The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations in the UK and for organisations outside the UK that do business with it.
UK Retained Law
- The EU Withdrawal Act 2018 will retain the GDPR as UK law and give the Government the power to make appropriate amendments. These will include, for example, changes to references to EU laws and institutions.
- The fundamental principles, obligations on organisations, and rights for individuals will remain the same under the UK law.
Data transfers from the UK to the EEA
- The UK will recognise all EEA states, EU and EEA institutions and Gibraltar as providing an adequate level of protection for personal data, meaning that data can flow freely from the UK to these jurisdictions.
- However, the UK will keep this under review, meaning that the Government could decide in the future that certain EEA member states do not provide adequate protection and restrict the flow of data to such member states.
Data transfers from the UK to countries with adequate protection
- The UK will preserve the effect of existing EU adequacy decisions, meaning that data can flow freely from the UK to Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
- The UK has also confirmed that it will preserve the effect of the existing EU-US Privacy Shield to enable the free flow of data from the UK to organisations on the US Privacy Shield List.
- The Government has stated that this will be on a transitional basis, leaving the door open for the Government to potentially agree its own Privacy Shield with the US in the future.
Data transfers from the UK to third countries with no adequate protection
- Any EU Standard Contractual Clauses that have been approved by the European Commission will continue to be an effective basis for transfers from the UK to third countries.
- Under the proposed regulations, the UK Information Commissioner will also have the power to issue new Standard Contractual Clauses after exit day.
Extra-territorial scope of the UK law
- The UK law will have the same extra-territorial scope as the GDPR, meaning that it will apply to organisations based outside of the UK (including in the EU) where they are processing personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour.
- Controllers based outside of the UK who are directly subject to the UK law will need to appoint a representative in the UK. This means that companies based outside of Europe but doing business in both Europe and the UK will need to appoint an EU representative under the GDPR and a UK representative under the UK law.
For further details on our view of the possible impact of Brexit on data protection under both a deal and no deal scenario, please see our Brexit Legal Guide available here.