While the Data Protection Act (2018) is the current law of the UK and will remain so after Brexit, it is necessarily incomplete and must be interpreted in conjunction with the text of the GDPR.
Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP
Where there are no specific provisions or derogations contained within the DPA18, the GDPR’s text applies. For example, Article 37(1) specifies the conditions under which it is necessary to appoint a DPO, a matter on which the DPA remains silent.
The DPA18 is thus lex specialis, ie the specializing law for the UK in respect to personal data protection.
Note that at the time of writing (June 2018), there is some debate about the final shape of the UK’s participation in EU institutions relating to the GDPR.
The following are some key points:
- When the UK leaves the EU in April 2019, its membership of the European Data Protection Board (EDPB, the successor to the Article 29 Working Party established by the 2002 Directive) will automatically lapse. There is some doubt as to whether the U.K. Information Commissioner can retain a “seat at the table” in respect to the work of the EDPB.
- A second concern is whether the UK will automatically be granted “adequacy” status after Brexit. Adequacy is conferred on countries with an “adequate level of data protection”, however, this is a slow process. Both Japan and Korea are in the queue for recognition of their adequacy status, a process which has taken more than one year. It’s even possible that the adequacy status will not be granted, given some of the special derogations made for law enforcement and immigration control purposes.
- Thirdly, there is a concern about enforcement and judgements. The E.U. wants the European Court of Justice (CJEU) to represent the court of final appeal for all decisions on data protection. The U.K. rejects this court’s authority, which may lead to a conflict.
- Another implication of Brexit is the lack of clarity over EU Representation (Article 27), which requires controllers and processors in 3rd countries with high risk processing activities to appoint a local representative in the EU. When Britain leaves the EU, it’s not clear whether all of its controllers with substantial EU customers will also need to appoint EU representatives, and whether existing EU Representative contracts already in place can continue after Brexit, or whether they need to be relocated, eg to Ireland.
- Another concern of EU lawmakers is how the GDPR may develop and change over time, as laws are often amended. There is no mechanism built into the UK Data Protection Act (2018) to automatically include such changes as they occur, so there is a concern that the two laws may drift apart over time.
- The UK has long had a special relationship with US, especially in the areas of intelligence sharing and law enforcement purposes. The introduction of laws such as the US CLOUD Act may undermine provisions of GDPR in the minds of EU regulators, leading to potential conflicts about the lawful basis for 3rd country transfer mechanisms, especially in light of the legal challenges of the EU/US Privacy Shield — a mechanism that in any case will no longer apply to the UK after Brexit, requiring the establishment of a new UK/US Privacy Shield at the least.
- The Article 29 Working Party issued advice in 2016 about one-stop shopping — the ability for controllers in the EEA to benefit from the understanding that interactions with the supervisory authorities could potentially be limited to countries where the controller has its main establishment within the EU. When Brexit occurs, the UK will no longer be part of the EEA, and thus will be unable to benefit from one-stop shopping.