Following the rejection of the Withdrawal Agreement by the UK Parliament on 15 January 2019, the UK may face a No-Deal Brexit on 29 March 2019. We have set out a summary of the impact of a No-Deal Brexit on data protection, but this is of course subject to continuing negotiations between the UK and EU and the landscape of how the UK will leave the EU is yet to be determined.
1. Compliance with the GDPR
The European Union Withdrawal Act 2018 brings the GDPR into domestic UK law. The draft Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the "DP Exit Regulations") make some amendments to the GDPR that are necessary for it to operate correctly when the UK leaves the EU, and combine it with the Data Protection Act 2018 to create a `UK GDPR'.
2. Transfers from the UK to the EEA
The UK government has confirmed that it will transitionally recognise all EEA countries as `adequate' for data transfers from the UK and any countries with an adequacy decision on Brexit day will continue to have adequacy status for transfers from the UK. This is only on a transitional basis until the UK Government (in consultation with the ICO) issues its own adequacy rules. The DP Exit Regulations also state that EU standard contractual clauses and BCRs authorised before Brexit day will continue to be recognised on a transitional basis. The ICO will also be able to issue new standard contractual clauses.
3. Transfers from the EEA to the UK
In the event of a No-Deal Brexit the UK would become a third country vis--vis the EU after 29 March 2019 and data transfers from the EEA to the UK would have to be legitimised by the EU. However for both the EU and UK there will be a strong imperative to reach an agreement (at least on a transitional basis) to enable EEA-UK transfers to continue without the need for businesses to enter into model clauses or take other urgent measures. In November 2018 the EU Commission issued a notice confirming that on a no-deal Brexit data transfers from the EEA to the UK would be an issue but we are yet to see any further communication.
The ICO is taking steps to help small businesses and has created an online tool which helps business determine whether they need to put model clauses in place, and helps to generate the contract. https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-fortransfers-from-the-eea-to-the-uk-interactive-tool/
4. Lead Supervisory Authorities ("LSA")
Organisations may need to revisit their position on LSAs. For example:
i. In the case of a company which currently has its LSA in the UK, the ICO will not be able to act as the LSA post-Brexit. The company would need to consider if an alternative LSA could be identified in a EU Member State where it has an establishment. But if there is no EU establishment, the company cannot artificially choose one and the company would be subject to each relevant supervisory authority.
ii. In the case of a company which currently has its LSA in an EU Member State other than the UK, but has a business operation or processes data of an individual in the UK, the LSA in an EU Member State would continue but the company may also have to deal with the ICO for processing activities concerning the UK.
Organisations may also have to look at multiple sets of guidance for the same processing activities as the EDPB may have a different view to the ICO.
5. Data Protection Impact Assessment (“DPIA”)
A UK company may not necessarily need a new or separate DPIA, but will need to consider which are the relevant regulators for consultation. It may be necessary to consider both the relevant EU regulators and the ICO.
6. Breach Notifications
In the case of a cross-border breach covering the EU and UK, post Brexit data controllers may have to inform both their relevant LSA in the EU (if any) and the ICO. If no LSA can be identified based on the facts of the breach it may be necessary to have to notify each relevant authority
7. UK Privacy and Electronic Communications
Regulations ("PECR") Previously there has been much debate on the interaction between GDPR and PECR. The DP Exit Regulations make a number of clarifications on this issue. In particular, the DP Exit Regulations make it clear that the definition of consent of a user/subscriber under PECR is the same as the GDPR. This helps to clarify questions in the context of direct marketing and cookies which are in PECR.
8. Records of Processing
Controllers and processors should consider whether existing records need to be revisited. Sections dealing with recipients in third countries may need to be updated, as companies whose activities are regulated under the GDPR will have to list the UK as a third country together with details of the transfer mechanism relied on. Similarly companies regulated under the UK GDPR will have to list all EU Member States as third countries.
9. Privacy Notices
Privacy notices will need to be updated to reflect data transfers to and from the UK as a third country.