Under the European Union (withdrawal Agreement) Act 2020, The UK is going through a transition period until the 31st of December 2020 to allow it to come up with acceptable vision of its future relationship with the EU, although this deadline can be extended.
During this transition period, EU laws, including The General Data Protection Regulations will continue to apply in the UK.
GDPR in the UK after Brexit:
All UK organizations that process personal data have two laws to comply to, The EU's General Data Protection Regulation, And, the UK's DPA (Data Protection Act) 2018, and both will continue to apply until the transition period ends.
Even though the EU GDPR will not be directly applied after the end of the transition period in the UK, All organizations that's handling EU citizen's personal data will need comply with its requirements.
But, anyways, the DPA 2018 enacts the EU GDPR’s requirements in UK law. And the UK government has issued – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection system that will work in a UK after Brexit.
The new regime will be known as The UK GDPR, however, There is insignificant differences between the EU GDPR and the awaited UK GDPR.
How does Brexit affect international data transfer?
Now as the UK is no longer an EU member, it has been reclassified as a ‘third country’. This shouldn’t make any difference to UK organizations until the end of the transition period.
Under the EU GDPR, the transfer of personal data from the EEA (European Economic Area) to third countries and international organizations is permitted only if:
· The European Commission issued a decision stating that there is a fully sufficient level of data protection.
· Accepted safeguard are in place, such as Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC)
· Based on approved codes of conduct, even though no such codes have set for transfers from the EEA (European Economic Area) to the UK so far.
Until now, the Commission has made 12 adequacy decisions:
The Faroe Islands
The Isle of Man
The EU-US Privacy Shield, which allowed certified US organisations to process EU residents’ personal data, was ruled invalid by European Court of Justice on 16th of July 2020 following legal action by the Austrian privacy campaigner Max Schrems.
All processors that process personal data of EU residents, should to rely on Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC) until a new code of conduct is approved or an adequacy decision is reached between the EU and US.
However, the ECJ noted in its decision that SCCs are only valid if the law in the receiving country ensures adequate protection. If the law in that country makes it impossible to meet the obligations (if the personal data is likely to be interfered with by state surveillance, for instance), they are not valid and there must be additional safeguards to provide the necessary protection. If such safeguards cannot be put in place, the processing must be suspended.
Potential penalties for non-compliance:
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is greater.
Therefore organizations that process EU residents’ personal data should make the necessary measures to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached.