Data Protection Act 2018 (DPA) created the applied GDPR by amending GDPR in a way that creates a similar, but standalone, regime for the UK. The DPA (Schedule 6) offers a series of modifications showing how applied GDPR alters GDPR. There are a range of possible new compliance challenges facing UK businesses and other organisations post-Brexit, some of which are explored below.
Double exposure?
GDPR introduced higher penalties and regulatory sanctions. GDPR and applied GDPR both give data subjects a right to claim compensation from data controllers and processors whose breach results in "material or non-material damage" (eg financial loss or distress).
Post-Brexit, many UK organisations may remain within the scope of GDPR due to the nature of their personal data processing operations, and will also be subject to the regime established by the DPA. Consequently, a data breach might well fall within the regulatory reach of both the ICO and an EU member state regulator. It is possible that the ICO could work together with EU regulators to avoid double exposure. While GDPR Article 50 requires the EU Commission and data protection regulators to cooperate with third countries, it does not preclude parallel enforcement proceedings. Indeed, both GDPR and applied GDPR emphasise not only the data subject's right to effective regulatory and judicial remedies, but also the right to pursue remedies in the way most convenient to the data subject. Double exposure therefore represents a real risk.
Recovery of compensation
Under each regime, the data subject can seek compensation from the "closest, deepest pockets", leaving it to the controllers and processors to adjust liability amongst themselves. The separation of GDPR and applied GDPR may potentially undermine that adjustment mechanism.
Adjustment relates only to "full compensation" paid under the specific regime (GDPR or applied GDPR). Duplication of proceedings and complexity in attributing damage to the correct regime might well continue beyond the initial claim and into the process of adjustment between controllers and processors.
The adjustment mechanism under each regime allows the controller or processor who has paid "full compensation" to recover an appropriate proportion from the others involved. It is arguable that "full compensation" is considered to have been paid only following an award made by the court, whereas an out-of-court settlement between the parties may or may not amount to "full compensation". Parties may therefore be discouraged from settling compensation claims if doing so would jeopardise their ability to recover from the other controllers and processors involved.
International transfers of personal data
GDPR Article 44 prohibits the transfer of personal data to non-EU/EEA countries. Under the conditions of GDPR Article 45 the transfer is allowed, if the receiving country proves it is capable of providing adequate data protection. The EU Commission makes adequacy decisions both under GDPR and applied GDPR. Post-Brexit, there is no separate power for the ICO to make an adequacy decision to permit transfers to third countries which are considered by the UK to provide adequate levels of protection.
Binding corporate rules (BCRs) provide a mechanism for transfers of personal data within corporate groups where there is no adequacy decision in place. Applied GDPR provides for BCRs to be approved by the ICO rather than by a supervisory authority within an EU member state. Post-Brexit, ICO-approved BCRs will be valid only in relation to transfers from the UK to non-EU/EEA countries and will not permit a transfer of data from the EU/EEA into the UK. It remains strongly advisable for organisations relying on BCRs after Brexit to operate them from within an EU member state.
GDPR Article 46 contemplates Standard Contractual Clauses being adopted by the EU Commission and approved in accordance with Article 93(2). The UK's exclusion from such procedures after Brexit means that applied GDPR retains only the provision relating to Standard Contractual Clauses adopted by the ICO, which could not bind the EU regulators. In the absence of political agreement, the gap that emerges between GDPR Standard Contractual Clauses and applied GDPR Standard Contractual Clauses could present UK businesses with a risk of exposure to GDPR sanctions.
Regulatory divergence
The ICO will not be part of the GDPR consistency mechanism, so there is a real possibility of regulatory divergence between GDPR and applied GDPR. Any adequacy decision made by the EU Commission and based on applied GDPR would be subject to periodic review and possible withdrawal. Even a small degree of divergence would involve cost and complexity for UK businesses, since the same data processing activities may well fall within both GDPR and applied GDPR. Keeping track of regulatory divergence could be a costly and time-consuming task.
A special deal?
The UK government has recognised some of these issues in a Technical Note [1] which calls for a legally binding data protection agreement between the EU and UK. This agreement would support GDPR Article 50, which requires the EU to develop new approaches and cooperate with third countries for better cross-border enforcement.
There has been no progress towards such an agreement (to date at least) since Michel Barnier's speech [2] of 26 May, in which he spoke against the UK's proposals on data protection. On the current state of negotiations, an adequacy decision remains the likely outcome.
References:
- [1] www.gov.uk/government/publications/technical-note-on-data-protection
- [2] europa.eu/rapid/press-release_SPEECH-18-3962_en.htm
Article provided by:
- Malcolm Dowden, Legal Director at Womble Bond Dickinson (UK) LLP
- Supuni Perera, Legal research specialist at Womble Bond Dickinson (UK) LLP
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org