With the Johnson ministry into its second week, it is important to take stock of what impact Brexit will have on your privacy and data protection arrangements. The Prime Minister has made clear that there will be 'no ifs or buts' on the withdrawal of the UK from the EU on 31 October 2019 (exit day).
What does this mean for privacy and data protection? Some areas still need government clarification, or will be determined by the terms of any withdrawal agreement. Below, we set out some of the key issues that companies with UK and EU operations need to think about.
1. Personal data flows from the EU to the UK after Brexit. What happens? The UK will be a ‘third country’ without adequacy status.
In the event of a no-deal Brexit, the UK will become a third country under the GDPR. This means that, post-Brexit, transfers of personal data from the EU to the UK can only take place under one of the following mechanisms:
- Adequacy decision. There is currently no adequacy decision in place for the UK, and one cannot be adopted by the European Commission until after exit day.
- Standard contractual clauses (SCCs). These can be used alongside your data processing agreement. The clauses themselves must not be modified and must be signed in the form adopted by the European Commission, although they can be incorporated into a wider contract that does not contradict them.
- Binding corporate rules (BCR). These are personal data protection policies agreed by a group of companies and approved by the BCR lead supervisory authority (LSA) under the GDPR consistency mechanism, with an opinion from the European Data Protection Board (EDPB).
- Codes of conduct and certification mechanisms. These must contain binding and enforceable commitments from the recipient in the third country to apply appropriate safeguards. The EDPB is planning to publish guidance in this area.
- Relying on derogations. There are a number of derogations (GDPR Article 49) which allow for the transfer of personal data without the safeguards listed above, for example explicit consent or transfers necessary for the performance of a contract. However, these are interpreted very restrictively and are not suitable for routine or large-scale transfers.
2. Will you need to appoint a UK representative if you're selling into the UK?
Controllers and processors with no establishment in the UK will be required to appoint a UK representative. This requirement will only apply to organisations that offer goods or services to individuals in the UK or monitor the behaviour of UK residents, and it is subject to the same exemptions for occasional, low-risk processing as the EU rule. This obligation will mirror GDPR Article 27, so a company established outside both the UK and the EU may need a representative in each.
3. Lead supervisory authorities. What happens if the Information Commissioner’s Office (ICO) is your LSA? What happens to the GDPR cooperation and consistency mechanism?
In the event of a no-deal exit, the UK will no longer participate in the one-stop-shop mechanism or the cooperation and consistency procedure, and organisations that currently rely on the ICO as LSA will need to identify a new LSA in the EU. The ICO may be able to continue as your LSA if the UK enters into the Withdrawal Agreement or another agreement negotiated between now and exit day. Depending on the terms of any such agreement, the question of whether the ICO can remain as LSA may have to be resolved again at the end of a transition period.
The EDPB advises that groups of companies headquartered in the UK should identify a new BCR lead supervisory authority within the EU.
4. What about eMarketing? Will the ePrivacy Regulation come into force in the UK?
The draft Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 amend UK data protection laws to ensure that they continue to operate after exit day. The Privacy and Electronic Communications Regulations (PECR) are amended to align the definition of consent for cookies with the UK GDPR.
Whether the ePrivacy Regulation comes into force in the UK depends on whether the UK enters into the Withdrawal Agreement. If the ePrivacy Regulation applies during the transition period, it will be carried over automatically into UK domestic law at the end of that period. This may not be the case under another agreement negotiated by the UK before exit day.
Much of your contingency planning will depend on whether an agreement can be reached between the EU and UK, and on what form that agreement takes. We can help you prepare your contingency plans by reviewing the issues above, among others. Please do get in touch if you would like us to help with your contingency planning or to discuss any of these issues in more detail.