1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Brexit impact on privacy

On Friday, January 31, 2020, the United Kingdom (UK) left the European Union (EU) after 47 years as part of the union.

While the UK has ceased to be part of the EU when the clock struck midnight in Brussels, the UK and EU have agreed to a transition period until the end of 2020, to allow the UK to continue its current relationship with the EU, while future trading relationships are negotiated.

As part of this transition period, the UK’s Information Commissioner Office has clarified that the EU’s General Data Protection Regulations (GDPR) will remain in effect until the end of 2020.

No changes required at this time, but …

If you or your clients offer goods or services in the UK, and process personal data of UK residents, the GDPR will continue to apply to the treatment and safeguarding of that personal data.

Similarly, the GDPR still applies, and data protection agreements (DPA) are still required as part of an agreement with organizations that process personal data of individuals from the UK.

The UK’s Data Protection Act of 2018 incorporates the GDPR into UK law. It remains to be seen what status the EU will give to personal data transfers to the UK: Will the EU allow such transfers or will it apply the same conditions as for the rest of the world?

Adequacy status for Canada

At the time of this writing, the EU Commission considered Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) adequate to receive and process personal data of EU residents in Canada without further conditions under the GDPR. However, this adequacy status is up for review in 2020 by the EU Commission.  

Even if Canada retains its adequacy status with the EU, it is not clear what regime the UK will adopt in relation to cross-border personal data flows. While it is fair to expect that the UK will look favourably at facilitating cross-border data flows towards North America in support of new trade agreements, UK businesses have recently started to show concern with the UK’s direction in that regard. Indeed, in the months leading up to the UK leaving the EU, organizations from the UK have started to ask for further assurances related to data protection from entities outside the UK, including Canadian businesses processing information of UK residents.

With all these uncertainties at play this year, do not be surprised if a UK business partner asks you to sign the Standard Contractual Clauses with respect to personal data of UK residents being stored or processed in Canada. 

What to expect

Following the transition period, there may be areas of uncertainty around the data protection landscape in the UK. It is likely, however, that the UK will keep its GDPR-based data protection legislation to address any concerns about the flow of personal data between the EU and the UK, and keep its flexibility in negotiating free trade agreements with North America.

Please contact a member of our Privacy and Cybersecurity group if you have any questions on the impact of Brexit and the privacy compliance obligations.

Brexit impact on privacy

Mark your calendars: Mandatory data-breach notification rules come into force November 1

The federal government released an Order in Council, dated March 26, 2018, announcing that the mandatory data-breach notification rules will come into force on November 1, on the recommendation of Navdeep Bains, Minister of Industry, Science and Economic Development.

After nearly three years, sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of the Digital Privacy Act, Chapter 32 will come into effect to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal government released the proposed breach reporting rules in September 2017 and advised at that time that the proposed regulations will be delayed coming into force after their publications, meant to “give regulated organizations time to adjust their policies and procedures accordingly and ensure that systems are in place to track and record all breaches of security safeguards that they experience.”

With the amendment, PIPEDA will contain provisions requiring organizations to notify affected individuals and organizations of breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner. It also creates offences in relation to the contravention of certain obligations respecting breaches of security safeguards. Among the changes, the new rules will also give the privacy commissioner the power to enter into a “compliance agreement” with an organization in certain circumstance to ensure the organization’s compliance with PIPEDA.

Stay tuned for further updates.

Mark your calendars: Mandatory data-breach notification rules come into force November 1