brexit – Cyber Law Watch

UK consults on new data protection regime

Sep 14 2021

By Norin McFadden and Claude-Étienne Armingaud

The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.

Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may lead to trouble for the continuation of the adequacy decision granted by the EU in June. If terminated, the adequacy decision, currently permitting free flows of personal data between the EU and the UK, could cause increased costs and bureaucracy for businesses on both sides of the Channel to continue their data transfers.

Some of the changes to the UK GDPR proposed in the consultation document are:

Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
Removal of the right to human review of decisions made on the basis of solely automated data processing.
Introducing a fee for responding to subject access requests and allowing organisations to refuse to comply with requests at a lower threshold than “manifestly unfounded”, as allowed in the current legislation.

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
Removing the requirement for websites to obtain consent before serving some analytics cookies.
Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.

UK unveils plan to diverge from GDPR

Aug 30 2021

By Norin McFadden and Claude-Étienne Armingaud

The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.”

A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision with EU GDPR awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.”

It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.

The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.

Reminder for One-Month Deadline to Implement New SCCs in New Contracts

Aug 27 2021

By Jake Bernstein and Jane Petoskey

In early June 2021, the European Commission published a new set of standard contractual clauses (SCCs) effective June 27, 2021 for cross-border data transfers and between controllers and processors. The new SCCs cover changes in data protection laws, including the invalidation of the EU-US Privacy Shield and the fallout from the Court of Justice of the European Union’s (CJEU) Schrems II opinion (regarding US intelligence laws). The new cross-border data transfer SCCs also use a modular approach to allow for more accurate identification of roles and responsibilities of the contracting parties. In terms of timing, organizations may use the old SCCs in new contracts until September 27, 2021, and contracts existing before September 27, 2021 must change to the new SCCs by December 27, 2022. For additional information on the SCCs, read our K&L Gates EU Data Protection Alert here.

Please do not hesitate to contact the K&L Gates LLP Cybersecurity and Privacy team of attorneys if you need assistance updating new or existing contracts with the new SCCs by the above deadlines.

Post-Brexit data protection – where are we now?

Feb 04 2020

By Cameron Abbott and Michelle Aggromito

After years of political squabble and delays, Brexit day finally arrived on 31 January 2020. But what does it mean when we talk about the UK’s withdrawal from the EU and how will data protection regulation and compliance change?

There will be little change during the transition (also known as “implementation”) period that is expected to end on 31 December 2020. During this period, EU law will continue to apply in the UK, including the EU General Data Protection Regulation (GDPR), after which the GDPR will be converted into UK law.

Brexit: Deal or No-Deal? Data is the Question

Oct 24 2019

By Cameron Abbott and Max Evans

With the Brexit deadline looming as 31 October 2019, and no finalised deal in place, the prospects of an inconclusive Brexit are growing. Therefore, there remains significant uncertainty as to the actions and preparations of entities who are subject to the unpredictable tides of this political sea. So how should such companies prepare in these circumstances of a foreseeable no-deal? Our colleagues have tackled this challenging question in Volume 1 of The Privacist available at the K&L Gates Hub.

Brexit and Data Protection

Jul 20 2016

Linked article by Andrew W. Gilchrist, Arthur Artinian, Andrew R. Danson, Philip J. Morgan, Daniel L. Clyne

As part of K&L Gates continued coverage of the issues raised by Britain’s exit of the EU (see our dedicated Brexit Hub here), our European colleagues have made an assessment of the post-Brexit landscape with respect to UK’s data protection laws.

Although there will be no immediate impact (given it is expected that it will take at least 2 years before any Brexit is finalised), companies should begin to consider what legal framework may apply in the post-Brexit world. For more information, please see here.

Tag:brexit