The UK Data Protection Act 2018 (DPA) created the "applied GDPR" by applying GDPR, with modifications, as a similar but standalone regime for the UK. Schedule 6 of the DPA sets out those modifications, showing how applied GDPR departs from GDPR. A range of new compliance challenges may face UK businesses and other organisations post-Brexit, some of which are explored below.
GDPR introduced higher penalties and regulatory sanctions. Both GDPR and applied GDPR also give data subjects a right to claim compensation from controllers and processors whose breach results in "material or non-material damage" (eg financial loss or distress).
Post-Brexit, many UK organisations may remain within the scope of GDPR because of the nature of their personal data processing operations, and will also be subject to the regime established by the DPA. Consequently, a data breach might well fall within the regulatory reach of both the ICO and an EU member state regulator. It is possible that the ICO could work with EU regulators to avoid double exposure. However, while GDPR Article 50 requires the EU Commission and supervisory authorities to cooperate with third countries, it does not preclude parallel enforcement proceedings. Indeed, both GDPR and applied GDPR emphasise not only the data subject's right to effective regulatory and judicial remedies, but also the right to pursue those remedies in the way most convenient to the data subject. Double exposure therefore represents a real risk.
Recovery of compensation
Under each regime, the data subject can seek compensation from the "closest, deepest pockets", leaving the controllers and processors to adjust liability amongst themselves. The separation of GDPR and applied GDPR may undermine that adjustment mechanism.
Adjustment relates only to "full compensation" paid under the specific regime (GDPR or applied GDPR). Duplication of proceedings, and the complexity of attributing damage to the correct regime, might well continue beyond the initial claim and into the process of adjustment between controllers and processors.
The adjustment mechanism under each regime allows a controller or processor who has paid "full compensation" to recover an appropriate proportion from the others involved. It is arguable that "full compensation" is paid only following an award made by a court, whereas an out-of-court settlement between the parties may or may not amount to "full compensation". Parties may therefore be discouraged from settling compensation claims if doing so would jeopardise their ability to recover from the other controllers and processors involved.
International transfers of personal data
GDPR Article 44 restricts the transfer of personal data to non-EU/EEA countries: a transfer may take place only if the conditions set out in Chapter V of GDPR are met. Under GDPR Article 45 a transfer is permitted where the EU Commission has decided that the receiving country ensures an adequate level of data protection. The EU Commission makes adequacy decisions under both GDPR and applied GDPR. Post-Brexit, there is no separate power for the ICO to make an adequacy decision permitting transfers to third countries which the UK considers to provide adequate levels of protection.
Binding corporate rules (BCRs) provide a mechanism for transfers of personal data within corporate groups where no adequacy decision is in place. Applied GDPR provides for BCRs to be approved by the ICO rather than by a supervisory authority within an EU member state. Post-Brexit, ICO-approved BCRs will be valid only for transfers from the UK to non-EU/EEA countries and will not permit a transfer of data from the EU/EEA into the UK. Organisations intending to rely on BCRs after Brexit are therefore strongly advised to operate them from within an EU member state.
GDPR Article 46 contemplates Standard Contractual Clauses being adopted by the EU Commission and approved in accordance with Article 93(2). The UK's exclusion from such procedures after Brexit means that applied GDPR retains only the provision for Standard Contractual Clauses adopted by the ICO, which could not bind EU regulators. In the absence of political agreement, the gap between GDPR Standard Contractual Clauses and applied GDPR Standard Contractual Clauses could expose UK businesses to a risk of GDPR sanctions.
The ICO will not be part of the GDPR consistency mechanism, so there is a possibility of regulatory divergence between GDPR and applied GDPR. Any adequacy decision made by the EU Commission on the basis of applied GDPR would be subject to periodic review and possible withdrawal. Even a small degree of divergence would involve cost and complexity for UK businesses, since the same data processing activities may fall within both GDPR and applied GDPR. Keeping track of regulatory divergence could be a costly and time-consuming task.
A special deal?
The UK government has recognised some of these issues in a Technical Note1 calling for a legally binding data protection agreement between the EU and UK. Such an agreement would build on GDPR Article 50, which requires the EU to develop new approaches and cooperate with third countries for better cross-border enforcement.
There has been no progress towards such an agreement (to date at least) since Michel Barnier's speech2 of 26 May, in which he spoke against the UK's proposals on data protection. On the current state of negotiations, an adequacy decision remains the likely outcome.
Article provided by:
- Malcolm Dowden, Legal Director at Womble Bond Dickinson (UK) LLP
- Supuni Perera, Legal research specialist at Womble Bond Dickinson (UK) LLP