I’ve encountered many different posts and opinions about how Data Protection law will work in the UK after December 31st. This is my take as things currently stand.
DP law in the UK
Data Protection law in the UK will comprise the UK GDPR (a version of the GDPR amended to remove redundant EU references) and the DPA 2018 (similarly updated) as well as PECR and other bits and pieces. If someone says that UK DP law is the DPA alone, they don’t know what they’re talking about, and you should ignore them. It is correct to say that ‘the GDPR’ will no longer apply in the UK, because ‘the GDPR’ is an EU regulation passed in 2016. The UK version is a clone called the ‘UK GDPR’.
If you’re a controller in the UK and you process data about people in the UK, the above UK DP regime applies. So far, so straightforward.
DP law in the EU
The 27 EU member states will continue to be covered by the GDPR (you can call it the ‘EU GDPR’ if you want but it’s called the GDPR). It applies to processing about people in the EU, no matter where that happens, and processing of any personal data by controllers established in the EU. So if you process personal data in the EU, the GDPR applies to you, no matter who it is about. If you process personal data about people in the EU, no matter where you are, the GDPR applies to you. My guess is that action against big US companies will continue to be taken in the EU because they have a big EU presence, and there won’t be that much of it because most of them are based in Ireland, and the DPC is the DPC. I’m not holding my breath for a torrent of action against companies in the US. Honestly, every time I meet a US-based organisation that doesn’t have a big presence in the EU and yet boasts of its GDPR compliance, I wonder what they’ve been smoking.
Controllers in the UK processing data about people in the EU
If you’re a controller in the UK and you process data about people in the EU in the context of offering them goods or services, or monitoring their behaviour, the GDPR applies, as does the UK GDPR. I have no idea whether EU regulators try to enforce the GDPR on data controllers established in the UK who don’t have a significant EU presence. I know it would help the business model of scaremongering GDPR consultants if they did, so there’s a part of me that hopes that they won’t. It’s entirely possible that some EU regulator will want to flex their muscles post-Brexit, but anyone who confidently predicts that they will is selling something.
Controllers in the EU processing data about people in the UK
If you’re a controller in the EU and you process data about people in the UK in the context of offering them goods or services, or monitoring their behaviour, UK GDPR applies, and so does EU GDPR. I doubt EU regulators would rush to protect the interests of UK data subjects, but who knows? In the meantime, US data controllers will probably continue to move UK subjects’ data out of the EU because there is literally no reason for them to keep it there. This isn’t a sinister plot to water down rights as some headline-hungry pressure groups would have you believe. By keeping UK data in the EU, US companies are subjecting themselves to multiple DP regimes for no reason. The UK voted to leave the EU, and it voted for a Government that promised to ‘Get Brexit Done’. People in the UK don’t have GDPR rights any more and companies are within their rights to react to that. Get used to it.
Again: sarcastic face when you burble about the ICO enforcing UK GDPR on non-UK entities. You’re talking about the ICO. They issued an enforcement notice on the Metropolitan Police and did nothing when they failed to comply with it, so why anyone thinks they’re going to go after someone in France or Germany is beyond me. Unless you’re selling something, in which case, don’t you have any better way to sell what you’re selling?
Controllers outside the UK and the EU processing data about people in the UK
If you’re a controller outside Europe altogether and you process data about people in the UK in the context of offering them goods or services, or monitoring their behaviour, the UK DP regime is likely to apply to what you’re doing – in theory. Imagine how sarcastic a face I will pull when you try to explain to me how the ICO will enforce UK DP on non-UK controllers. They don’t do that with UK controllers.
HINT: it’s very sarcastic. ICO thought about doing something to the Washington Post and all they could manage was a letter saying that they were cross.
People with EU passports in the UK
From January 1st 2021, if you are from the EU, but you are in the UK, data processed about you in the UK by organisations in the UK is covered by UK DP law alone. GDPR rights do not extend to processing by UK-based data controllers if the subject is also in the UK. The same is true wherever you go; you don’t take your GDPR (either original or the UK clone) rights with you to the USA or China. Pretending otherwise is dumb.
Transfers from the UK to the EU (and vice versa)
Based on a promise from the UK not to change UK DP law in the period, we have four (possibly up to six) months of frictionless transfers of data between the UK and the EU. The May Government plan always intended to recognise the EU as adequate, and there is now a period of grace while the issue of UK adequacy is resolved. The UK could get an adequacy decision during this period which will allow data transfers to continue – it might not, and even if it does, it’ll be undeserved because of the same surveillance problems that caused Schrems II (and a useless regulator). Some would-be Schrems could come along and challenge it; they probably will. I think the idea of the UK getting and keeping an adequacy decision long term is massively optimistic.
It is worth remembering that the arrangements for UK DP law were introduced by the May Government, and were inherited by Johnson’s outfit. Johnson seems also to have inherited an antipathy towards the GDPR from his erstwhile gag-writer Dominic Cummings. Johnson often includes data in the list of things he wants to change once the UK has its ‘sovereignty’ back. I think that a favourable adequacy decision would be a sham, but the EU might offer one to the UK with a straight face using the UK’s apparently identical DP regime as cover. I think it is worth keeping the UK GDPR solely to eke out this sham for as long as possible, but Johnson and his cronies are more likely to listen to flag-wavers and tech bro twerps who see European-style Data Protection as a barrier to innovation (without ever being able to explain how it does that). The introduction of a Patriotic Red White and Blue DPA, performatively different to the GDPR, would not remotely surprise me. Look at all the fanfare over the blue passports.
But the point is, we don’t know. The Trade Deal kicks the DP can down the road for a few more months. Adequacy recognition for the UK may be round the corner, or an impossible pipe dream. Changes to the UK DP regime may be imminent, or a confection made by a set of incompetent blowhards who mistake winding people up for political strategy. Anyone talking with any certainty is not paying attention or selling something.
So that’s what I think. I might be wrong. Nobody knows anything for sure. I had to check the calendar to see what day it was today.