On 23 June 2016, 72% of the UK’s eligible voters went to the polls to have their say on the UK’s continued membership of the European Union (EU). 51.9% of those voted to leave.
The decision to leave the EU still requires the correct constitutional process of parliamentary scrutiny and formal approval. However, with strong opposition to a ‘Brexit’ from Scotland and Northern Ireland, and the expectation of various legal challenges, exactly when this will happen is unknown.
That said, as data protection practitioners, we need to consider how the referendum result may, or may not, impact on our privacy programs, in particular our GDPR (General Data Protection Regulation) programs[i].
It is therefore important to consider the various possibilities as to the future of the UK to ensure that we are as prepared as we can be.
Option one: The UK remains in the EU
What does this mean?
The result of the referendum is not binding on the UK government. Therefore, if the UK government believes that leaving the EU is not in the best interests of the country, the UK may well remain a member of the EU.
What are the data protection implications?
The GDPR will enter into force, as originally planned, on 25 May 2018.
The UK Data Protection Authority (DPA), the Information Commissioner’s Office (ICO), will be represented on the European Data Protection Board (EDPB)[i].
This means that the ICO will continue to enjoy its active and influential role on data protection matters at a European level.
Another key benefit for the UK will be that, from a data protection perspective, it will be a desirable location for multinationals to set up their EU headquarters. This is because, under the GDPR, multinationals will have the ability to nominate a single national DPA as their lead DPA for all EU data privacy issues (currently, multinationals have to answer to DPAs in all jurisdictions where they have establishments). As the ICO has a reputation as a commercially minded DPA, this will be appealing for data-rich businesses looking to enter the EU market.
Option two: The UK leaves the EU but remains in the European Economic Area (EEA) and re-joins the European Free Trade Association (EFTA)
What does this mean?
In broad terms, this model would give the UK the benefits of single market access whilst allowing the UK to conclude its own trade deals with other countries and to obtain slightly more control over immigration. However, the UK would be required to comply with EU legislation relating to the single market (e.g. in relation to data protection, competition, public procurement, employment law, intellectual property and product regulation). It would not need to comply with EU law in other areas (such as the common fisheries or agricultural policies). In addition, the UK would be required to adopt the majority of EU laws and judgments handed down by the EFTA Court, which would play a role similar to that of the Court of Justice of the European Union (CJEU) in interpreting and enforcing EU law. The EFTA Surveillance Authority would exercise the monitoring function that is currently carried out by the EU Commission.
What are the data protection implications?
It is highly likely that the UK would be required to accept the GDPR. However, the GDPR would not take direct effect in UK law, but would require national implementing legislation. Therefore, the same concepts and requirements of the GDPR would still apply, but the UK’s new law may have a slightly different look and feel.
Data protection law restricts transfers of personal data outside of the EEA unless certain data transfer mechanisms are in place. Under this model, these restrictions will remain and, importantly, as a member of the EEA, there would be no restrictions on EU member states transferring personal data to the UK.
However, if there is a challenge in the CJEU to various existing data transfer mechanisms (such as the European Commission approved Standard Contractual Clauses (SCCs)), this decision would also apply in the UK.
Countries that are not members of the EU, but which are members of the EEA, currently enjoy a place at the table of the Article 29 Working Party (WP). It is therefore likely that these countries will also have a role, in some capacity, on the EDPB once the GDPR is in force. Consequently, the ICO should hopefully retain a good degree of influence over European data protection policies.
Unless otherwise negotiated, it is unlikely that the UK could act as a ‘lead authority’ for multinationals given that the GDPR specifically states that the lead authority must be located in an EU member state. Therefore, multinationals operating in both the UK and the EU will remain answerable to the ICO as well as their lead DPA in the EU.
Option three: The UK leaves the EU/EEA and goes it alone, negotiating trade arrangements with the EU and the rest of the world
Two important points to note:
First, a Brexit will not mean that UK companies will be able to avoid GDPR entirely. The GDPR has ‘extra-territorial’ effect meaning that organisations that process the personal data of EU citizens will need to comply with the terms of the GDPR in respect of that data, even if they do not have establishments in the EU. In practice, this means that to the extent that a UK business has customers in the EU, it will need to comply with the GDPR.
Second, it is highly likely that the UK’s data protection law will be reformed in the next couple of years, regardless of the political landscape. The UK ICO has publicly said that “given the growing digital economy [it] will be speaking to the government to present [its] view that reform of the UK law remains necessary”.
The ICO will be unlikely to have a position on the EDPB, meaning that its influence will be reduced.
Multinationals will not be able to designate the ICO as their lead authority for European data privacy issues. There is also a possibility that multinationals could face double enforcement action, from both the ICO and their lead EU authority.
International data transfers
With this model, there are many issues and uncertainties around international data transfers.
SCCs between the UK and EU data controllers and processors?
If the UK does not reform its law by the time it leaves the EU and retains the Data Protection Act 1998, it will likely be deemed a destination providing inadequate protection for personal data. This means that the UK would not be able to receive or import personal data from the EU. In this scenario, EU data controllers would have to require any UK company to which they send personal data to enter into the SCCs in order to legitimise the transfer.
A UK Privacy Shield?
Alternatively, the UK could propose a ‘Privacy Shield’ / ‘Safe Harbor’ model which would require UK companies who wish to receive personal data from the EU to self-certify that they will process the data in accordance with EU data privacy principles. This is the model that many US companies have historically used in order to receive data from the EU.
A UK adequacy assessment?
However, the most likely scenario, in our view, is that the UK would adopt something very similar to the GDPR and would then apply to the European Commission (EC) for ‘adequacy status’. This means that the EC would examine the UK’s data protection law and, if it felt that the law offered protection for personal data equivalent to that of the GDPR, it would allow the UK to receive personal data from the EU without the need for SCCs or other data transfer mechanisms. A number of countries, including Canada, New Zealand, Argentina and Israel, have undergone this process.
Non-EU countries’ data protection laws
Many countries outside of the EU have adopted their own data protection laws which are largely based on the current EU data protection framework. These countries’ data protection laws often prohibit transfers of personal data outside of the country of origin, but many provide an exception for transfers to countries in the EU or the EEA. If the UK is not part of the EU or the EEA then it may have to seek ‘adequacy’ assessments in many other countries or enter into appropriate agreements, similar to the SCCs, in order to legitimise transfers of personal data from those countries to the UK.
The GDPR requires organisations that process the personal data of EU citizens but which do not have an establishment in the EU to appoint a representative in a member state. UK companies will therefore need to appoint a representative in the EU.
Tips on how to prepare
- Continue with your GDPR compliance program – it is very likely that the GDPR will become law in some form or other, further evidenced by the fact that the ICO has confirmed that it is moving ahead with its GDPR guidance program. Indeed, Baroness Neville-Rolfe (the UK minister responsible for data protection) recently acknowledged: "One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens' data, they will need to be assessed as providing an adequate level of data protection".
- If you do business with the EU, consider which DPA would be your lead DPA. Familiarise yourself with how they operate and their key priorities.
- If you are a data processor with EU customers, review your contracts in light of Brexit, considering how you can address the uncertainties around international data transfers. Do not risk missing out on business because you have not considered Brexit data protection implications.
- Monitor the ICO’s comments and guidance for the latest updates on negotiations.