The UK prepares for Data Protection after Brexit: Two New Regulations
When the UK leaves the EU, the General Data Protection Regulation (GDPR) will no longer be directly applicable in the UK. Two new sets of regulations have therefore been recently promulgated by the British Parliament to retain, as much as possible, the status quo and are meant to come into effect upon the UK's withdrawal from the EU. Both sets of regulations were issued pursuant to the UK's European Union (Withdrawal) Act 2018.
The purpose of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 is to ensure that current UK data protection law continues to be operable after exit and thus a number of the changes made by the regulations are minor or technical and replace EU-related terminology with UK equivalents (e.g. replacing "GDPR" with "EU GDPR" as distinguished from the "UK GDPR", the latter referring to the GDPR as it shall form part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 once it comes into effect). Among the more noteworthy changes are those relating to transfers of personal data from the UK and those regarding the extraterritorial application of the UK GDPR.
To ensure that established data flows from UK data controllers to organisations outside of the UK can continue after the UK leaves the EU, the regulations insert transitional provisions in the Data Protection Act 2018 in relation to adequacy decisions, standard contractual clauses and binding corporate rules. The Data Protection Act 2018 in its current (pre-Brexit) form supplements the GDPR within the UK by exercising areas for derogations within the UK. One such transitional provision in the regulations enables personal data to continue to flow from the UK to jurisdictions subject to an EU adequacy decision made before exit day. Similarly, Binding Corporate Rules authorised by the UK Information Commissioner prior to exit day will continue to be recognized.
As regards extraterritorial application of the UK GDPR, one of the requirements under the regulations is that, post Brexit, processors and controllers outside the UK will be required to designate a representative in the UK, except where the processing is occasional, does not involve large scale processing of special categories of personal data or of data relating to criminal convictions and offences and is unlikely to result in a risk to the rights and freedoms of natural persons.
The second set of regulations – the Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) (No.2) Regulations 2019 – relate to transfers to the US under the Privacy Shield Framework. Following the UK's withdrawal from the EU, to be able to continue receiving personal data from the UK in reliance on the Privacy Shield, US companies will be required to update their privacy policies by including a commitment to comply with the Privacy Shield Principles in relation to personal data transferred from the UK.
None of these changes should be particularly onerous for Norwegian businesses operating or doing business in the UK, but they do serve as a timely reminder to such businesses that policies and procedures should be reviewed generally in light of Brexit.