EACCNY "Brexit, What's Next?" Series | EU-UK Data Protection Law Divergence: Impact On Data Flows

Published date: 01 November 2021
Subject Matter: Privacy, Data Protection, Privacy Protection
Law Firm: ELVINGER HOSS PRUSSEN, société anonyme
Author: Mr Gary Cywie

First published on www.eacny.com

1. Post-Brexit UK regime

Following the end of the Brexit transition period, the United Kingdom has retained the General Data Protection Regulation (Regulation 2016/679) ("EU GDPR") as part of its national laws, as the "UK GDPR", under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (as amended) ("Regulations").

The UK GDPR sits alongside the Data Protection Act 2018 ("DPA") and the Privacy and Electronic Communications Regulations ("PECR") as the backbone of the UK's post-Brexit data protection regime. The Regulations amended the UK GDPR, DPA and PECR to make them work properly as domestic law through relatively functional changes, under which the key substance of the EU GDPR remained. However, the UK could now diverge from EU data protection law through domestic statutory reform, and the UK Government is considering steps in that direction.

2. Adequacy Decisions adopted

On 28 June 2021, just before the interim bridging mechanism enshrined in the EU-UK Trade and Cooperation Agreement expired on 30 June 2021, the European Commission ("Commission") adopted two adequacy decisions for the UK ("Adequacy Decisions"). The first decision concerned the EU GDPR and the second the Law Enforcement Directive.

The adoption of the Adequacy Decisions, after months of negotiation, provided a degree of long-awaited legal certainty concerning the ongoing flow of personal data from the EU to the UK, including data exchanges in the law enforcement sector. Under this regime, businesses located in the EU can continue exporting personal data to the UK as current UK national laws have been recognised as offering a level of protection that is essentially equivalent to that under the EU GDPR.

The Adequacy Decisions are the first of their kind to have a sunset clause limiting their duration. The Adequacy Decisions expire four years from their entry into force, after which they can be further extended. This sunset clause has been introduced to ensure that UK data protection law remains essentially equivalent to that of the EU while the UK is covered by adequacy decisions. This is a strong safeguard in case there is future divergence in UK data protection law away from the essentially equivalent level of protection which existed at the time of the assessment.

UK Consultation on Data Protection Reform

On 10 September 2021, the UK's Department for Digital, Culture, Media & Sport ("DCMS") released a consultation "Data: A new direction" (the "Consultation") with suggested reforms to the UK's data protection regime. The aim of the Consultation is to "create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data". The Consultation's proposals represent significant divergence from the EU regime and trend towards a risk-based approach.

The key points are:

  • Accountability and governance. Revoking existing obligations to perform data protection impact assessments, maintain records of processing, and appoint a data protection officer. These would be replaced by a privacy management program ("PMP"), which is intended to be a less rigid approach to accountability, although the substance is relatively similar to the UK GDPR requirements. The proposed PMP demands clear responsibilities for compliance, policies and risk assessment tools, and operational plans to monitor and revise the PMP.
  • Adequacy decisions. Amending the framework for the UK's own adequacy decisions for data transfers, to be "risk-based and focused on outcomes" rather than a "largely textual comparison of another country's legislation" focussing on "academic or immaterial" risks. Adequacy decisions may also be included as a part of trade agreements with other countries. We observe the announcement from the DCMS that "adequacy partnerships" are already being progressed with many jurisdictions, including the US. That would represent a...
