GDPR and Brexit – 2021 update
On January 1, 2021, the United Kingdom formally and effectively left the European Union.
Although the UK is now “a third country” under the EU’s GDPR (i.e. a country outside of the EU without an adequacy decision), a provision in the agreement signed by the UK and EU in December 2020 secures an interim period of six months of unrestricted data flow between the two blocs.
On June 28, 2021, the EU adopted an adequacy decision for the UK, ensuring the free flow of personal data between the two blocs for a four-year period (until June 2025).
For UK websites, companies and organizations processing personal data from individuals inside the EU, this UK adequacy decision means unrestricted business-as-usual for the next four years.
After June 2025, the EU will have to engage in a new adequacy process to determine whether the UK still ensures an equivalent level of data protection for the adequacy decision to be renewed.
See the UK adequacy decision from June 2021
See the ICO’s consultation on data transfers to and from the U.K. from August 2021
What happens to GDPR after Brexit in the UK?
- UK adequacy from June 2021 ensures unrestricted personal data flow between EU and UK for four years (till June 2025),
- The general data protection regime in UK data law has been changed to accommodate the disappearance of the EU GDPR’s domestic applicability, including new domestic data privacy laws such as the new UK-GDPR and an updated Data Protection Act,
- After January 1, 2021, the EU’s GDPR will still apply inside the EU for UK websites and companies that process personal data from inside the EU.
We will look at the changes made to the legal landscape of UK data law, but first let’s recap the European General Data Protection Regulation (GDPR).
Compliance with GDPR after Brexit
Our consent management platform (CMP) is a world-leading solution for achieving full data privacy compliance on your website.
With a powerful scanner that detects all cookies, trackers and trojan horses on your domain and maps exactly where in the world you send data to, Cookiebot CMP takes the hard and difficult part out of privacy protection and compliance.
Cookiebot CMP offers plug-and-play compliance with the EU’s GDPR, UK-GDPR, California’s CCPA/CPRA, South Africa’s POPIA, Brazil’s LGPD, Singapore’s PDPA and many other data privacy laws.
Learn more about GDPR and consent
Reminder: what is the GDPR?
The European regulation known as GDPR (General Data Protection Regulation) is a law in all EU member states that govern the protection of personal data and the ways it is allowed to be collected and processed by websites, companies, organizations and more.
GDPR has extraterritorial scope, which means that no matter where in the world your company and website is located, it has to comply with the GDPR if it has visitors from inside the European Union.
GDPR sets up a data protection regime in the EU that requires companies and websites (known as “controllers” and “processors” in the law) to have a legal basis in order to process the personal data of individuals (“data subjects”) inside the EU.
The most common legal basis for processing is prior consent – this means that in order to collect and process personal data of an individual in the EU, websites must obtain their consent to do so before any collection or processing can take place.
Learn more about GDPR and cookie consent
GDPR after Brexit in the UK
The European Withdrawal Agreement signed by the UK and EU includes specific provisions on the processing of personal data and the flow of information between the UK and EU.
In particular, Articles 70-73 of the Agreement state that the UK “shall ensure a level of protection of personal data essentially equivalent to that under [European] Union law.”
Ensuring an EU equivalent level of personal data protection is very important for the UK, as it is the only way to be deemed adequate by the EU and thus ensure the free, uninhibited flow of data between the two countries.
Article 45 of the GDPR rules that “a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country (…) ensures an adequate level of protection.”
In December 2020, a provision for an interim six month-period of free personal data flow between UK and EU was agreed to, which means that for websites, businesses and organizations in the UK, all remains the same as it was before Brexit when it comes to the processing of personal data from inside the EU.
On June 28, 2021, an adequacy decision was given by the EU to the UK, acknowledging the country’s data protection level as equivalent as the bloc’s own and thereby ensuring free flow of data for a period of four years (until June 2025).
See the UK adequacy decision from June 2021
Brexit, GDPR and the DPPEC regulations
The GDPR/Brexit changes made to UK data privacy law are all contained in the government’s Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, also known as the DPPEC regulations.
They took effect on January 31, 2020, in accordance with the now-passed EU Withdrawal Agreement.
The DPPEC regulations do two major things:
- create a whole “new” domestic law known as UK-GDPR.
- revise the Data Protection Act 2018.
In order to keep the promise in the Withdrawal Agreement’s Articles 70-73, the UK has decided to create a whole “new” domestic law known as the UK-GDPR (United Kingdom General Data Protection Regulation).
The new UK-GDPR is essentially the same as the European GDPR.
It is literally made from the same law text as the EU GDPR but amended so as to substitute the parts of text that read EU and Union law with UK and domestic law.
The UK-GDPR merge the two pre-existing regimes for personal data protection – namely that established by the European GDPR and that established by the Data Protection Act 2018 (specifically the parts of that law known as the “applied GDPR”).
The DPA2018’s “applied GDPR” section is the one that extended the GDPR’s standards to areas that were out of scope of EU law and the GDPR, namely that of law enforcement, intelligence services and immigration (among others).
But let’s be clear: there are more things that don’t change than do change after Brexit with GDPR.
The UK-GDPR after Brexit will be the same as the EU’s GDPR with slight changes, most of which are of superficial nature.
The core provisions of the GDPR for which it has become known all over the world all remain the same under the new domestic UK-GDPR, including:
- The principles relating to the processing of personal data and the lawfulness of processing (Article 5), the rules around processing of special categories of personal data (Article 9), also known as sensitive personal data such as data on race, political opinions, religious or philosophical beliefs, biometric data, sexual orientation and more.
- The conditions for consent (Article 7), with the exception of the valid age of consent (Article 8) that is lowered to 13 years in the UK-GDPR from 16 years in the EU GDPR.
- The rights of the data subject (Articles 15-22), including the right to access, right to be forgotten, right to data portability and the right to rectification etc.
Check out more on the new UK-GDPR after Brexit.
The changes made to the GDPR after Brexit in order to create the new domestic version are visible in the following Keeling Schedule, which is a document comprising all the changes of the DPPEC regulations made to the GDPR.
Keeling Schedule for the new domestic post-Brexit GDPR.
The amended Data Protection Act 2018
The new and amended Data Protection Act 2018 also took effect on January 31, 2020.
The DPA2018 will no longer rely on the EU GDPR, but on the UK-GDPR instead. It will instead refer to the new domestic GDPR after Brexit.
UK citizens will now be protected by a comprehensive data protection regime that is made up of the UK-GDPR on the one hand that defines (just as the EU GDPR does today) what personal data is and how it is allowed to be processed, and the Data Protection Act 2018 on the other hand, supplementing the domestic GDPR and extending beyond it as well.
More on the new and amended Data Protection Act 2018 here.
Keeling Schedule for the Data Protection Act 2018.
Brexit and GDPR in short
Here’s a short recap of what happened on January 1, 2021:
- Six months interim period secures free personal data flow between UK and EU.
- The new UK-GDPR is in effect.
- An amended version of the Data Protection Act 2018 is in effect.
According the UK government, “no, or no significant, impact on the private, voluntary or public sector is foreseen” as a consequence of the changes made to UK data protection law.
Now, with regards to the GDPR after Brexit in the EU – there are no changes.
If a website based in the UK has visitors from the EU, it still has to comply with the European GDPR after Brexit just as it did before.
That’s because the EU GDPR has extraterritorial scope and applies to any website, company or organization in the world that collects or processes data from inside Europe.
The biggest change here will be who is the supervisor and enforcer.
Since the EU GDPR won’t apply domestically to the UK after the transition period of Brexit, data law in the UK will not be supervised or enforced by the European Data Protection Board (EDPB), the main power of supervision and enforcement today.
Rather, it will be the Information Commissioner (ICO) that will supervise and enforce the domestic UK-GDPR and Data Protection Act 2018 on UK soil.
GDPR, Brexit and your website
What does all of this Brexit and GDPR stuff ultimately mean for you and your website and its use of cookies and similar tracking technology?
It means that until June 2021, the interim provision allows unrestricted personal data flow between UK and EU.
Your website will need to comply with the GDPR (both UK and EU versions) just as before, but no additional measures need to be taken when processing personal data from the EU:
You still need the prior consent of your end-users before you are allowed to collect or process their personal data, e.g. with a cookie banner.
Learn more about GDPR and consent on your website
Cookiebot CMP scans your website and finds all cookies and similar tracking technologies, then blocks them all apart from the strictly necessary, and therefore compliant, until the user has given their consent as to which they want to activate.
This way, your website can be sure to be in compliance with the requirements of obtaining prior consent from individuals, before collecting or processing their personal data.
Protecting users in the UK after Brexit requires the same insight, transparency and control of what happens on your website as before.
In short, before Brexit, under Brexit and after Brexit, our solution ensures your website full EU and UK-GDPR compliance, as well as compliance with the Data Protection Act 2018.
FAQ
Will the GDPR apply in UK after Brexit?
If your website processes personal data from users inside the EU, you are required to comply with the EU’s GDPR, even if your website is located and operated from inside the UK after Brexit. The UK-GDPR applies domestically in the UK and requires the same data protection and consent from your users as the EU’s.
What is the UK-GDPR?
The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s domestic data privacy law that replaces the EU’s GDPR after Brexit. The UK-GDPR is essentially the same law as the EU’s GDPR only changed to accommodate domestic areas of law. The UK-GDPR will regulate personal data and require the same legal bases for processing of personal data.
What is the Data Protection Act?
The Data Protection Act 2018 (DPA2018) is a domestic law governing the use of personal data and flow of information in the UK. Together with the UK-GDPR it forms the legal regime of data privacy in the United Kingdom. The DPA also governs data processing for law enforcement authorities and intelligence services.
How can websites be compliant with the UK-GDPR?
Your website is required to obtain the prior consent from users before processing any of their personal data. To ensure compliance on your website, a consent management platform scans and detects all cookies and trackers in operation, then keeps them deactivated until your users have given their consent.
Try Cookiebot CMP free for 14 days… or forever if you have a small website
Resources
What is the Data Protection Act 2018?
UK adequacy decision from June 2021
ICO’s consultation on data transfers to and from the U.K. from August 2021
EPRS report on EU-UK private-sector data flows (pdf)
See IAPP’s comprehensive Brexit privacy checklist
Keeling Schedule for the new UK-GDPR
Keeling Schedule for the amended Data Protection Act 2018
The Information Commissioner’s Office (ICO)
Controlling the cookie (consent) monster 2021, blogpost from Evalian