Data Protection & Brexit for Solicitors

By Justin Tivey and Clare Hughes-Williams

Published 06 May 2021

Overview

The Data Protection Acts 1998 and 2018 were rooted in European Directives and Regulations. However data protection laws have not gone away as a result of Brexit. Indeed Brexit is not even the beginning of the end but changes are afoot as a result of the United Kingdom leaving the European Union.

Under the pre-Brexit regime the UK was part of one unified data protection regime across Europe. There was no need to think any differently about the treatment of the data of EU and UK citizens and the transfer of data to and from other EU countries.

As a result of Brexit the EU’s General Data Protection Regulation has been incorporated into UK domestic legislation but will be amended by Regulations awaiting Parliamentary approval. These will substitute references to the EU bodies in the GDPR to UK entities, principally the Information Commissioner’s Office. Crucially though the competence of a lead supervisory authority will go as will the suspension of proceedings in one EU Court where another is already dealing with the same subject matter.

This could give rise to issues in the event of a solicitors practice suffering a data breach affecting any data relating to EU citizens. Prior to Brexit a UK law firm with no other EU offices, but which was undertaking cross-border processing activities in the EU, could nominate the ICO as its lead supervisory authority under the “One Stop Shop” mechanism, meaning only one notification would be required of the firm in the event of a breach. Now, in the same situation, the UK law firm would be required to make a notification to the ICO, but as there would be no establishment in the EU, it would not be able to nominate a lead supervisory authority, and would instead be required to make notifications to all jurisdictions in which there are impacted data subjects.

As a consequence, enforcement action and regulatory fines could follow from more than one regulator, and legal proceedings by data subjects in the UK and EU could proceed simultaneously. This could multiply the headaches already caused by data breach incidents.

As part of the trade and other agreements between the UK and EU reached in December 2020 there is a grace period of up to 6 months under which the UK is not regarded as a third country for data protection purposes. This maintains the status quo while the EU and UK decide whether each other’s data protection regimes are adequate so that data can be sent without additional safeguards. In a positive development on 19 February 2021 the EU proposed that should be the case for a further 4 year period subject to member state agreement.

However, the grace period and any adequacy decision do not change the position in terms of the UK no longer being able to participate in the One Stop Shop.

Solicitors having any communications or dealings with European contacts or clients need to check the ICO’s guidance on data transfers and update privacy policies accordingly. The appointment of an EU representative or a lead regulatory authority in the EU should also be considered.