Whatever form it takes, the UK’s withdrawal from the EU’s “legal ecosystem” will have consequences for the country’s data protection regime. That is not just an abstract legal issue: it directly impacts on UK plc’s ability to exchange personal data with the EU 27. In the event of a no deal Brexit, on 29 March 2019 the EU GDPR (the EU’s General Data Protection Regulation) will be brought into law in the UK through the European Union (Withdrawal) Act 2019. If a withdrawal agreement comes into effect – and with it a transition period – the EU GDPR may also continue to be applicable in the UK as an instrument of EU legislation. But on the expiry of any such transition period, or in the event of a no deal Brexit, the country will have its own, standalone regime – rooted in the EU GDPR but capable of modification by future UK governments (the “UK GDPR”).
International data flows
Once the UK has left the EU and any applicable transition period has expired, it will become a “third country” for the purposes of Chapter V of the EU GDPR. As a result, any transfer of personal data from an EEA-based organisation to the UK must meet one of the legal requirements for transfer set out in the EU GDPR. However, current indications are that the UK will not be imposing reciprocal restrictions on flows from the UK to the EEA.
On 13 December 2018, the UK government released Guidance on Amendments to UK data protection law in the event the UK leaves the EU without a deal (the “No Deal Guidance”). This states that in the event of a no deal Brexit, the UK government will pass legislation (a) recognising the EEA Member States as “adequate” for the purpose of the UK GDPR (allowing the free flow of personal data from the UK to the EEA), (b) recognising adequacy decisions adopted to date by the EU, allowing transfers of personal data to continue from the UK to countries such as Guernsey and Israel, and to US companies that are Privacy Shield signatories, and (c) recognising the EU standard contractual clauses as a valid means of transferring personal data from the UK to international recipients outside of the EEA.
The EU has to date made no statement mirroring these aspects of the UK’s No Deal Guidance. The European Commission emphasised in its Notice to Stakeholders dated 9 January 2018 that if the UK becomes a “third country” for the purposes of the EU GDPR, “appropriate safeguards” must be provided for any transfers.
The preferred position for businesses will be for the European Commission – as soon as possible – to issue an adequacy decision, formally recognising the adequacy of the UK’s data protection regime and thereby allowing personal data to flow from the EU 27 to the UK, as if the UK were still a Member State. Adequacy decisions tend to take months at a minimum, and the European Commission has stated that it will not start the process until after 29 March 2019. If a transition or implementation period is agreed as part of a Brexit deal, then it may be possible for the European Commission to issue a decision before the conclusion of that period; however, in the event of a no deal Brexit, without some kind of grace period granted by the EU, transfers from the EU 27 to the UK could be immediately impacted on Brexit day, unless businesses take action.
What should businesses be doing now?
Many businesses will have mapped international data flows as part of their GDPR preparations in the run up to May 2018. To prepare for a no deal Brexit, businesses should now look to identify flows of personal data from EU Member States to the UK that may need to be addressed following Brexit. As the EU GDPR requires processors as well as controllers to implement appropriate safeguards for international transfers (in contrast with the Data Protection Directive it replaced), this will be a concern for all organisations, including intra-group service arrangements as well as those with third parties.
Following Brexit, businesses with UK/EU cross-border operations may find themselves subject to two independent legal regimes governing the processing of personal data.
The EU GDPR explicitly extends EU data protection rules and rights beyond the territory of the EU in some circumstances. The No Deal Guidance states that the UK government “intends to retain the extraterritoriality of the UK’s data protection framework”. The combined effect of this is that businesses operating in the EU with no “establishment” in the UK, or vice versa, could find themselves simultaneously subject to two independent legal regimes: the EU GDPR and the UK GDPR. Initially they will be closely aligned, but this may well change over time.
What should businesses be doing now?
In the event of a no deal Brexit, the No Deal Guidance states that the UK government will legislate to require controllers based outside of the country which are subject to the UK GDPR (e.g. because they target UK customers) to appoint a representative in the UK. This will replicate the requirement in Article 3(2) of the EU GDPR which will apply post-Brexit to UK-only established controllers with no presence in the EU which target customers in the EU. As part of no deal preparations, businesses should consider whether they may be caught by these requirements, and who might act as a representative in the event of a no deal Brexit. The requirement to appoint a representative will likely become a requirement (absent any further legislative action) at the end of any applicable transition or implementation period.
The Information Commissioner’s Office (“ICO”) has also released guidance on data protection if there’s no Brexit deal (the “ICO Guidance”), including a six-step checklist. The ICO Guidance notes that on Brexit, businesses may need to update existing privacy notices, documentation (such as Article 30 records of processing), Binding Corporate Rules (“BCRs”) and data protection impact assessments. The ICO’s preparation checklist includes:
- Transfers to the UK – identify where data are received into the UK from the EEA. Think about what GDPR safeguards you can put in place to ensure that data can continue to flow once we are outside the EU.
- Transfers from the UK – identify where data are transferred from the UK to any country outside the UK, as these will fall under new UK transfer and documentation provisions.
- European operations – if operating across Europe, review the structure, processing operations and data flows to assess how the UK’s exit from the EU will affect the data protection regimes that apply.
- Documentation – review privacy information and internal documentation to identify any details that will need updating when the UK leaves the EU.
Relations with supervisory authorities
Organisations that find themselves within scope of both the UK GDPR and EU GDPR post-Brexit (whether or not it is a no deal Brexit) will be subject to the jurisdiction of at least two supervisory authorities. The ICO will continue to be responsible for enforcing data protection law in the UK, but will no longer be able to act as lead supervisory authority in cross-border enforcement matters under the EU GDPR’s one-stop-shop enforcement mechanism. Article 50 of the EU GDPR provides that the European Commission and supervisory authorities shall take “appropriate steps” to develop effective enforcement mechanisms and provide mutual assistance in investigations (which presumably could include memoranda of understanding with overseas regulators like the ICO); however, it is currently unclear how this might operate in practice or how quickly any understanding with the ICO could be put in place.
What should businesses be doing now?
Organisations likely to be caught by both the UK GDPR and EU GDPR should determine which supervisory authorities they may need to cooperate with in the event of a no deal Brexit, and the impact of this on existing policies and procedures. Organisations that have previously identified the ICO as their lead authority will need to consider the impact of a no deal Brexit on time-sensitive matters, such as reporting personal data breaches to supervisory authorities, which must be done within a 72-hour timeframe. Where a data protection officer (“DPO”) has been appointed by an organisation whose activities encompass the EU and the UK, consideration should be given to whether the person can still perform the role effectively under the dual regimes (given that s/he may need to liaise with a supervisory authority outside the UK post-Brexit and will be expected to have suitable expertise in that country’s local data protection law).
Keeping up to date
At the time of writing, the parliamentary vote on the UK’s proposed agreement with the EU has yet to occur. It goes without saying that organisations will need to keep up to date with the latest proposals and guidance, as developments could have a significant bearing on the potential impact and the prudent preparations to be taken.