At the moment, as we are still a member state of the EU, we legally abide by the rules of the EU. The General Data Protection Regulation (GDPR) is one law that the UK must abide by as a member state if it wishes to conduct business on the world stage. The law also regulates the transfer of personal data in and out of the EU and EEA areas.
In the event of a No Deal Brexit (and potentially any Brexit), the UK will have removed itself from all legal process in the EU, including the GDPR. The UK is perfectly happy for everyone to continue transferring personal data to the EU, because the EU is covered by the GDPR (and possibly because the government doesn’t care whether your data becomes public or not). However, the UK will have become a ‘Third Country’ in the eyes of the EU. We operate under the UK’s Data Protection Act… but also currently abide by GDPR. What has never been tested is whether our Data Protection Act is sufficient or ‘adequate’ on its own to protect personal data (of EU citizens) to the level that the GDPR covers privacy and personal data. The EU must protect the data of its member states.
Thus, this puts every organisation that stores and transfers data into a legal quandary.
If companies operating in the EU or EU agencies transfer personal information to the UK, and the UK misuses or makes that data public, there is no legal action that can be taken against the UK. The ramifications are wide ranging and complex. Read on.
Organisations thus may choose to stop transferring any personal data to the UK until there is clarification on the legal process.
Whilst we are here, snitch on your MP for breaking international law. Use our snitching tool.
This is the ‘adequacy decision’. Every ‘third country’ has to go through a review process to determine whether there is an adequate level of protection within the third country’s legal system that will protect the privacy of personal data. The last adequacy decision that I know about took over 1 year. And a recent EU-US privacy shield case fell through.
“If there’s a failure to agree on any data protection arrangements, UK organisations which receive personal data from the EU (and EU organisations transferring data to the UK) will need to ensure they have additional appropriate safeguards in place. For example, Standard Contractual Clauses or Binding Corporate Rules. This poses the risk that UK companies could potentially lose business to other companies across the EU.”
It’s kind of obvious really. We want to be alone, so we are alone.
Other than adequacy decisions, data can be transferred if certain standard contractual clauses (SCCs) are added to contracts to cover the protection of personal data. But these are being tested now (see below with Facebook throwing toys out of pram about pulling out of Europe – and perhaps vital to watch how this progresses …).
Examples of who should be concerned:
- A hairdresser in Cheshire has a client database which it uses for bookings and marketing. It stores this database on its office computer. It has never sent any of its client data outside the UK and has no intention of doing so. The hairdresser does not need to consider this section on international transfers.
- A hotel in Cornwall takes direct bookings from individuals across the EEA, which includes their names, addresses and other personal information. It receives personal data from those individuals and sends personal data back to them. Neither transfer is restricted under the GDPR nor UK GDPR, as it is made directly with a consumer. The hotel does not need to consider this section on international transfers.
- However, if either business uses a cloud IT service which stores and/or processes their data (including personal data) anywhere outside the UK (including in the EEA), it should read this section on international transfers.
Boris Johnson announced that the UK would be pushing forth with world class data sharing … This is a swipe at EU GDPR and regulations. He mentioned very little about whether big data would or wouldn’t suddenly become public data. That’s a bit scary on its own. We know that Johnson and Cummings are planning a massive dig into private data with their proposed Verify Identity scheme … See: 2019, July 2020, 9 Sep 2020: National Data Strategy and Pandemic Data Sharing.
This is taken from a Computer Weekly article:
1. You signed a petition to revoke Article 50 and remain in EU (data is kept on the e-petitions for 12 months with your contact details).
2. You signed a petition against proroguing Parliament.
Currently Whitehall doesn’t have access to Parliament e-petition systems and Parliament would NOT give Whitehall your personal details.
Once we leave the GDPR system … “it’s technically feasible. The only question is how far any prime minister or their government is willing to push the boundaries of political convention and legality to get access to all that data.” Editor’s note: We know that the Government is willing to break international law so anything is possible.
So, hypothetically, you may receive an email … “You signed a petition to revoke Article 50 and remain in the EU… here’s how Brexit will serve you ….” (or worse).
What does it all mean? Whilst it’s hard to know what will actually happen or what individual organisations will do, here’s what we should be aware of …
- DropBox stores your data on German servers.
- Zoom recordings could be stored on German servers. Facebook information in Ireland.
- It is unclear as to what extent Google Education servers, Spotify etc. are affected.
Oliver Slay has worked in IT for over 20 years (with 8 years at management level). He is a Member of the Institution of Analysts and Programmers (MIAP for 13 yrs) and currently a PhD student in Bioinformatics/Genomics at Sheffield Hallam University. His views may not represent those of these organisations.
Useful additional reading
Brexit No Deal Data Protection Guide – This contains up-to-date Government advice (which may have limited information in a constantly changing and backtracking environment).
“If the EU has not made an adequacy decision in respect of the UK before the end of the transition period, you should act if you want to ensure you can continue to receive personal data from EU/EEA countries in the future. The ICO also provides more detailed guidance on what actions might be necessary.”
Data Protection at the end of the transition period – worth checking for updates… Though the fact they have a link on the right “What’s new” suggests that this page won’t keep you updated. 🤔
Keeping data flowing – From the ICO
- Any Person or Business, processing personal data concerning EU persons has to do so according to the EU’s GDPR Law.
- GDPR is different to the Data Protection Act (and in my opinion, much stricter; particularly as it covers all data, not just data held on a computer).
- “All Data” includes Video Images, Voice recordings, telephone answer messages; as well as the usual web-site registrations, blogs and log-ins.
- Leaving the EU does not absolve one of this responsibility, as it falls under the authority of “International Public Common Law”.
- It therefore does not matter if the EU person is living or visiting here or elsewhere; nor does it matter if they don’t have full EU Citizen’s rights.
- It is not permitted to do independent analysis of personal data about EU persons, gathered by any EU based, or other organisation.
- Even if one processes personal data (or works on such systems) on behalf of an EU based entity; one has to have a Branch Office inside the EU.
This rules out a lot of business prospects for data processing, campaign management, and marketing organizations; and completely eliminates the independent free-lancer from the data market (or knowledge industry as it is also known).
The independent free-lancer or invisible service provider makes up a sizeable part of our trade with the EU. – If there are about 3 Million going each way, and earning say €66,666 p.a. each – that’s a €200,000,000,000 trade (only a proportion of which work in remote data, the rest are dependent on Freedom of Movement, or the Right to Establishment in order to ply their trade).