GDPR, Brexit, and data protection in the UK

The impact of Brexit on civil and digital rights: Part 2

Rebecca Sentance
Pirate Party UK
7 min read · Apr 23, 2019


Introduction

The Pirate Party UK has a strong stance on data privacy and an individual’s control over their own data. As members of the EU, we also adopt rules based on EU regulations, such as the General Data Protection Regulation, a major update to the EU’s privacy laws which came into effect on 25th May, 2018.

In theory, EU regulations and directives will no longer apply to the UK once we leave the European Union, but the reality of whether we choose to apply these laws while still trading, working and co-existing with the European Union, or whether we repeal existing legislation that has already passed, is a little more complex.

This article examines how Brexit may or may not impact the GDPR as it applies to the UK, and our overall data privacy laws, once we are no longer a member of the EU.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a major regulation in EU law on data privacy and data protection that affects all individuals within the European Union (EU) and European Economic Area (EEA). One of its main goals was to simplify the various privacy laws within the EU, while also giving individuals control over their own data.

Who does it apply to?

The GDPR applies to all individuals, organisations and companies that are either “controllers” of personal data (someone who determines the purposes for which data needs to be processed) or “processors” of personal data (anyone who processes personal data on behalf of a controller), and they are considered accountable for their handling of personal information.

The definition of “personal data” under the GDPR is a very broad one, covering any piece of information that can be used to identify a person — from a name, to an address, an IP address, or even a pseudonym. The GDPR also covers “sensitive personal data”, which includes things like genetic data, information about a person’s religious and political views, information about their sexual orientation, and more.

Because the GDPR is such a broad regulation, the answer to the question “Does my organisation need to comply with the GDPR?” is almost always “Yes” if your organisation is based in the EU or EEA, does business with any companies within those areas, or could conceivably be processing the data of individuals from those areas. This is why all kinds of companies based in the United States and around the world, such as online newspapers, social networks and ecommerce websites, still have to comply with the GDPR: they almost certainly have customers or users whose data is covered by it.

(With that said, there are also some exemptions to the GDPR for things like law and public protection, journalism and research, health data, social work and child abuse, finance, and confidential references. Organisations are expected to consider whether they can rely on an exemption on a “case-by-case” basis, and to document and justify their reasons for doing so.)

As a side note, there has been some disagreement as to whether the GDPR applies strictly to citizens of EU and EEA countries (meaning it wouldn’t automatically apply to people living and working in those areas who didn’t have citizenship) or whether it applies to anyone geographically located in the EU and EEA (meaning that it wouldn’t apply to EU citizens living and working abroad). This is why some companies tried to get around complying with the GDPR by blocking traffic or users from the EU and EEA.

However, since it isn’t clear that this is enough to get around the GDPR, the safest bet is always to comply with it.

What rights does the GDPR give individuals?

The GDPR provides individuals with eight rights in relation to their personal data and how it is processed:

  1. The right to be informed
  2. The right of access
  3. The right to rectification (i.e. correction of incorrect data)
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability (i.e. the ability to obtain whatever data has been collected on them)
  7. The right to object
  8. Rights in relation to automated decision-making and profiling.

The Information Commissioner’s Office has a Guide to the GDPR which goes into more detail on what each individual right involves.

What are the penalties for not complying?

The maximum penalty for GDPR non-compliance is 4% of an organisation’s annual global turnover, or €20 million (whichever is higher), which is why most organisations have been taking it very seriously. This level of fine would be imposed for the most serious breaches of the regulation, such as not having sufficient consent to process people’s data.

A lower fine of 2% of annual turnover, or up to €10 million, could be imposed for less serious breaches, such as not keeping records in order, or not notifying the authorities and any affected individuals about a data breach.

How does the GDPR currently apply to the UK?

As a regulation, the GDPR is a legal act that is immediately enforceable as law in all EU member states, meaning that it doesn’t have to be transposed (brought into force) as a national law. When it comes into force, it overrides all national laws dealing with the same subject matter, and any new legislation has to be consistent with it. However, the GDPR did allow flexibility for some aspects of the legislation to be adjusted by individual member states.

In the UK, royal assent was granted to the Data Protection Act 2018 on the 23rd May 2018. This superseded the Data Protection Act 1998, the UK’s primary law regarding the protection, processing and movement of data, and brought it up to date. It is the third generation of data protection regulation in the UK.

The Act broadly implements the GDPR in the UK, including the parts of the regulation which are “to be determined by member state law”, and creates a framework similar to the GDPR for processing personal data which is outside the scope of the regulation, such as data relating to immigration and national security. In the words of the Information Commissioner’s Office, “[The Data Protection Act] applies GDPR standards but it has been amended to adjust those that would not work in the national context.”

What happens when the UK leaves the EU?

Because the UK has its own national law applying the GDPR’s standards, the Data Protection Act 2018, the GDPR will still apply to the UK once it leaves the EU. Under Section 3 of the European Union (Withdrawal) Act 2018 (one of multiple Withdrawal Acts that have been passed in anticipation of Brexit), the GDPR will be incorporated directly into domestic law once the UK exits the European Union.

Once the UK does leave, it will become a “third country” for the purposes of transferring personal data outside the EU, just like any other non-EU country. Under the GDPR, the European Commission has the power to determine whether a country outside the EU and EEA has an adequate level of data protection (known as an “adequacy decision”) for data to be transferred to that country without any additional restrictions. A handful of countries, including Japan, Switzerland, Israel, Canada (for commercial entities) and the Faroe Islands, have so far received this recognition.

But adequacy status isn’t granted automatically, which means that restrictions would most likely apply to data transferred between the EU/EEA and the UK until the European Commission had assessed the UK’s status.

A lot could also depend on what type of deal, if any, the UK leaves with; the data situation under a no-deal Brexit could be quite different to a softer Brexit, where the UK still retains a lot of links with the EU and its institutions.

What is the Pirate Party UK’s stance on the GDPR and data protection?

The Pirate Party UK is in favour of robust data protection laws that inform data subjects of their rights and ensure that organisations are clear about their data policies. For this reason, we support the General Data Protection Regulation and urge the UK to continue complying with its standards after it leaves the European Union.

We would also ensure that the freedom for ordinary citizens to encrypt data and communications is not abridged or limited, and promote access to encryption tools. We believe wholeheartedly in citizens’ rights to private communication, and oppose the return of the Communications Data Bill (“Snoopers’ Charter”) or any similar legislation. We would also forbid third parties from intercepting or monitoring communications traffic, and require specific warrants to be issued by a court before this activity can take place.

Additionally, the Pirate Party UK opposes the warrantless mass surveillance of citizens and suspicionless collection of data, and would force the government to be open about the scope, purpose and scale of its surveillance and monitoring. Whether the UK is a member of the European Union or not, we believe that all citizens have a right to strong data protection laws, and should be able to trust in their government to only collect and retain necessary data for as long as it is needed, and only when it has justifiable cause to do so.

Resources

For further reading on the GDPR and data protection laws in the UK, refer to:

What is GDPR? The summary guide to GDPR compliance in the UK — Wired UK
Guide to Data Protection — The Information Commissioner’s Office
Guide to the General Data Protection Regulation (GDPR) — The Information Commissioner’s Office
Data Protection Act 2018 — The Information Commissioner’s Office
Brexit, GDPR and Data Protection: What happens if the UK becomes a third country? — Data Protection Network
Data Protection — GOV.UK
