Navigating the Government’s No Deal Brexit Preparations for Data Protection
The UK government’s recently announced certain Brexit/No Deal preparations when it comes to data protection and privacy, but very little is understood about these so far.
Here Alexander Edwards, a lawyer with Rosling King LLP, discusses what’s to come and how it will affect you.
The UK government has unveiled a series of amendments to the Privacy and Electronic Communications Regulations (PECR) to ensure the UK’s legal framework for data protection functions correctly after the UK leaves the EU and to prepare for the prospect of a No Deal Brexit. It is crucial that companies are attuned to these amendments, which come into effect on Exit Day (whenever that may be), to ensure that they do not fall foul of data protection rules and avoid potentially hefty fines.
Whilst GDPR does not replace PECR, it does change the underlying definition of consent: PECR stipulates that you must not send marketing emails or texts to “individual subscribers” without ‘consent’. This will need to meet the GDPR standard of consent to ensure it is valid. This involves a clear affirmative action, such as an opt-in to receive such communications.
Whilst GDPR does not replace PECR, it does change the underlying definition of consent: PECR stipulates that you must not send marketing emails or texts to “individual subscribers” without ‘consent’.
There is an exemption within PECR called the Soft Opt-in, which states that you do not require consent where:
- You have obtained contact details in the course of a sale;
- You are only marketing your own similar products and services; and
- You provided a simple opportunity to opt out of the marketing when you first collected the contact details.
The GDPR governs the data you use for email marketing, whilst the PECR defines the required permission to send email marketing. There is naturally much overlap between the GDPR and PECR as both aim to protect people’s privacy and therefore compliance with one shall help compliance with the other.
To ensure that the UK legal framework for data protection functions correctly after the UK leaves the EU, the government is preparing a series of amendments. The first set of amendments, PECR Amendments No 1, will come into effect on the day the UK leaves the EU, and will:
- Extend the GDPR standards to certain data processing activities outside the scope of EU law;
- Make amendments to international transfers of personal data, institutions and member states; and
- Formally amend the definition of consent in the PECR to mirror the GDPR definition.
The Privacy Shield is a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US. It enables US organisations to more easily access personal data from entities based in the EU and protected by EU privacy laws.
This will provide some commercial and legal certainty for UK businesses in a “No Deal” scenario and UK data subjects will continue to have access to the redress mechanisms afforded by the Privacy Shield.