According to the UK Information Commissioner’s Office (ICO), the British government intends to incorporate the GDPR into UK law from the end of the transition period.
However, the UK’s adoption of the “UK GDPR” will not necessitate that it will be deemed adequate.
Default
The ICO’s current default position is that at the end of the transition period the GDPR will be brought into UK law as the “UK GDPR” and will operate alongside the existing legislative rules contained in the Data Protection Act 2018.
Therefore, the rules set out in the GDPR for the protection of personal data, the rights of data subjects and the principle of consent will continue to apply in the UK.
However, while there may be initial legal alignment at the end of the transition period, a divergence in data protection rules seems inevitable as the UK will no longer be subject to decisions of the two primary harmonising EU authorities on data protection:
- Court of Justice of the EU,
- the European Data Protection Board (EDPB).
“Divergence on data protection principles and interpretations of the GDPR seems inevitable as different cases are heard in the different jurisdictions and the different courts are guided by different constitutional frameworks,” Dr Quinn writes.
For example, post-Brexit, there will no longer be a fundamental right to data protection in the UK as provided for in Article Eight of the EU Charter of Fundamental Rights of the European Union.
This will prove important when data protection principles must be balanced against other interests such as commercial interests or rights to freedom of expression and access to information, Dr Quinn writes.
The most likely obstruction to an adequacy finding is the UK’s Investigatory Powers Act 2016, which allows for broad interception and communications acquisition powers, greatly limiting the privacy rights of individuals.
Bulk data
The bulk-data collection allowed by the Act was deemed unlawful by Advocate General Campos Sánchez-Bordona on 15 January 2020, in his Opinion in Case C-623/17 Privacy International and Joined Cases C-511/18 and C-512/18.
In addition to state surveillance concerns, future regulatory divergence between the UK and the EU will be an important consideration for the European Commission.
If no adequacy decision is arrived at, data transfers to the UK could become significantly more problematic.
When the UK courts become the final arbiter of data protection law in the UK, it may result in a very different interpretation of the content of the GDPR compared to what emerges from Luxembourg.
Similarly, the EDPB and the ICO are likely to diverge in their supervisory and enforcement capacities as they respond to the different needs of their relative jurisdictions and as lines of communication between the bodies are greatly reduced.
Quasi-judicial function
Under EU law, the EDPB can issue binding decisions where conflicts arise between supervisory authorities.
Thus, the EDPB possesses a quasi-judicial function serving to harmonise the approach to data protection across the EU.
Post-Brexit, the ICO will become the sole supervisory authority and is likely to diverge, in at least some contexts, from the decisions of the EDPB.
Several years
The key point will be the consequences for data transfers.
The EU currently operates an adequacy framework which allows data to be freely transferred to jurisdictions outside the EU that have been deemed to have adequate levels of data protection by the European Commission.
An adequacy decision may be reached as part of the negotiations during the transition period.
However, the fastest time the Commission has adopted an adequacy decision is 18 months with the process sometimes taking several years.
In its absence, data can only be transferred from the EU to the UK if appropriate safeguards are adopted by the data exporter or if specific derogations exist.
Safeguards
The different safeguards outlined in the GDPR are:
- Standard contractual clauses,
- Binding corporate rules,
- a code of conduct.
While these safeguards allow for data to be transferred without an adequacy decision, it will generate an additional burden for enterprise.