When the General Data Protection Regulation (GDPR) came into effect back in May 2018, the UK was still part of the EU and no-one had ever heard of Covid-19. We look here at the ways in which these two major events have tested the GDPR.
The pandemic has changed the use of personal data in ways we never imagined: from temperature checks to giving our personal details to every venue we visit. The GDPR did not envision that personal data, particularly sensitive medical data, would be processed in this way or on this scale.
Nevertheless, employers and hospitality venues now routinely process their employees’ and visitors’ health data, which is considered “special category data”. Special category data may only be processed for certain specified reasons, which include protecting public health. If an employee tests positive for Covid-19, the employer may inform other employees, provided that the individual is told in advance and their dignity is protected. In this way, GDPR was well prepared for the challenges posed by the pandemic.
However, when NHS Track and Trace was launched, the Department of Health faced scrutiny when it admitted that a data protection impact assessment, as required under GDPR, had not been carried out before launch. Use of the app itself is not mandatory, but relevant businesses are required to collect customer information in some form. Personal data should be kept securely and for no more than 21 days. The data must only be used for contact tracing, not for marketing, profiling, or data analytics.
Covid-19 has also caused a huge shift in the number of people working from home, which presents new security risks for personal data. Employees must ensure their own compliance with GDPR by complying with their employer’s data protection policies and taking steps to ensure data is kept secure and confidential. This has presented a significant challenge, though it remains to be seen whether there will be any fallout from a lack of compliance in this area.
Strictly speaking, the EU’s GDPR no longer applies to the UK, but new domestic data protection legislation known as UK GDPR has been introduced. The UK and EU GDPRs are almost identical, but UK GDPR makes certain minor changes to reflect that the UK is no longer part of the EU. Together, UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) govern data privacy in the UK.
At the end of the transition period, a further temporary bridging mechanism was implemented which is set to end on 30 June 2021. This treats the UK as though it were still a member of the EU for the purposes of data protection only. This means that data continues to flow between the UK and the EU as it did prior to Brexit, but the UK may not make substantial changes to its data protection legislation.
If the EU declares that the UK’s data privacy laws are adequate, data can continue to move freely. Reassuringly, the EU has published a draft finding of adequacy and it is expected that this will be approved. However, the decision needs final authorisation and cannot yet be guaranteed. If for any reason the adequacy decision is not approved, the UK will be classed as a third country and the transfer of personal data from the EU may only take place in limited circumstances.
The full effects of Brexit on the GDPR remain to be seen while the bridging period applies and will depend on whether the adequacy decision is granted. The UK government may make changes to UK GDPR after the bridging period ends. There has been speculation that the UK will introduce provisions authorising the processing of personal data to monitor immigration, permit mass surveillance and share personal data with other jurisdictions.
The EU may revoke a finding of adequacy at any time and without notice. As the UK and EU regimes diverge over time, the risk of the adequacy finding being revoked will increase. British businesses should prepare for a finding of inadequacy by ensuring that any cross-border data transfers comply with EU GDPR. One way to mitigate this risk is to include EU-approved standard terms in contracts, so that data transfers comply with EU GDPR regardless of the adequacy decision. The UK will publish its own standard terms in due course.
As well as complying with the DPA, PECR and UK GDPR, British businesses which operate in the EU will also fall within the scope of EU GDPR. This applies to businesses without an EU establishment which provide goods or services to individuals in the EU. UK businesses may therefore need to ensure that their website complies with EU GDPR where applicable to users in the EU. Further, any data processed before 31 December 2020 must comply with GDPR as it stood at that date.
What does the next year hold?
Recent debate has focussed on the possible use of Covid-19 vaccine passports. The Information Commissioner has raised concerns regarding potential data protection issues. The more stringent provisions of the GDPR which relate to special category data will need to be carefully considered as part of this process. The GDPR requires that the processing of data is proportionate, and a balance will need to be reached between acting in the public interest and protecting the rights of individuals. Companies which process vaccination passport data will need to conduct a data protection impact assessment to ensure that they comply with the GDPR’s key principles. There may also be restrictions under domestic legislation, as are already in place in France, Germany, and Belgium.
Across Europe there has been a trend towards more proactive enforcement of GDPR, rather than waiting for individuals to report data breaches. The Information Commissioner’s Office’s recent stance suggests that enforcement will be more robust in the UK as well. Awareness surrounding personal data is likely to increase, partly due to the extent to which personal data has been collected and processed throughout the pandemic and the risks posed by remote working.
What the next year holds for GDPR depends largely on whether the EU grants an adequacy decision. If not, the way in which personal data is processed for suppliers of goods and services to the EU will change significantly. Even if the UK GDPR is found to be adequate, future divergence of the EU and UK GDPR will undoubtedly change the landscape of data protection and privacy in the years to come.