Time for a Brexit Check-Up – Where Are We Now?
The current UK government won a large electoral majority in December 2019 on the back of an ‘oven ready’ set of terms for EU withdrawal and ongoing trade. Those terms took the UK out of the EU on 31 January 2020, and the trade terms took effect on 1 January 2021. The UK government declined to exercise an option to extend the transition period, but has since avoided fully implementing its own checks on the import of goods from the EU. It is also seeking to renegotiate the Northern Ireland Protocol which governs the movement of goods between Great Britain and Northern Ireland (‘the border in the Irish Sea’). While the scope for trade in services is very limited (despite promises by the UK government to secure broader rights for financial services, for example), the UK government is actually consulting on various initiatives that would see UK law ‘diverging’ from EU law in ways that are likely to increase friction in trade between the EU/EEA and the UK. A key area is data protection, notwithstanding that the EU agreed a limited extension and made an early ‘adequacy finding’ in relation to the UK’s data protection regime, to ensure the continued flow of the personal data from the EEA to the UK.
The latest trade checks to be deferred by the UK government are:
- Pre-notification of agri-food imports (until 1 January 2022);
- Export Health Certificates and Phytosanitary Certificates, and physical checks on sanitary and phytosanitary (SPS) goods at Border Control Posts (to start from 1 July 2022);
- Safety and Security declarations on imports (as of 1 July 2022).
Full customs controls and checks will begin on 1 January 2022 in any event.
The likely severity of the impact of these controls can be judged by the UK government’s efforts to avoid them. The value of goods exported to EU countries has decreased by £1.7bn since July 2018, while imports fell by £2.9bn. The British Chambers of Commerce’s head of trade policy, William Bain, said: “Overall, the figures remain concerning. Taken in conjunction with German trade data from earlier this week, the UK is clearly doing less trade with the EU than three years ago. SMEs and other businesses will want to see steps being taken by the UK government and the EU to help improve this situation in the coming months.”
In addition, the UK government has signalled various efforts to ensures that UK law diverges from EU law, reducing any likelihood that maintaining ‘alignment’ in those limited areas might have yielded further ‘equivalence’ or ‘mutual recognition’ to the advantage of trade between the UK and EU in financial services, for example.
The UK Chancellor recently signalled a range of areas in which his government plans to diverge from the EU regulation. This would affect insurance capital, stock and derivatives trading, commodity markets, bond trading and the content of prospectuses. There is already no prospect of ‘passporting’ retail financial services from the UK into the EEA. Overall, it seems likely that firms who used to trade in financial services with EEA customers and who have since created EEA-based ‘hubs’ will begin to see significant differences in how their UK and EEA businesses operate.
In September 2021, the UK government began consulting on changes it claims will create an “ambitious, pro-growth and innovation-friendly” market in personal data. This is seemingly at odds with the global movement towards increasing data protection, and the recent European Data Protection Board findings against WhatsApp, for example. Whether the move from prescriptive rules under the General Data Protection Regulation as it applies in the UK to a “focus on outcomes” will make the UK “the world’s most attractive data marketplace” is questionable. The UK government forecasts an economic benefit of only £1 billion over the next decade, which may be dwarfed by the consequences of losing the EU adequacy finding.
Less reliance on consent
The UK proposes to list of activities that would be “legitimate interests” giving controllers the right to process personal data without consent and without assess the impact on the interests or rights of data subjects, except for certain circumstances such as where children’s data are involved.
The UK proposes to drop requirements to maintain records of processing activities, conduct data protection impact assessments and appoint a data protection officer. Controllers would merely be required to manage personal data processing in a way that is proportionate and reflects their specific processing activities. However, uncertainty as to what is ‘best practice’ means that UK firms might simply maintain their GDPR compliance measures, except to the extent that the Information Commissioner’s Office (ICO) provides guidance to the contrary.
The UK government plans to replace the requirement to report personal data breaches unless they are unlikely to result in a risk to data subjects, with an obligation to report unless the risk to data subjects is “not material”. The ICO would be expected to offer guidance on what this means, with an opportunity for voluntary undertakings for remedial action.
Cost cap for rights requests
The UK government is renowned for limiting its responses to Freedom of Information requests and similarly plans to curtail personal data subject access requests where costs exceed a certain limit or reintroduce a fee.
Easing privacy regulations
The government also plans to liberalise the Privacy and Electronic Communications Regulations while increasing the potential fines of up to £17.5 million or up to 4% of global turnover. Plans include allowing firms to use analytics cookies and similar technologies without the user’s consent or permit them to store information on, or collect information from, a user’s device without their consent for other limited purposes; as well as a ‘soft opt-in’ for email and text marketing extended to non-commercial organisations including charities and political parties (given the challenges faced by Vote Leave campaigners).
Removing human checks on automated decisions?
The UK government suggests it may be impracticable for individuals who are the subject of automated decisions that affect them legally or otherwise significantly be allowed the right to obtain human intervention (as they currently have under GDPR). Instead, UK law would instead permit the use of solely automated AI systems on the basis of legitimate interests or public interests. This would remove the right not to be subject to a decision resulting from ‘solely automated’ processing if that decision has legal or ‘similarly significant’ effects on data subjects. This would mean that solely automated decision-making in relation to personal data would be permitted, subject to it meeting other requirements of the data protection legislation.
International data transfers
The UK government intends to make more adequacy decisions in respect of third countries, groups of countries or regions. The law might allow transfers to countries whose regimes are not deemed adequate, based on protection that firms create for themselves, although the ICO has also set out its expectations for assessing risk in the course of international data transfers.
If you have a query relating to Brexit that could have consequences for you or your business, contact Simon or any of our legal experts at Ogier Leman, by visiting www.leman.ie