GDPR UK adequacy update 2021
Since the UK has left the EU, the question of personal data transfers has been top of the list for many websites, companies, and privacy organizations in both blocs.
In the agreement signed by the UK and EU at the end of December 2020, a provision allowed for the continued, unrestricted flow of data between the two blocs for an interim period of six months (until June 2021).
On June 28, 2021, the European Commission adopted an adequacy decision for the UK, ensuring the continued free flow of personal data between the two blocs for the next four years.
Under the EU’s GDPR, adequacy decisions can be adopted by the EU if it deems that a third country (i.e. a country outside of the European Union) has an equivalent level of data protection. If so, personal data from EU residents can be transferred to the country freely (still requiring end-user consent, as always of course).
Since the UK left the EU under Brexit, the UK is not covered by the GDPR anymore, and adequacy talks have been a point of importance to ensure continued flow for websites, companies, and organizations in both blocs.
Particular to the UK adequacy decision from June 2021 is a so-called “sunset clause” that strictly limits the free flow of data to a 4-year period from the effective date, after which the adequacy status of the UK will not automatically be renewed. If the EU chooses to renew the agreements, a new adoption process will start.
The UK already has in place a new domestic data privacy law called UK-GDPR that is exactly the same as the EU version and is supported by the UK’s Data Protection Act of 2018.
Compliance with the UK-GDPR and the EU’s GDPR remains an obligation for any website, company or organization that processes personal data from individuals inside either the UK or the EU: the explicit consent of users must be obtained before any processing or transfer is allowed to take place.
See the UK adequacy decision from June 2021
See the ICO’s consultation on data transfers to and from the U.K. from August 2021
Learn more about GDPR and end-user consent
GDPR compliance after Brexit in 2021
Cookiebot CMP for UK compliance
Being compliant with the EU GDPR, the new UK-GDPR and the supporting data protection legislations such as the Data Protection Act 2018 might seem a tad confusing, what with all the other messy stuff that comes with Brexit.
Cookiebot CMP by Usercentrics is the world-leading GDPR compliance solution for websites of all shapes and sizes.
Built around a powerful scanner that detects all cookies, trackers and trojan horses, our solution gives your users automatic control of their personal data, in full compliance with the requirements of both the EU and UK data privacy regime.
Cookies are one of the most common ways that websites process personal data, so for compliance with data law it is important both to know which cookies are active on your website and to give your end-users a prior choice of which cookies they want active when visiting your domain.
By simulating visitors on your website – scrolling, clicking, exhausting all possible uses of your domain – our solution detects trackers present, both first party (your own website’s) and third party (usually marketing cookies from ad tech companies that are privacy invasive).
With a highly customizable consent banner and automated geo-targeting, we take the hard part out of being compliant with the world’s major data privacy laws.
Cookiebot CMP offers plug-and-play compliance with the EU’s GDPR, UK’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA, Singapore’s PDPA and more.
Learn more about the GDPR and consent
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that took effect in May 2018 and is uniformly binding in all 27 EU nations. It controls how companies and organizations are allowed to handle personal data.
Personal data is defined in the GDPR as any information that directly or indirectly identifies a natural person, such as names, physical addresses, IP addresses, location data, and information about physical, mental, economic, cultural or social facts.
Sensitive personal data is defined by the GDPR as data about religious convictions, political opinions and/or sexual orientation.
The GDPR sets out eight rights for individuals in total, including the right to request access to one’s data (a so-called Subject Access Request or SAR) and the right to request that one’s personal data be deleted.
However, the most important right that the GDPR empowers EU citizens with is the right to not have their data (personal or sensitive) collected and processed without prior consent.
Here, the GDPR requires websites to –
- obtain clear and unambiguous consent from their users,
- prior to any processing of personal data,
- after specifying all types of cookies and other tracking technology present and operating on their pages,
- in easy-to-understand ways that enable users to give and revoke consent for each specific category of cookies,
- document each user consent safely and confidentially,
- and ask for renewed consent regularly, e.g. every six months.
This is the backbone of GDPR compliance.
In doubt whether your website is GDPR compliant? Test with Cookiebot’s free compliance test.
GDPR in the UK after Brexit 2021
The United Kingdom has been regulated by the European GDPR since it took effect in May 2018.
Upon leaving the EU on January 1, 2021, the UK is officially no longer part of the EU’s GDPR, i.e. the EU’s GDPR no longer has the domestic jurisdiction in the UK that it had from May 2018.
The UK has passed its own version called the UK-GDPR, which alongside the Data Protection Act of 2018, is in effect now.
The new UK-GDPR is essentially the same as its European predecessor, only revised so as to cover areas of the domestic law that are not touched upon by the EU regulation. These include among others national security, the intelligence services and immigration.
Learn more about the Data Protection Act 2018
See IAPP’s comprehensive Brexit privacy checklist
GDPR and the UK’s other data laws
The Information Commissioner’s Office has several data laws to enforce in the UK.
After Brexit on January 1, 2021, the following data laws have taken effect in the UK:
- UK-GDPR (United Kingdom General Data Protection Regulation)
- Data Protection Act 2018
- PECR (Privacy and Electronic Communications Regulations 2003)
PECR is the UK’s national implementation of the European ePrivacy Directive. It deals with the protection of personal data in relation to electronic communications, specifically cookies and online marketing communications.
Visit the ICO to read more about the PECR.
Since it’s a national implementation, i.e. a domestic UK law, the PECR will still apply after Brexit.
ICO and cookies – updated guidelines to the PECR
ICO updated its guidelines regarding the use of cookies, and hence the processing of user data, under the PECR. It did so in order to align them with the consent standards of the GDPR.
ICO has ruled that the only valid form of consent on websites is consent given prior to the initial tracking, obtained through cookie banners without any pre-ticked checkboxes.
Read more about the updated guidelines on ICO’s own website.
Website owners and operators are no longer allowed to collect or process personal information if users simply close a cookie banner or keep browsing a site after a cookie banner has appeared.
Instead, users must affirmatively consent by ticking the boxes for each category of cookies they accept, apart from the strictly necessary ones a website needs in order to function.
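The consent rules above (no pre-ticked boxes, no consent by closing or scrolling, per-category grant and revocation, documented consent, regular renewal) can be expressed as a small state machine that gates tracker loading. This is an added illustration, not Cookiebot’s or the ICO’s code; the category names and the six-month renewal interval are assumptions taken from the text.

```javascript
// Added example (not Cookiebot's code). Category names are assumed; the
// six-month renewal interval follows the "e.g. every six months" guidance above.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const RENEWAL_MS = 182 * 24 * 60 * 60 * 1000; // roughly six months

// Default state: nothing pre-ticked, only strictly necessary cookies allowed.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false,
           marketing: false, givenAt: null };
}

// Apply one user interaction. Only an explicit "accept" grants consent;
// closing the banner or continuing to browse leaves the defaults unchanged.
function applyEvent(state, event, now) {
  switch (event.type) {
    case "accept": {
      const next = defaultConsent();
      for (const c of event.categories) {
        if (CATEGORIES.includes(c)) next[c] = true; // unknown categories ignored
      }
      next.givenAt = now;
      return next;
    }
    case "withdraw": { // revoking a single category must be as easy as granting it
      const next = { ...state };
      for (const c of event.categories) if (c !== "necessary") next[c] = false;
      return next;
    }
    case "close":  // dismissing the banner is not consent
    case "scroll": // continued browsing is not consent
    default:
      return state;
  }
}

// Consent lapses after the renewal interval, so the banner must be shown again.
function consentIsCurrent(state, now) {
  return state.givenAt !== null && now - state.givenAt < RENEWAL_MS;
}

// Gate every non-necessary tracker behind this check before loading it.
function mayLoad(category, state, now) {
  if (category === "necessary") return true;
  return consentIsCurrent(state, now) && state[category] === true;
}

// Record retained by the site as documentation of each consent decision.
function consentRecord(state, consentId) {
  return { consentId, givenAt: state.givenAt,
           choices: CATEGORIES.filter((c) => state[c]) };
}
```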
Who enforces GDPR in the UK?
While the UK was still a part of the European Union, it was the responsibility of the Information Commissioner’s Office (ICO) to enforce the EU’s GDPR on UK soil.
However, since the UK is no longer an EU member state, the main responsibilities of the ICO will now be to enforce its own domestic version, the UK-GDPR, and the supporting Data Protection Act of 2018.
The EU’s GDPR is enforced by the national data protection authorities (so-called DPAs) in each EU nation, although special responsibility and power fall to the Irish DPA as the lead regulator of the GDPR in the EU.
This is because a provision in the GDPR specifies that the law’s lead regulator must be the DPA of the country that houses a tech company’s data controller, which is the case for Ireland when it comes to both Facebook and Google.
ICO and GDPR
ICO is the enforcer of the GDPR in the UK with the power to conduct criminal investigations and issue fines, as was witnessed last year when it raided the offices of Cambridge Analytica, the disgraced data firm that abused the personal information of 87 million people, obtained through Facebook, to influence both British and US elections.
After Brexit, the ICO will become the enforcer, supervisor and regulator of the domestic UK-GDPR.
GDPR fines UK
According to the GDPR, UK websites and companies that fail to comply with its requirements can be fined up to €20 million or four percent of the company’s annual global turnover, whichever is greater.
So far, GDPR fines in the UK have varied considerably in form and severity.
ICO has enforced the GDPR in the UK on numerous occasions already.
Many of the monetary penalties issued by ICO in the year after the GDPR took effect in the UK center around unsolicited direct marketing, which is unlawful according to the GDPR. Prior consent from customers or users is required before a company or website can undertake direct marketing.
ICO has stated that it prefers to work with organizations to improve their practices, rather than seeking maximum fines.
Its GDPR enforcement has so far taken shape as monetary penalties, but also guidance to companies and organizations in order to improve their practices and sometimes “a stern letter can be enough”, ICO stated.
How to comply with the GDPR in the UK
If you process personal data of individuals in the UK, you must comply with the GDPR, the Data Protection Act 2018 and the PECR.
After Brexit, you must comply with the new UK-GDPR, the Data Protection Act 2018 and the PECR.
The UK has an adequacy agreement with the EU, ensuring the free flow of personal data between the two blocs for a four-year period (until June 2025).
Cookiebot CMP enables full compliance with all domestic UK data privacy laws and the EU’s GDPR.
Summary
So, to sum up –
GDPR and the UK
In June 2021, an adequacy decision was made by the EU for the UK, ensuring the free flow of data for a strict four-year period (until June 2025).
After this period, the EU must renew adequacy talks in order to determine whether the UK still offers an equivalent level of data protection for EU residents and their data privacy.
Since Brexit, the new UK-GDPR is in effect domestically in the UK, meaning the same data protection requirements apply as before under EU law.
ICO and GDPR
The ICO is the lead enforcer of the UK-GDPR, Data Protection Act of 2018 and PECR.
Data Protection Act 2018 and PECR
An amended version of the Data Protection Act 2018 took effect on January 31, 2020.
PECR is a domestic law in the UK regulating electronic communication and continues to apply after Brexit.
FAQ
How is the GDPR applicable in the UK post Brexit?
The EU’s General Data Protection Regulation applies to any processing of personal data from individuals inside the European Union, but after Brexit it no longer applies to the processing of personal data from individuals inside the UK. After Brexit, the new UK-GDPR applies domestically in the UK and is the equivalent of the EU’s GDPR.
Who will enforce the UK-GDPR?
The Information Commissioner’s Office (ICO) is the lead supervisory body and enforcer of the UK-GDPR. The ICO has the power to conduct criminal investigations, adopt guidelines and issue fines for non-compliance.
What is personal data under the UK-GDPR?
Personal data is anything that can be used to identify a living individual, either directly or indirectly. Personal data includes names, addresses, driver’s license and passport numbers, health data, location data, and information about religious beliefs and political convictions, but also cookies, IP addresses, and search and browser history.
How do I control cookies on my website?
Cookies are difficult to control – many cookies will secretly load other cookies, and many of those will change on repeated visits. Using a consent management platform can help your website control its cookie setup and ensure compliance with data privacy laws like the EU’s GDPR and UK-GDPR.
Resources
Learn more about the Data Protection Act 2018
UK adequacy decision by the European Commission, June 2021
Learn more about the GDPR after Brexit
See IAPP’s comprehensive Brexit privacy checklist
General Data Protection Regulation (GDPR) official law text
ePrivacy Directive 2009 official law text
UK Data Protection Act 2018 official law text
Privacy and Electronic Communications Regulations (PECR)