Navigating the Government’s No Deal Brexit Preparations for Data Protection

The UK government recently announced certain Brexit/No Deal preparations when it comes to data protection and privacy, but very little is understood about these so far.

Here Alexander Edwards, a lawyer with Rosling King LLP, discusses what’s to come and how it will affect you.

The UK government has unveiled a series of amendments to the Privacy and Electronic Communications Regulations (PECR) to ensure the UK’s legal framework for data protection functions correctly after the UK leaves the EU and to prepare for the prospect of a No Deal Brexit. It is crucial that companies are attuned to these amendments, which come into effect on Exit Day (whenever that may be), to ensure that they do not fall foul of data protection rules and avoid potentially hefty fines.

The PECR is a set of regulations that implements into UK law the EU e-Privacy Directive (ePD). It sits alongside GDPR and both must be read together. It is worth distinguishing from the outset the key differences between PECR and GDPR. The PECR generally only applies to organisations that provide a public electronic communications network or service. In some instances, even if you are not a network or services provider, PECR may still apply to you, such as if you market by phone, email or text; use cookies or similar technology on your website; or compile a telephone or public directory. By this account most companies will in fact be caught by PECR.

Whilst GDPR does not replace PECR, it does change the underlying definition of consent: PECR stipulates that you must not send marketing emails or texts to “individual subscribers” without ‘consent’. This will need to meet the GDPR standard of consent to ensure it is valid. This involves a clear affirmative action, such as an opt-in to receive such communications.

There is an exemption within PECR called the Soft Opt-in, which states that you do not require consent where:

  • You have obtained contact details in the course of a sale;
  • You are only marketing your own similar products and services; and
  • You provided a simple opportunity to opt out of the marketing when you first collected the contact details.

The GDPR governs the data you use for email marketing, whilst the PECR defines the required permission to send email marketing. There is naturally much overlap between the GDPR and PECR as both aim to protect people’s privacy and therefore compliance with one shall help compliance with the other.

To ensure that the UK legal framework for data protection functions correctly after the UK leaves the EU, the government is preparing a series of amendments. The first set of amendments, PECR Amendments No 1, will come into effect on the day the UK leaves the EU, and will:

  • Extend the GDPR standards to certain data processing activities outside the scope of EU law;
  • Make amendments to international transfers of personal data, institutions and member states; and
  • Formally amend the definition of consent in the PECR to mirror the GDPR definition.

The second set of amendments addresses the prospect of the UK leaving the EU under a “No Deal” scenario, and will ensure that personal data transferred from the UK to Privacy Shield organisations in the US continues to be protected under the Privacy Shield framework in that event. Reliance on the Privacy Shield can only take place after Exit Day in a “No Deal” scenario if the certified Privacy Shield organisation has updated its privacy policy to refer to personal data transfers from the UK.

The Privacy Shield is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US. It enables US organisations to more easily access personal data from entities based in the EU and protected by EU privacy laws.

This will provide some commercial and legal certainty for UK businesses in a “No Deal” scenario and UK data subjects will continue to have access to the redress mechanisms afforded by the Privacy Shield.

In order to ensure compliance, organisations should carry out audits of their policies and procedures to help understand and meet obligations. UK organisations wishing to make transfers to US organisations under the Privacy Shield will need to check that the US organisation has made the necessary update to its commitment to compliance with the Privacy Shield, which is usually possible by checking the US organisation’s publicly available privacy policy.
