On 31 January 2020, the United Kingdom left the European Union. For the first time since its creation, a member state has decided to leave the common market, and for now, it is uncertain what the future holds for current privacy legislation. The new relationship between the UK and the EU will be negotiated in the course of this year, with the agreed transition period ending on 31 December. During this period, GDPR will apply as if nothing has changed. But what will happen after?
This webinar will discuss the following topics:
- What does Brexit mean from a data protection perspective?
- What does it mean for the UK itself and for the position of the Information Commissioner’s Office?
- What will be the impact of Brexit on data flows to and from the remaining 27 EU Member States and the countries of the European Economic Area?
- And will there be any impact on UK-US data flows?
Brexit Data Protection Update: The EU, US and UK Perspective
1. Thank you for joining the webinar Brexit Data Protection Update
• We will be starting a couple of minutes after the hour
• This webinar will be recorded and the recording and slides sent out later today
• Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
5. Outline
● Brexit: the current state of play
● What will happen next?
○ In the UK itself
○ EU – UK / UK – EU relations
○ EU – US / US – UK relations
● How to prepare for the various scenarios?
● Q&A
7. EU28 > EU27
● 31 January 2020 (midnight CET): The United Kingdom has left the European Union.
● Transition Period
● 31 December 2020 (midnight CET): End of the transition period*
* Extension possible by joint EU – UK decision before 1 July 2020, but ruled out by the European Union (Withdrawal Agreement) Act 2020.
8. Transition Period
Revised Political Declaration (19 October 2019) – Part I, Section I – B. Data Protection
8. In view of the importance of data flows and exchanges across the future relationship, the Parties are committed to ensuring a high level of personal data protection to facilitate such flows between them.
9. The Union's data protection rules provide for a framework allowing the European Commission to recognise a third country's data protection standards as providing an adequate level of protection, thereby facilitating transfers of personal data to that third country. On the basis of this framework, the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom's withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met. Noting that the United Kingdom will be establishing its own international transfer regime, the United Kingdom will in the same timeframe take steps to ensure the comparable facilitation of transfers of personal data to the Union, if the applicable conditions are met. The future relationship will not affect the Parties' autonomy over their respective personal data protection rules.
10. In this context, the Parties should also make arrangements for appropriate cooperation between regulators.
10. UK Data Protection Act 2018
● GOAL 1:
○ Harmonise UK privacy law with GDPR – the “APPLIED EU GDPR”
○ Search “DPA Keeling schedule for the amended GDPR”
○ Repeal/alter some UK laws to align
● GOAL 2:
○ Harmonise UK law enforcement law with EU Law Enforcement Directive
● GOAL 3:
○ EU law cannot touch national security, so the Act sets up a privacy regime for the UK security services
● GOAL 4:
○ Set up UK supervisory Body as ICO
○ Powers and criminal offences
11. UK Data Protection Act 2018
Passed 24th May 2018: It is the current UK law, enacts the “applied EU GDPR”
Structure of the DPA 2018 (slide diagram):
● Part 1: Preliminary
● Part 2: General Processing (GDPR etc.)
● Part 3: Law Enforcement Processing
● Part 4: Intelligence Service Processing
● Part 5: Information Commissioner
● Part 6: ICO Enforcement
● Part 7: Supplementary and final provisions
● Schedules (1-18)
12. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 S.I.419
● The EU’s GDPR has been amended into a new “UK-GDPR” (United Kingdom General Data Protection Regulation) that took effect on January 31, 2020.
● The Data Protection Act 2018 has been amended to be read in conjunction with the new UK-GDPR instead of the EU GDPR.
● The current “EU GDPR” will apply to the UK in the transition period lasting from January 31, 2020 until December 31, 2020 (unless further extensions are agreed upon between the UK and EU).
● It is likely that the UK government will move to consolidate the two amended laws (UK-GDPR and DPA2018) into one, comprehensive piece of data protection law at a later point.
● https://www.legislation.gov.uk/uksi/2019/419/pdfs/uksiem_20190419_en.pdf
13. UK Data Protection Act 2018 - Criminal Offences (Personal!)
● Unlawfully obtaining, or disclosing, personal data without the consent of the data controller
● Retaining personal data without the consent of the data controller
● The re-identification of de-identified personal data without consent of the data controller
● Requiring an individual to exercise their subject access rights to gain their personal information in relation to their employment or for a contract for services or the provision of goods and services
● Alteration of personal data to prevent disclosure to the data subject
● Obstructing the Commissioner in inspecting personal data to discharge an international obligation
● Making a disclosure prohibited by the Regulation of Investigatory Powers Act 2016
● ICO or ICO staff disclosing information obtained in the course of their role (which is not available to the public)
● False statement made in response to an ICO information notice
● Intentional obstruction of a warrant, or failure without reasonable excuse to assist in the execution of a warrant
● Not undertaking notification to the ICO when required (monetary penalty)
14. Brexit Impact on Data Protection
Now the UK has left the European Union:
● NOW: It stays a member of the Council of Europe;
○ It is still subject to the European Convention on Human Rights and the European Court of Human Rights
○ It has signed Modernised Convention 108+ and is duty-bound to implement it
● NOW: ICO no longer an EU supervisory authority;
○ BCRs/ad hoc clauses need to be reapproved
○ Do you need a new lead EU SA?
● NOW: It retains the “EU/UK GDPR” under the DPA 2018 – laws very similar to the EU’s apply
● 31 Dec 2020: Review EU and UK representatives if there is no UK or EU establishment
● 31 Dec 2020: It may become a third country, so no longer automatically adequate for data transfers, and will be applying for adequacy… Achievable? Time gap?
● Future: Any new ePrivacy Regulation will likely not apply in the UK;
○ the current 2003 PECR applies.
● Future: UK law could diverge further from the EU’s in the future…
17. Brexit Impact on EU - UK Data Flows
● 31 January 2020: Brexit with a Deal
● Until 31 December 2020: Transition Period
● Deal? EU-UK Adequacy Decision* – data flows (including onward transfers) continue unobstructed
● No Deal? UK becomes third country – data transfers (including onward transfers) require a transfer mechanism
* A mutual adequacy decision is required to ensure the free flow of data from and to the UK and EU
18. EU-UK Mutual Adequacy Decision
● European Commission may decide that a third country ensures an adequate level of protection (also possible for a territory, sector or international organisation) (Art. 45(1) GDPR).
● Obligation for European Commission to monitor functioning of adequacy decisions:
○ Periodic review at least every four years (Art. 45(3) GDPR);
○ EC may repeal, amend or suspend decisions (Art. 45(5) GDPR).
● Negotiating Guidelines (adopted 25 February 2020): “The envisaged partnership should affirm the Parties’ commitment to ensuring a high level of personal data protection, and fully respect the Union’s personal data protection rules, including the Union’s decision-making process as regards adequacy decisions”.
● UK Government still needs to announce criteria to assess third country adequacy.
19. EU-UK Mutual Adequacy Decision
The term “adequate level of protection” must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union (Schrems, §73).
During the assessment ALL relevant legislation needs to be assessed, including laws interfering with the fundamental right to data protection. An interference is only allowed under four guarantees:
A. Processing should be based on clear, precise and accessible rules
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
C. An independent oversight mechanism should exist
D. Effective remedies need to be available to the individual
Source: WP237 - Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)
21. Privacy Shield
Guidance from US Department of Commerce
● Privacy Shield will continue to apply to the UK during the transition period without change
● From 31 December 2020:
○ a Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK;
○ organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.
22. Steps to Take Now
• Review your EU “lead authority”
• Review data transfers in/out of the UK and onwards
• Review the legal basis for transfers
• Review the need for EU or UK representatives
• Review risk (regulators have stated this is not an enforcement priority in the short term)
• Amend privacy notices & records of processing
• Amend breach notification protocols
23. Q&A
Ask your questions via the GoToWebinar Control Panel
● Paul Breitbarth – Director, EU Policy & Strategy, TrustArc
● Josh Harris – Director, International Regulatory Affairs, TrustArc
● Ralph O’Brien – Principal Consultant, EU, TrustArc